New FrameworkPoS variant comes with a lot of dead skin

Dec 8, 2015 13:08 GMT

A new version of FrameworkPoS has been detected in the wild by security researchers from Trustwave, one that has some new features but also some weird behavior.

FrameworkPoS is an old PoS (Point of Sale) malware piece, which many security experts think may have been behind the huge Home Depot data breach that leaked the details of 56 million payment cards.

Security researchers are constantly detecting new versions of this malware family, and the most recent update shows that FrameworkPoS authors are on their way to giving the malware a complete overhaul.

Old dog, new tricks

While some parts remained the same, such as its encoding routines, its DNS-based exfiltration mechanism, and the process blacklist used by its memory scraper, this new version also comes with some major changes.

"Previous versions of FrameworkPoS were installed as a service in an attempt to hide and persist on victim systems," explained Eric Merritt from Trustwave's SpiderLabs. "This version uses two PowerShell scripts, which can inject either a 32-bit or 64-bit version of the malware into memory."

By moving the malware into memory, its operators are making it harder to detect by never exposing its binaries on disk, a place where antivirus software roams in search of any new threats.
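One defensive check that the DNS-based exfiltration described above invites, as an added example that is not code from the article or from Trustwave: a small Python script that scans a constructed DNS query log for clients repeatedly sending long or high-entropy subdomain labels under one parent domain. The log format, the thresholds, and every name and address in it are assumptions.

```python
import math
import re
from collections import Counter

# Constructed sample DNS query log (not from the article or Trustwave's report).
# Format per line: "<timestamp> <client-ip> <queried-name>".
SAMPLE_LOG = """\
2015-12-08T13:00:01Z 10.1.20.15 www.example.com
2015-12-08T13:00:02Z 10.1.20.15 7a78637662786e6d717765727479756f69706173646667686a6b.cdn-update.example
2015-12-08T13:00:03Z 10.1.20.15 6d6e62766378617364666768716a6b6c7a7763727974756f7069.cdn-update.example
2015-12-08T13:00:04Z 10.1.20.15 70617364666a6b6c6d6e62767a78637771657274797569696f70.cdn-update.example
2015-12-08T13:00:05Z 10.1.20.16 mail.example.com
2015-12-08T13:00:06Z 10.1.20.16 time.windows.com
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)$")


def shannon_entropy(text):
    """Bits per character of a label; hex or base32 blobs score well above words."""
    if not text:
        return 0.0
    counts = Counter(text)
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def is_suspicious_label(label, max_len=40, min_entropy=3.5):
    """Flag a leftmost label that is unusually long or unusually random-looking."""
    return len(label) > max_len or shannon_entropy(label) >= min_entropy


def find_exfil_sources(log_text, min_hits=3):
    """Return {(client_ip, parent_domain): hits} for clients that repeatedly send
    suspicious labels under the same parent domain, the shape DNS exfiltration takes."""
    hits = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines instead of failing
        _, client, qname = m.groups()
        labels = qname.lower().rstrip(".").split(".")
        if len(labels) < 3:
            continue  # no subdomain label available to carry data
        if is_suspicious_label(labels[0]):
            hits[(client, ".".join(labels[-2:]))] += 1
    return {k: v for k, v in hits.items() if v >= min_hits}


if __name__ == "__main__":
    for (client, domain), n in find_exfil_sources(SAMPLE_LOG).items():
        print(f"{client} sent {n} suspicious queries under {domain}")
```

The thresholds need tuning against a baseline of the environment's normal DNS traffic, since CDN and telemetry hostnames also use long labels.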

This major change of modus operandi leads us to believe the malware is about to mutate in a major way, but not with this version.

FrameworkPoS, the Frankenstein version

As Trustwave researchers explain, "this variant has a very Frankenstein feel to it," referring to the numerous fragments of code stitched together, of which only a few lines are actually used.

This seems like an alpha-stage version of the malware, one where its creators have not yet gone through the source to remove dead code that is no longer used, whether copy-pasted from other malware or carried over from previous FrameworkPoS versions.

Our theory that this is an intermediary version between major FrameworkPoS releases is also backed up by a weird behavior in the malware's operations.

According to Trustwave, every time the malware detects a payment card number, rather than simply stealing it, it first checks it against a set of rules, using credit card number filters hardcoded in its source.

This behavior makes no sense for a piece of PoS malware and seems to be another patch of unnecessary code left behind by the malware's creators.

Unfortunately, this behavior doesn't make the malware less efficient, and FrameworkPoS remains a dangerous threat to upcoming holiday shopping sprees.