FrameworkPOS.AAC: new FrameworkPOS variant uses DNS requests to deliver stolen card data to the attackers (Mar 1, 2016)
The Dell SonicWALL Threats Research team observed reports of a new variant of the FrameworkPOS family, detected as GAV: FrameworkPOS.AAC, actively spreading in the wild. FrameworkPOS targets point-of-sale systems; this variant relies on DNS requests to deliver the stolen card data to the attackers.
![](http://software.sonicwall.com/gav/FrameworkPOS_files/image001.png)
Infection Cycle:
MD5:
- feac3bef63d95f2e3c0fd6769635c30b, detected as GAV: FrameworkPOS.AAC (Trojan)
The Trojan installs itself as a Windows service so that it is restarted on reboot, adding the following registry key (the service name mimics the legitimate LogMeIn remote-access product):
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LogMeInServer
- "ImagePath" = "%Userprofile%\Malware.exe -service"
![](http://software.sonicwall.com/gav/FrameworkPOS_files/image002.png)
FrameworkPOS retrieves the list of running processes and periodically scrapes their memory for credit card track data.
![](http://software.sonicwall.com/gav/FrameworkPOS_files/image003.png)
The malware keeps an exclusion list of system processes to ignore; it gathers track data by scanning the memory of every running process except those on the following list:
![](http://software.sonicwall.com/gav/FrameworkPOS_files/image004.png)
To enumerate processes and read their memory for card data, the malware uses the following Windows API functions:
- CreateToolhelp32Snapshot
- Process32First
- Process32Next
- OpenProcess
![](http://software.sonicwall.com/gav/FrameworkPOS_files/image005.png)
The malware creates two files, dspsvc.bid and [Random Name].dat:
![](http://software.sonicwall.com/gav/FrameworkPOS_files/image006.png)
The dspsvc.bid file holds the bot's campaign ID and the .dat file holds the encrypted credit card data, as in the following example:
![](http://software.sonicwall.com/gav/FrameworkPOS_files/image007.png)
The malware sends an HTTP request to an external server, which responds with the victim's public IP address.
![](http://software.sonicwall.com/gav/FrameworkPOS_files/image008.png)
Once the public IP has been acquired, the malware validates the scraped card numbers and sends the track 1 and track 2 data, encrypted, to one of its C&C servers inside DNS queries, as in the following example:
![](http://software.sonicwall.com/gav/FrameworkPOS_files/image009.png)
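The scraping step described above, as an added example that is not code from the advisory or from the malware: walk a process table, skip the names on an exclusion list, match track 1 and track 2 patterns in each process's memory, and keep only the cards that pass a Luhn check. The process table, the memory contents, the exclusion names and the use of Luhn as the "verify" step are all assumptions; the advisory shows the real exclusion list only as a screenshot and does not say which check the malware performs.

```python
import re

# Constructed sample of what a scraper sees when it reads a POS process's
# memory: track data mixed with unrelated bytes. The card numbers are the
# public test PANs 4111111111111111 and 5555555555554444; the third record
# carries a PAN whose check digit is wrong.
FAKE_POS_MEMORY = (
    b"\x00\x00receipt printer ready\x00"
    b"%B4111111111111111^DOE/JOHN^25121011000000000?"
    b"\x00\x01\x02"
    b";5555555555554444=25121011000000000?"
    b"\x00\x00"
    b";4111111111111112=25121011000000000?"
    b"\x00"
)

# Track 1 (format B): %B<PAN>^<name>^<YYMM><service code><discretionary>?
TRACK1_RE = re.compile(rb"%B(\d{13,19})\^([^^]{2,26})\^(\d{4})(\d{3})([^?]*)\?")
# Track 2: ;<PAN>=<YYMM><service code><discretionary>?
TRACK2_RE = re.compile(rb";(\d{13,19})=(\d{4})(\d{3})([^?]*)\?")


def luhn_ok(pan: str) -> bool:
    """Luhn check-digit test. Scrapers commonly use it to discard false
    positives; that FrameworkPOS does so is an assumption, the advisory only
    says the malware 'verifies' cards."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def scan_buffer(buf: bytes) -> list:
    """Return every track record found in buf, tagged with its Luhn result."""
    found = []
    for m in TRACK1_RE.finditer(buf):
        pan = m.group(1).decode()
        found.append({"track": 1, "pan": pan, "name": m.group(2).decode(),
                      "exp": m.group(3).decode(), "valid": luhn_ok(pan)})
    for m in TRACK2_RE.finditer(buf):
        pan = m.group(1).decode()
        found.append({"track": 2, "pan": pan, "name": None,
                      "exp": m.group(2).decode(), "valid": luhn_ok(pan)})
    return found


# Process names the scraper skips. Stand-in names, not the real list.
EXCLUDED = {"system", "smss.exe", "csrss.exe", "svchost.exe", "explorer.exe"}


def scrape(processes: list, excluded: set = EXCLUDED) -> list:
    """Mimic the scraper loop: walk a (name, memory) table, skip excluded
    names, keep only Luhn-valid records. The real malware builds this table
    with CreateToolhelp32Snapshot/Process32First/Process32Next and reads the
    memory through a handle from OpenProcess; here the table is constructed."""
    hits = []
    for name, memory in processes:
        if name.lower() in excluded:
            continue
        for rec in scan_buffer(memory):
            if rec["valid"]:
                rec["process"] = name
                hits.append(rec)
    return hits


PROCESS_TABLE = [
    ("explorer.exe", b"\x00shell\x00"),
    ("svchost.exe", FAKE_POS_MEMORY),   # skipped even though it holds track data
    ("pos.exe", FAKE_POS_MEMORY),
]

if __name__ == "__main__":
    for rec in scrape(PROCESS_TABLE):
        print(rec["process"], "track", rec["track"], rec["pan"], rec["exp"])
```

Run as a script it prints the two valid records found in pos.exe; the copy of the same data in svchost.exe is never scanned because the name is on the exclusion list, and the record with the bad check digit is dropped by the Luhn test.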
Command and Control (C&C) Traffic
FrameworkPOS performs its C&C communication over the DNS protocol. Because the queries are answered by the attacker's authoritative name server, they travel through the victim's normal recursive resolver, so blocking direct outbound connections from the POS segment does not stop the exfiltration; the resolver's query logs are where to look for it.
The malware sends the victim's credit card data to its C&C server in the following format; here are some examples:
![](http://software.sonicwall.com/gav/FrameworkPOS_files/image010.png)
![](http://software.sonicwall.com/gav/FrameworkPOS_files/image011.png)
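Exfiltration of this kind shows up in a resolver log as a burst of long, high-entropy subdomains under a single domain. The detector below is an added example, not code from the advisory: it parses query-log lines, groups queries by registered domain and flags domains that collect many distinct, long, high-entropy subdomains. The log lines, the attacker.example domain, the hex-chunk encoding and the thresholds are constructed for illustration (the real query format is only shown in the screenshots above).

```python
import math
import re
from collections import defaultdict

# Constructed resolver log, loosely modelled on BIND query-log lines. The
# hosts, names and the attacker.example domain are invented; none of them is
# an indicator from the advisory.
SAMPLE_LOG = """\
01-Mar-2016 09:58:10.001 client 10.1.1.20#52113: query: www.example.com IN A + (10.1.1.1)
01-Mar-2016 09:58:11.204 client 10.1.1.20#52114: query: mail.example.com IN A + (10.1.1.1)
01-Mar-2016 09:58:12.377 client 10.1.1.20#52115: query: cdn.example.com IN A + (10.1.1.1)
01-Mar-2016 09:59:01.010 client 10.1.1.42#49152: query: 0123456789abcdef0123456789abcdef.attacker.example IN A + (10.1.1.1)
01-Mar-2016 09:59:01.512 client 10.1.1.42#49153: query: fedcba9876543210fedcba9876543210.attacker.example IN A + (10.1.1.1)
01-Mar-2016 09:59:02.020 client 10.1.1.42#49154: query: 13579bdf02468ace13579bdf02468ace.attacker.example IN A + (10.1.1.1)
01-Mar-2016 09:59:02.530 client 10.1.1.42#49155: query: 02468ace13579bdf02468ace13579bdf.attacker.example IN A + (10.1.1.1)
01-Mar-2016 09:59:30.000 client 10.1.1.20#52116: query: www.example.com IN A + (10.1.1.1)
"""

QUERY_RE = re.compile(r"client (\d+\.\d+\.\d+\.\d+)#\d+: query: (\S+) IN (\S+)")

# Thresholds are assumptions; tune them against your own resolver's baseline.
MIN_UNIQUE = 3
MIN_MEAN_LEN = 20
MIN_MEAN_ENTROPY = 3.0


def shannon_entropy(s: str) -> float:
    """Bits per character; encoded card data is far more uniform than hostnames."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_name(qname: str):
    """Return (registered domain, subdomain labels joined) using the naive
    rule 'registered domain = last two labels' (no public-suffix list)."""
    labels = qname.rstrip(".").lower().split(".")
    if len(labels) < 3:
        return ".".join(labels), ""
    return ".".join(labels[-2:]), "".join(labels[:-2])


def detect_dns_exfil(log_text: str) -> list:
    """Aggregate queries per registered domain and flag domains that receive
    many distinct, long, high-entropy subdomains, which is what chunked data
    carried in query names looks like."""
    per_domain = defaultdict(lambda: {"subs": set(), "clients": set()})
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if not m:
            continue
        client, qname, _qtype = m.groups()
        domain, sub = split_name(qname)
        if sub:
            per_domain[domain]["subs"].add(sub)
            per_domain[domain]["clients"].add(client)
    alerts = []
    for domain, info in sorted(per_domain.items()):
        subs = info["subs"]
        if len(subs) < MIN_UNIQUE:
            continue
        mean_len = sum(len(s) for s in subs) / len(subs)
        mean_ent = sum(shannon_entropy(s) for s in subs) / len(subs)
        if mean_len >= MIN_MEAN_LEN and mean_ent >= MIN_MEAN_ENTROPY:
            alerts.append({"domain": domain, "clients": sorted(info["clients"]),
                           "unique_subdomains": len(subs),
                           "mean_len": round(mean_len, 1),
                           "mean_entropy": round(mean_ent, 2)})
    return alerts


if __name__ == "__main__":
    for alert in detect_dns_exfil(SAMPLE_LOG):
        print(alert)
```

On the sample log only attacker.example is flagged: example.com also has three distinct subdomains, but they are short dictionary labels with low entropy. Counting unique subdomains rather than raw queries matters because each chunk of stolen data produces a new name, while a legitimate busy host repeats the same few names; in production, replace the last-two-labels rule with a public-suffix list so that domains under co.uk and similar suffixes are grouped correctly.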
SonicWALL Gateway AntiVirus provides protection against this threat via the following signature:
- GAV: FrameworkPOS.AAC