Trusted Design

FRAMEWORKPOS MALWARE CAMPAIGN NABS ~43,000 CREDIT CARDS

概要

Threatstream Labs came across an interesting FrameworkPOS sample that given it is two months old, its digitally signed and its certificate hasn't been revoked. FrameworkPOS is a malware family that targets POS (Point of Sale) terminals and its main objective is to steal credit card data from them in order to be sold in the black market. This blogpost is divided in two sections. The first section aims to analyze the malware's capabilities e.g.: c2 connectivity, encoding mechanisms and overall system activity. The second section will provide an analysis on campaign information that was gathered throughout the research.

Created: 2026-02-23

Indicators

類似Pulses

NitlovePOS: Another New POS Malware (score: 0.67)
Unskal, Saluchtra, Dexter and IeEnablerCby (score: 0.63)
New POS Malware Emerges - Punkey (score: 0.63)
TrendLabs: Spam Campaign Delivers Cross-platform Remote Access Trojan Adwind (score: 0.62)
FighterPOS Gets Worm Routine (score: 0.62)

このPulseに関連する脅威アクター (事実ベース)

Kimsuky

Score: 23.66

Matched TTPs:

T1606.002 - SAML Tokens
T1091 - Replication Through Removable Media
T1140 - Deobfuscate/Decode Files or Information
T1552.003 - Shell History
T1199 - Trusted Relationship
T1132.002 - Non-Standard Encoding
T1526 - Cloud Service Discovery
T1126 - Network Share Connection Removal
T1003.003 - NTDS

MITREへのリンク →

FIN13

Score: 6.94

Matched TTPs:

T1606.002 - SAML Tokens
T1140 - Deobfuscate/Decode Files or Information
T1552.003 - Shell History
T1199 - Trusted Relationship

MITREへのリンク →

Moonstone Sleet

Score: 13.37

Matched TTPs:

T1606.002 - SAML Tokens
T1091 - Replication Through Removable Media
T1573 - Encrypted Channel
T1126 - Network Share Connection Removal
T1547.008 - LSASS Driver

MITREへのリンク →

Indrik Spider

Score: 5.72

Matched TTPs:

T1606.002 - SAML Tokens
T1574.008 - Path Interception by Search Order Hijacking

MITREへのリンク →

Lazarus Group

Score: 20.75

Matched TTPs:

T1606.002 - SAML Tokens
T1199 - Trusted Relationship
T1174 - Password Filter DLL
T1218.010 - Regsvr32
T1055.005 - Thread Local Storage
T1547.008 - LSASS Driver
T1556 - Modify Authentication Process
T1216 - System Script Proxy Execution

MITREへのリンク →

Contagious Interview

Score: 16.55

Matched TTPs:

T1606.002 - SAML Tokens
T1091 - Replication Through Removable Media
T1552.003 - Shell History
T1199 - Trusted Relationship
T1126 - Network Share Connection Removal
T1547.008 - LSASS Driver
T1556 - Modify Authentication Process

MITREへのリンク →

OilRig

Score: 18.68

Matched TTPs:

T1606.002 - SAML Tokens
T1091 - Replication Through Removable Media
T1005 - Data from Local System
T1199 - Trusted Relationship
T1218.010 - Regsvr32
T1526 - Cloud Service Discovery
T1547.008 - LSASS Driver
T1556 - Modify Authentication Process

MITREへのリンク →

UNC3886

Score: 7.52

Matched TTPs:

T1606.002 - SAML Tokens
T1140 - Deobfuscate/Decode Files or Information
T1136.002 - Domain Account
T1218.010 - Regsvr32

MITREへのリンク →

LuminousMoth

Score: 7.38

Matched TTPs:

T1606.002 - SAML Tokens
T1091 - Replication Through Removable Media
T1136.002 - Domain Account
T1199 - Trusted Relationship

MITREへのリンク →

Sandworm Team

Score: 18.50

Matched TTPs:

