Blog

Anomali Labs: Evidence of a New Framework POS Campaign

Luis Mendieta

May 24, 2016

Table of contents

<p>Anomali labs research team has come across a new FrameworkPOS campaign that seems to be slowly picking up. This campaign although is not as big as the former ones found during our initial research still gives us clues about how active the actors behind this activity are.</p><h4>Samples observed During the research</h4><table width="100%"><tbody><tr><th>HASH</th><th>C2-domain</th><th>C2-ip</th><th>Compile Time</th><th>AV hits</th><th>First observed</th></tr><tr><td>f52d927a41c6a201af49f4ba0e95343a</td><td>a23-33-37-54-deploy-akamaitechnologies[.]com</td><td>23.33.37.54</td><td>2015-07-20 13:11:25</td><td>6/56</td><td>2016-05-17 15:00</td></tr><tr><td>8bd8b0b1dc04a125b2aa777bf96573ec</td><td>a193-45-3-47-deploy-akamaitechnologies[.]com</td><td>193.45.3.47</td><td>2015-12-05 09:24:44</td><td>5/57</td><td>2016-04-05 10:15</td></tr></tbody></table><h4>Sample analysis</h4><p>The samples that were analyzed havent changed from former campaigns. The artifacts and system behavior remained the same. refer to the following link for detailed analysis on <a href="https://ui.threatstream.com/tip/3329?__hstc=41179005.2767d93d6471d657e0c9f660e4b58ef8.1456736058655.1478831861868.1478887113345.180&__hssc=41179005.22.1478887113345&__hsfp=1335165674" target="_blank">[Threat Bulletin 3329] A detailed overview of frameworkPOS malware</a></p><h4>Campaign Analysis</h4><p>A detailed overview of former frameworkPOS campaigns can be observed in <a href="https://ui.threatstream.com/tip/3367?__hstc=41179005.2767d93d6471d657e0c9f660e4b58ef8.1456736058655.1478831861868.1478887113345.180&__hssc=41179005.22.1478887113345&__hsfp=1335165674" target="_blank">[Threat Bulletin 3367] FrameworkPOS Malware Campaign Analysis</a>. In this previous Threat Buletin we identified possible C2 domains of a23-33-37-54-deploy-akamaitechnologies[.]com and a193-45-3-47-deploy-akamaitechnologies[.]com, but at the time we had no samples that used them and could not find any DNS event activity. The new campaign observed follows the same naming convention as the former ones. The new campaign name is <code>gpr1</code>. This campaign seems to have nabbed around 300 creditcard records from two victims so far. One of the victims is possibly and SMB based in honolulu hawaii and the other one based on Chicago.</p><h4>Observations on the victim data</h4><p>Anomali labs had the opportunity to analyze the credit card data that was compromised by the actors. One of the interesting aspects of the data was that only track 2 data was found. In other campaigns we observed there was track 1 data present as well. See figure 0:</p><p><img src="https://cdn.filestackcontent.com/5lT3V75QKGSDTjOv6Ev0"/></p><h4>Possible Timeframe of Exfils</h4><p><img src="https://cdn.filestackcontent.com/8WIfq6OJRxq6B842XL6I"/></p><p>Timeline above illustrate the timeframe in which the domains were first registered and the relationship with the exfils that occurred. The earliest domain registration which is dated 7/17/15 is directly related with the exfil operation in 8/9/15. On the other hand the second domain which was registered 12/11/15 can be directly related with the exfil operation that happened around 3/22/16.</p><p>During the lifecycle of this research Anomali labs noticed a few references to POS a software named ALOHA. This could mean two things.</p><ol><li><p>This POS software is very popular and it just happen to be on the compromised terminals.</p></li><li><p>The actors are actively targeting this specific platform. These two questions will be answered as Anomali labs advances its research on this specific threat.</p><h4>Conclusion</h4><p>FrameworkPOS has been dormant during the past few months. However, this campaign shows the actor behind this malware are active and well. Anomali labs will continue to monitor for this activity in order to look for new developments.</p></li></ol>

Luis Mendieta

Luis Mendieta is a former Senior Security Researcher at Anomali.