Anomali Labs: Evidence of a New Framework POS Campaign | Anomali

May 24, 2016 | Luis Mendieta

The Anomali Labs research team has come across a new FrameworkPOS campaign that appears to be slowly picking up. Although this campaign is not as large as the ones found during our initial research, it still gives us clues about how active the actors behind this activity are.

Samples observed during the research

Hash (MD5)                       | C2 domain                                      | C2 IP       | Compile time        | AV hits | First observed
f52d927a41c6a201af49f4ba0e95343a | a23-33-37-54-deploy-akamaitechnologies[.]com   | 23.33.37.54 | 2015-07-20 13:11:25 | 6/56    | 2016-05-17 15:00
8bd8b0b1dc04a125b2aa777bf96573ec | a193-45-3-47-deploy-akamaitechnologies[.]com   | 193.45.3.47 | 2015-12-05 09:24:44 | 5/57    | 2016-04-05 10:15

Sample analysis

The samples that were analyzed have not changed from former campaigns: the artifacts and system behavior remain the same. Refer to [Threat Bulletin 3329] A detailed overview of frameworkPOS malware for a detailed analysis.

Campaign Analysis

A detailed overview of former FrameworkPOS campaigns can be found in [Threat Bulletin 3367] FrameworkPOS Malware Campaign Analysis. In that bulletin we identified a23-33-37-54-deploy-akamaitechnologies[.]com and a193-45-3-47-deploy-akamaitechnologies[.]com as possible C2 domains, but at the time we had no samples that used them and could not find any DNS activity for them. The new campaign follows the same naming convention as the former ones: the domains imitate Akamai CDN reverse-DNS hostnames (for example a23-33-37-54.deploy.static.akamaitechnologies.com) with the dots replaced by hyphens, so each one is a separately registered .com domain rather than an Akamai subdomain, and the address spelled out in the name is the address it resolves to. The new campaign name is gpr1. It seems to have taken around 300 credit card records from two victims so far: one is possibly an SMB based in Honolulu, Hawaii, and the other is based in Chicago.
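The naming convention above is easy to hunt for in DNS logs because the name itself encodes the address the C2 resolves to. The following is an added example written for this page (not Anomali's tooling or the malware's code): it matches the hyphenated Akamai-lookalike pattern, distinguishes it from a genuine akamaitechnologies.com subdomain, and checks whether the answer returned by the resolver equals the IP embedded in the name. The log format (client, query name, answer) and every log line are constructed for the example.

```python
import ipaddress
import re

# Added example, not from the original Anomali post. The two C2s in the post
# look like Akamai reverse-DNS names (a23-33-37-54.deploy.static.akamaitechnologies.com)
# with the dots turned into hyphens, which makes the whole string a separately
# registered second-level domain under .com. This regex matches that shape.
LOOKALIKE = re.compile(
    r"^a(?P<ip>\d{1,3}-\d{1,3}-\d{1,3}-\d{1,3})-deploy-akamaitechnologies\.com\.?$",
    re.IGNORECASE,
)

# Genuine Akamai names keep the dots and live under akamaitechnologies.com.
LEGIT_AKAMAI = re.compile(r"\.akamaitechnologies\.com\.?$", re.IGNORECASE)


def embedded_ip(qname):
    """Return the IPv4 address spelled out in a lookalike name, or None."""
    m = LOOKALIKE.match(qname.strip())
    if not m:
        return None
    try:
        return str(ipaddress.IPv4Address(m.group("ip").replace("-", ".")))
    except ValueError:  # e.g. an octet above 255: not a plausible lookalike
        return None


def classify(qname, answer=None):
    """
    'lookalike-c2'       name matches the pattern and, if an answer is given,
                         the A record equals the IP encoded in the name (the
                         relationship the post's table shows for both samples)
    'lookalike-mismatch' name matches but resolves elsewhere (still suspicious)
    'akamai'             a genuine akamaitechnologies.com subdomain
    'other'              everything else
    """
    ip = embedded_ip(qname)
    if ip is not None:
        if answer is None or answer == ip:
            return "lookalike-c2"
        return "lookalike-mismatch"
    if LEGIT_AKAMAI.search(qname.strip()):
        return "akamai"
    return "other"


# Constructed sample DNS log (client, qname, answer); not real telemetry.
SAMPLE_LOG = """\
10.0.0.21 a23-33-37-54-deploy-akamaitechnologies.com 23.33.37.54
10.0.0.21 a193-45-3-47-deploy-akamaitechnologies.com 193.45.3.47
10.0.0.33 a23-33-37-54.deploy.static.akamaitechnologies.com 23.33.37.54
10.0.0.40 a10-1-1-1-deploy-akamaitechnologies.com 198.51.100.9
10.0.0.40 www.example.com 93.184.216.34
"""


def scan(log_text):
    """Return (client, qname, verdict) for every line whose verdict is not 'other'."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        client, qname, answer = parts
        verdict = classify(qname, answer)
        if verdict != "other":
            hits.append((client, qname, verdict))
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(*hit)
```

The point of keeping the legitimate Akamai name in the sample is that a naive substring match on "akamaitechnologies" would drown the two real hits in CDN noise; the hyphen-for-dot structure and the embedded-IP check are what make the rule specific.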

Observations on the victim data

Anomali Labs had the opportunity to analyze the credit card data that was compromised by the actors. One interesting aspect of the data was that only track 2 data (PAN, expiry date, service code and discretionary data, with no cardholder name) was found; in other campaigns we observed, track 1 data was present as well. See figure 0:
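Telling track 1 and track 2 records apart, and weeding out memory garbage that merely looks like a card number, is the first step in sizing a dump like this one. The following is an added example written for this page, not Anomali's tooling or the malware's own parsing: it recognises both track formats, Luhn-checks the PAN, and returns masked summaries so an analyst can count and deduplicate records without retaining full card numbers. The sample records are constructed from well-known test card numbers, not victim data.

```python
import re

# Added example, not from the original Anomali post. Track 2 is
# ;PAN=YYMMSSSdiscretionary? (no name); track 1 is %BPAN^NAME^YYMMSSSdiscretionary?
# Start/end sentinels are optional here because scraped memory often lacks them.
TRACK2 = re.compile(
    r"^;?(?P<pan>\d{12,19})=(?P<exp>\d{4})(?P<svc>\d{3})(?P<disc>[0-9]*)\??$"
)
TRACK1 = re.compile(
    r"^%?B(?P<pan>\d{12,19})\^(?P<name>[^^]{2,26})\^(?P<exp>\d{4})(?P<svc>\d{3})(?P<disc>[^?]*)\??$"
)


def luhn_ok(pan):
    """Luhn mod-10 check: rejects digit runs that are not real account numbers."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(pan):
    """Keep the BIN and last four digits, which is enough to deduplicate."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def parse_track(record):
    """Return a dict describing the record, or None if it is neither track."""
    record = record.strip()
    for kind, rx in (("track2", TRACK2), ("track1", TRACK1)):
        m = rx.match(record)
        if m:
            pan = m.group("pan")
            return {
                "track": kind,
                "pan_masked": mask(pan),
                "luhn_ok": luhn_ok(pan),
                "expiry": m.group("exp")[2:] + "/" + m.group("exp")[:2],  # MM/YY
                "service_code": m.group("svc"),
                "name": m.group("name").strip() if kind == "track1" else None,
            }
    return None


def summarize(records):
    """Count Luhn-valid records per track type and list the distinct masked PANs."""
    counts = {"track1": 0, "track2": 0, "invalid": 0}
    seen = set()
    for rec in records:
        parsed = parse_track(rec)
        if parsed is None or not parsed["luhn_ok"]:
            counts["invalid"] += 1
            continue
        counts[parsed["track"]] += 1
        seen.add(parsed["pan_masked"])
    return counts, sorted(seen)


# Constructed sample dump built from public test card numbers: the same card
# scraped twice as track 2, one track 1 record, one Luhn-invalid PAN, one junk line.
SAMPLE_DUMP = [
    ";4111111111111111=25121011234567890?",
    "%B5555555555554444^DOE/JOHN^2512101123456789?",
    ";4111111111111111=25121011234567890?",
    ";4111111111111112=2512101?",
    "not a track at all",
]

if __name__ == "__main__":
    counts, pans = summarize(SAMPLE_DUMP)
    print(counts, pans)
```

Counting distinct masked PANs rather than raw records matters for a figure like the "around 300 records" above: a scraper that keeps re-reading the same terminal memory will produce duplicates of a single swipe.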

Possible Timeframe of Exfils

The timeline above illustrates when the domains were first registered and their relationship to the exfils that occurred. The earliest domain registration, dated 7/17/15, is directly related to the exfil operation on 8/9/15. The second domain, registered 12/11/15, can be directly related to the exfil operation that happened around 3/22/16. Both registration dates also fall within a few days of the corresponding samples' compile timestamps (2015-07-20 and 2015-12-05), although PE compile timestamps are attacker-controlled and should not be relied on by themselves.

During the lifecycle of this research Anomali Labs noticed a few references to a POS software package named ALOHA. This could mean one of two things:

  1. This POS software is very popular and it just happened to be on the compromised terminals.

  2. The actors are actively targeting this specific platform.

Which of these holds will be answered as Anomali Labs advances its research on this specific threat.

Conclusion

FrameworkPOS has been dormant during the past few months. However, this campaign shows that the actors behind this malware are alive and well. Anomali Labs will continue to monitor this activity in order to look for new developments.

About the Author

Luis Mendieta

Luis Mendieta is a senior security researcher who enjoys poking inside malware and building automated systems to process threat data. He has 5 years in the security industry, focusing on intelligence and research. Currently at Anomali, Luis researches the latest malware families and builds tools that allow for faster analysis and processing. Previously, he worked as a senior threat analyst at Verizon, supporting cyber security incident response engagements with cyber intelligence capabilities. Prior to Verizon he worked at Terremak as a SOC analyst 2, then moved up the ranks to become an investigations analyst. Luis enjoys playing scenario paintball, running and the outdoors.