T1606.002 - SAML Tokens
T1091 - Replication Through Removable Media
T1005 - Data from Local System
T1140 - Deobfuscate/Decode Files or Information
T1199 - Trusted Relationship
T1187 - Forced Authentication
T1573 - Encrypted Channel
T1218.010 - Regsvr32

MITREへのリンク →

Salt Typhoon

Score: 7.16

Matched TTPs:

T1606.002 - SAML Tokens
T1140 - Deobfuscate/Decode Files or Information
T1199 - Trusted Relationship
T1556 - Modify Authentication Process

MITREへのリンク →

APT29

Score: 8.43

Matched TTPs:

T1606.002 - SAML Tokens
T1140 - Deobfuscate/Decode Files or Information
T1199 - Trusted Relationship
T1218.010 - Regsvr32
T1547.008 - LSASS Driver

MITREへのリンク →

Play

Score: 6.94

Matched TTPs:

T1606.002 - SAML Tokens
T1140 - Deobfuscate/Decode Files or Information
T1552.003 - Shell History
T1199 - Trusted Relationship

MITREへのリンク →

Aoqin Dragon

Score: 4.44

Matched TTPs:

T1606.002 - SAML Tokens
T1199 - Trusted Relationship
T1218.010 - Regsvr32

MITREへのリンク →

Moses Staff

Score: 4.41

Matched TTPs:

T1606.002 - SAML Tokens
T1140 - Deobfuscate/Decode Files or Information
T1199 - Trusted Relationship

MITREへのリンク →

Turla

Score: 5.40

Matched TTPs:

T1606.002 - SAML Tokens
T1136.002 - Domain Account
T1199 - Trusted Relationship

MITREへのリンク →

Ke3chang

Score: 4.41

Matched TTPs:

T1606.002 - SAML Tokens
T1140 - Deobfuscate/Decode Files or Information
T1199 - Trusted Relationship

MITREへのリンク →

Mustang Panda

Score: 20.98

Matched TTPs:

T1606.002 - SAML Tokens
T1091 - Replication Through Removable Media
T1169 - Sudo
T1199 - Trusted Relationship
T1218.010 - Regsvr32
T1526 - Cloud Service Discovery
T1055.005 - Thread Local Storage
T1556 - Modify Authentication Process

MITREへのリンク →

TeamTNT

Score: 4.07

Matched TTPs:

T1606.002 - SAML Tokens
T1091 - Replication Through Removable Media

MITREへのリンク →

FIN7

Score: 13.85

Matched TTPs:

T1606.002 - SAML Tokens
T1091 - Replication Through Removable Media
T1140 - Deobfuscate/Decode Files or Information
T1011.001 - Exfiltration Over Bluetooth
T1199 - Trusted Relationship
T1573 - Encrypted Channel

MITREへのリンク →

TA2541

Score: 5.28

Matched TTPs:

T1091 - Replication Through Removable Media
T1136.002 - Domain Account
T1199 - Trusted Relationship

MITREへのリンク →

Earth Lusca

Score: 6.75

Matched TTPs:

T1091 - Replication Through Removable Media
T1140 - Deobfuscate/Decode Files or Information
T1136.002 - Domain Account
T1199 - Trusted Relationship

MITREへのリンク →

Mustard Tempest

Score: 6.51

Matched TTPs:

T1091 - Replication Through Removable Media
T1543.002 - Systemd Service

MITREへのリンク →

LazyScripter

Score: 4.43

Matched TTPs:

T1091 - Replication Through Removable Media
T1136.002 - Domain Account

MITREへのリンク →

Gamaredon Group

Score: 6.44

Matched TTPs:

T1091 - Replication Through Removable Media
T1199 - Trusted Relationship
T1059.013 - Container CLI/API

MITREへのリンク →

Threat Group-3390

Score: 11.87

Matched TTPs:

T1091 - Replication Through Removable Media
T1140 - Deobfuscate/Decode Files or Information
T1199 - Trusted Relationship
T1573 - Encrypted Channel
T1218.010 - Regsvr32
T1526 - Cloud Service Discovery

