Improved FrameWorkPOS spotted alive and well in the wild


It's alive! FrameWorkPOS is still in the wild and it's better than ever with a recent campaign stealing 43,000 credit cards, according to researchers at ThreatStream Labs.

In a Thursday blog post, the researchers noted that a sample of the malware family, aimed at point-of-sale systems, indicated that bad actors have made improvements to the original iteration in subsequent versions.

We were able to leverage passive DNS data to learn more about its scope and some of the victims. The data gave us insight to the following:

“During the analysis of the data 3 different campaigns were observed,” the blog post said, noting that researchers leveraged passive DNS data to gain more insight about the scope of the campaigns and their victims. They noted one campaign to be “more active than others.” What the researchers referred to as the grp10 campaign infected the most hosts though its “running timeframe was 2.5 months which is very short compared to” another campaign, known as grp05. That latter campaign ran from August 2015 to February 2016. The third campaign, grp03, ran for two months but infected 10 IPs.

The researchers noted a total of 67 unique IPs infected and distributed between the U.S. and Russia.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.