MITREへのリンク →

TA505

Score: 5.28

Matched TTPs:

T1091 - Replication Through Removable Media
T1136.002 - Domain Account
T1199 - Trusted Relationship

MITREへのリンク →

BlackByte

Score: 3.44

Matched TTPs:

T1091 - Replication Through Removable Media
T1140 - Deobfuscate/Decode Files or Information

MITREへのリンク →

BITTER

Score: 4.32

Matched TTPs:

T1091 - Replication Through Removable Media
T1199 - Trusted Relationship
T1218.010 - Regsvr32

MITREへのリンク →

APT32

Score: 10.35

Matched TTPs:

T1091 - Replication Through Removable Media
T1199 - Trusted Relationship
T1174 - Password Filter DLL
T1218.010 - Regsvr32
T1556 - Modify Authentication Process

MITREへのリンク →

Saint Bear

Score: 3.47

Matched TTPs:

T1091 - Replication Through Removable Media
T1218.010 - Regsvr32

MITREへのリンク →

EXOTIC LILY

Score: 5.99

Matched TTPs:

T1091 - Replication Through Removable Media
T1218.010 - Regsvr32
T1547.008 - LSASS Driver

MITREへのリンク →

APT42

Score: 6.44

Matched TTPs:

T1091 - Replication Through Removable Media
T1199 - Trusted Relationship
T1132.002 - Non-Standard Encoding

MITREへのリンク →

Ember Bear

Score: 13.40

Matched TTPs:

T1005 - Data from Local System
T1140 - Deobfuscate/Decode Files or Information
T1136.002 - Domain Account
T1218.010 - Regsvr32
T1003.003 - NTDS

MITREへのリンク →

Rocke

Score: 5.09

Matched TTPs:

T1140 - Deobfuscate/Decode Files or Information
T1059.013 - Container CLI/API

MITREへのリンク →

APT28

Score: 8.35

Matched TTPs:

T1140 - Deobfuscate/Decode Files or Information
T1199 - Trusted Relationship
T1548.004 - Elevated Execution with Prompt
T1218.010 - Regsvr32

MITREへのリンク →

BackdoorDiplomacy

Score: 4.78

Matched TTPs:

T1140 - Deobfuscate/Decode Files or Information
T1136.002 - Domain Account
T1199 - Trusted Relationship

MITREへのリンク →

GOLD SOUTHFIELD

Score: 4.40

Matched TTPs:

T1140 - Deobfuscate/Decode Files or Information
T1573 - Encrypted Channel

MITREへのリンク →

BlackTech

Score: 6.96

Matched TTPs:

T1140 - Deobfuscate/Decode Files or Information
T1199 - Trusted Relationship
T1218.010 - Regsvr32
T1526 - Cloud Service Discovery

MITREへのリンク →

Magic Hound

Score: 8.69

Matched TTPs:

T1140 - Deobfuscate/Decode Files or Information
T1199 - Trusted Relationship
T1187 - Forced Authentication
T1547.008 - LSASS Driver

MITREへのリンク →

Medusa Group

Score: 8.46

Matched TTPs:

T1140 - Deobfuscate/Decode Files or Information
T1552.003 - Shell History
T1199 - Trusted Relationship
T1216 - System Script Proxy Execution

MITREへのリンク →

Sea Turtle

Score: 11.97

Matched TTPs:

T1140 - Deobfuscate/Decode Files or Information
T1199 - Trusted Relationship
T1218.010 - Regsvr32
T1685 - Disable or Modify Tools
T1059.013 - Container CLI/API

MITREへのリンク →

Storm-0501

Score: 7.61

Matched TTPs:

T1140 - Deobfuscate/Decode Files or Information
T1574.008 - Path Interception by Search Order Hijacking
T1552.003 - Shell History

MITREへのリンク →

Cinnamon Tempest

Score: 8.46

Matched TTPs:

T1140 - Deobfuscate/Decode Files or Information
T1574.008 - Path Interception by Search Order Hijacking
T1552.003 - Shell History
T1199 - Trusted Relationship

MITREへのリンク →

menuPass

Score: 5.60

Matched TTPs:

T1140 - Deobfuscate/Decode Files or Information
T1199 - Trusted Relationship
T1174 - Password Filter DLL

MITREへのリンク →

ToddyCat

Score: 3.99

Matched TTPs:

T1140 - Deobfuscate/Decode Files or Information
T1547.008 - LSASS Driver

MITREへのリンク →

GALLIUM

Score: 5.60

Matched TTPs:

T1140 - Deobfuscate/Decode Files or Information
T1199 - Trusted Relationship
T1174 - Password Filter DLL

MITREへのリンク →

INC Ransom

Score: 4.84

Matched TTPs:

T1140 - Deobfuscate/Decode Files or Information
T1552.003 - Shell History
T1199 - Trusted Relationship

MITREへのリンク →

Dragonfly

Score: 6.74

Matched TTPs:

T1140 - Deobfuscate/Decode Files or Information
T1199 - Trusted Relationship
T1573 - Encrypted Channel
T1218.010 - Regsvr32

MITREへのリンク →

APT41

Score: 10.36

Matched TTPs:

T1140 - Deobfuscate/Decode Files or Information
T1574.008 - Path Interception by Search Order Hijacking
T1199 - Trusted Relationship
T1573 - Encrypted Channel
T1218.010 - Regsvr32

MITREへのリンク →

MuddyWater

Score: 7.43

Matched TTPs:

T1140 - Deobfuscate/Decode Files or Information
T1199 - Trusted Relationship
T1218.010 - Regsvr32
T1059.013 - Container CLI/API

MITREへのリンク →

LAPSUS$

Score: 6.93

Matched TTPs:

T1136.002 - Domain Account
T1199 - Trusted Relationship
T1132.002 - Non-Standard Encoding

MITREへのリンク →

Metador

Score: 3.31

Matched TTPs:

T1136.002 - Domain Account
T1199 - Trusted Relationship

MITREへのリンク →

APT1

Score: 3.31

Matched TTPs:

T1136.002 - Domain Account
T1199 - Trusted Relationship

MITREへのリンク →

Aquatic Panda

Score: 3.31

Matched TTPs:

T1136.002 - Domain Account
T1199 - Trusted Relationship

MITREへのリンク →

Andariel

Score: 7.80

Matched TTPs:

T1136.002 - Domain Account
T1187 - Forced Authentication
T1218.010 - Regsvr32

MITREへのリンク →

Scattered Spider

Score: 5.83

Matched TTPs:

T1136.002 - Domain Account
T1552.003 - Shell History
T1199 - Trusted Relationship

MITREへのリンク →

Wizard Spider

Score: 6.75

Matched TTPs:

T1199 - Trusted Relationship
T1526 - Cloud Service Discovery
T1556 - Modify Authentication Process

MITREへのリンク →

Storm-1811

Score: 3.37

Matched TTPs:

T1199 - Trusted Relationship
T1547.008 - LSASS Driver

MITREへのリンク →

FIN8

Score: 6.75

Matched TTPs:

T1199 - Trusted Relationship
T1526 - Cloud Service Discovery
T1556 - Modify Authentication Process

MITREへのリンク →

FIN6

Score: 6.12

Matched TTPs:

T1199 - Trusted Relationship
T1547.008 - LSASS Driver
T1556 - Modify Authentication Process

MITREへのリンク →

Cobalt Group

Score: 5.27

Matched TTPs:

T1199 - Trusted Relationship
T1573 - Encrypted Channel
T1218.010 - Regsvr32

MITREへのリンク →

Thrip

Score: 3.60

Matched TTPs:

T1199 - Trusted Relationship
T1556 - Modify Authentication Process

MITREへのリンク →

APT38

Score: 12.29

Matched TTPs:

T1199 - Trusted Relationship
T1174 - Password Filter DLL
T1059.005 - Visual Basic
T1216 - System Script Proxy Execution

MITREへのリンク →

APT33

Score: 5.09

Matched TTPs:

T1199 - Trusted Relationship
T1218.010 - Regsvr32
T1556 - Modify Authentication Process

MITREへのリンク →

Chimera

Score: 4.47

Matched TTPs:

T1199 - Trusted Relationship
T1132.002 - Non-Standard Encoding

MITREへのリンク →

Daggerfly

Score: 6.21

Matched TTPs:

T1573 - Encrypted Channel
T1174 - Password Filter DLL

MITREへのリンク →

APT37

Score: 5.12

Matched TTPs:

T1218.010 - Regsvr32
T1216 - System Script Proxy Execution

MITREへのリンク →

Equation

Score: 4.13

Matched TTPs:

T1130 - Install Root Certificate

MITREへのリンク →

Strider

Score: 4.13

Matched TTPs:

T1130 - Install Root Certificate

MITREへのリンク →

このPulseに関連する脅威アクター (推論ベース)

Kimsuky

Score: 0.78

Matched TTPs:

T1199 - Trusted Relationship
T1132.002 - Non-Standard Encoding
T1526 - Cloud Service Discovery
T1126 - Network Share Connection Removal
T1091 - Replication Through Removable Media
T1606.002 - SAML Tokens
T1140 - Deobfuscate/Decode Files or Information
T1003.003 - NTDS
T1552.003 - Shell History

MITREへのリンク →

Mustang Panda

Score: 0.73

Matched TTPs:

T1199 - Trusted Relationship
T1055.005 - Thread Local Storage
T1556 - Modify Authentication Process
T1526 - Cloud Service Discovery
T1169 - Sudo
T1091 - Replication Through Removable Media
T1606.002 - SAML Tokens
T1218.010 - Regsvr32

MITREへのリンク →

Lazarus Group

Score: 0.70

Matched TTPs:

T1199 - Trusted Relationship
T1216 - System Script Proxy Execution
T1055.005 - Thread Local Storage
T1556 - Modify Authentication Process
T1174 - Password Filter DLL
T1547.008 - LSASS Driver
T1606.002 - SAML Tokens
T1218.010 - Regsvr32

MITREへのリンク →

Sandworm Team

Score: 0.65

Matched TTPs:

T1199 - Trusted Relationship
T1573 - Encrypted Channel
T1005 - Data from Local System
T1091 - Replication Through Removable Media
T1606.002 - SAML Tokens
T1140 - Deobfuscate/Decode Files or Information
T1218.010 - Regsvr32
T1187 - Forced Authentication

MITREへのリンク →

OilRig

Score: 0.64

Matched TTPs:

T1199 - Trusted Relationship
T1556 - Modify Authentication Process
T1526 - Cloud Service Discovery
T1005 - Data from Local System
T1091 - Replication Through Removable Media
T1606.002 - SAML Tokens
T1547.008 - LSASS Driver
T1218.010 - Regsvr32

MITREへのリンク →

Contagious Interview

Score: 0.58

Matched TTPs:

T1199 - Trusted Relationship
T1556 - Modify Authentication Process
T1126 - Network Share Connection Removal
T1091 - Replication Through Removable Media
T1606.002 - SAML Tokens
T1547.008 - LSASS Driver
T1552.003 - Shell History

MITREへのリンク →

FIN7

Score: 0.58

Matched TTPs:

T1199 - Trusted Relationship
T1573 - Encrypted Channel
T1091 - Replication Through Removable Media
T1606.002 - SAML Tokens
T1011.001 - Exfiltration Over Bluetooth
T1140 - Deobfuscate/Decode Files or Information

MITREへのリンク →

Related CVEs

このPulseに見つかったCVEはありません。

Pulse – 脅威アクターグラフ

← Pulse一覧に戻る