win.grateful_pos

Grateful POS

aka: FrameworkPOS, SCRAPMINT, trinity

Actor(s): Skeleton Spider, FIN6


POS malware targets the systems that drive physical point-of-sale devices and works by inspecting process memory for data that matches the structure of magnetic-stripe card data (Track 1 and Track 2), such as the account number, expiration date, and the other fields encoded on a card's magnetic stripe. After a card is swiped, the primary account number (PAN) and the accompanying track data sit unencrypted in the point-of-sale system's memory while the system determines where to send them for authorization, and that is the window in which a RAM scraper reads them.
Masquerading as LogMeIn software, the GratefulPOS malware appears to have emerged during the fall 2017 shopping season with a low detection rate, judging by some of the earliest detections displayed on VirusTotal; the first sample was uploaded in November 2017. The malware also appears to be related to the FrameworkPOS family, which was linked to several high-profile merchant breaches in the past.

References
2020-03-03 | PWC UK | PWC UK | Cyber Threats 2019: A Year in Retrospect
@techreport{uk:20200303:cyber:1f1eef0, author = {PWC UK}, title = {{Cyber Threats 2019: A Year in Retrospect}}, date = {2020-03-03}, institution = {PWC UK}, url = {https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf}, language = {English}, urldate = {2020-03-03} }
Families: KevDroid MESSAGETAP magecart AndroMut Cobalt Strike CobInt Crimson RAT DNSpionage Dridex Dtrack Emotet FlawedAmmyy FlawedGrace FriedEx Gandcrab Get2 GlobeImposter Grateful POS ISFB Kazuar LockerGoga Nokki QakBot Ramnit REvil Rifdoor RokRAT Ryuk shadowhammer ShadowPad Shifu Skipper StoneDrill Stuxnet TrickBot Winnti ZeroCleare Axiom

2020-02-19 | FireEye | FireEye | M-Trends 2020
@online{fireeye:20200219:mtrends:193613a, author = {FireEye}, title = {{M-Trends 2020}}, date = {2020-02-19}, organization = {FireEye}, url = {https://content.fireeye.com/m-trends/rpt-m-trends-2020}, language = {English}, urldate = {2020-02-20} }
Families: Cobalt Strike Grateful POS LockerGoga QakBot TrickBot

2020-02-13 | Qianxin | Qi Anxin Threat Intelligence Center | APT Report 2019
@techreport{center:20200213:report:146d333, author = {Qi Anxin Threat Intelligence Center}, title = {{APT Report 2019}}, date = {2020-02-13}, institution = {Qianxin}, url = {https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf}, language = {English}, urldate = {2020-02-27} }
Families: Chrysaor Exodus Dacls elf.vpnfilter DNSRat Griffon KopiLuwak More_eggs SQLRat AppleJeus BONDUPDATER Agent.BTZ Anchor AndroMut AppleJeus BOOSTWRITE Brambul Carbanak Cobalt Strike Dacls DistTrack DNSpionage Dtrack ELECTRICFISH FlawedAmmyy FlawedGrace Get2 Grateful POS HOPLIGHT Imminent Monitor RAT jason Joanap KerrDown KEYMARBLE Lambert LightNeuron LoJax MiniDuke PolyglotDuke PowerRatankba Rising Sun SDBbot ServHelper Snatch Stuxnet TinyMet tRat TrickBot Volgmer X-Agent Zebrocy

2019-12-23 | Norfolk | POS Malware Used at Fuel Pumps
@online{norfolk:20191223:pos:5862d6d, author = {Norfolk}, title = {{POS Malware Used at Fuel Pumps}}, date = {2019-12-23}, url = {https://norfolkinfosec.com/pos-malware-used-at-fuel-pumps/}, language = {English}, urldate = {2020-01-07} }
Families: Grateful POS

2019-12 | VISA | Visa Security Alert | Cybercrime Groups (FIN8) Targeting Fuel Dispenser Merchants
@techreport{alert:201912:cybercrime:b12d39c, author = {Visa Security Alert}, title = {{Cybercrime Groups (FIN8) Targeting Fuel Dispenser Merchants}}, date = {2019-12}, institution = {VISA}, url = {https://usa.visa.com/dam/VCOM/global/support-legal/documents/cybercrime-groups-targeting-fuel-dispenser-merchants.pdf}, language = {English}, urldate = {2020-07-23} }
Families: Grateful POS

2019-05-01 | Red Canary | Tony Lambert | FrameworkPOS and the adequate persistent threat
@online{lambert:20190501:frameworkpos:376a823, author = {Tony Lambert}, title = {{FrameworkPOS and the adequate persistent threat}}, date = {2019-05-01}, organization = {Red Canary}, url = {https://redcanary.com/blog/frameworkpos-and-the-adequate-persistent-threat/}, language = {English}, urldate = {2020-01-29} }
Families: Grateful POS

2017-12-13 | Vitali Kremez Blog | Vitali Kremez | Update: Let's Learn: Reversing FIN6 "GratefulPOS" aka "FrameworkPOS" Point-of-Sale Malware in-Depth
@online{kremez:20171213:update:50a1f16, author = {Vitali Kremez}, title = {{Update: Let's Learn: Reversing FIN6 "GratefulPOS" aka "FrameworkPOS" Point-of-Sale Malware in-Depth}}, date = {2017-12-13}, organization = {Vitali Kremez Blog}, url = {http://www.vkremez.com/2017/12/lets-learn-reversing-grateful-point-of.html}, language = {English}, urldate = {2020-01-08} }
Families: Grateful POS

2017-12-08 | RSA | Kent Beckman | GratefulPOS credit card stealing malware - just in time for the shopping season
@online{beckman:20171208:gratefulpos:0ba1053, author = {Kent Beckman}, title = {{GratefulPOS credit card stealing malware - just in time for the shopping season}}, date = {2017-12-08}, organization = {RSA}, url = {https://community.rsa.com/community/products/netwitness/blog/2017/12/08/gratefulpos-credit-card-stealing-malware-just-in-time-for-the-shopping-season}, language = {English}, urldate = {2020-01-08} }
Families: Grateful POS

2016-04 | FireEye | FireEye | Follow the Money: Dissecting the Operations of the Cyber Crime Group FIN6
@techreport{fireeye:201604:follow:5df2e81, author = {FireEye}, title = {{Follow the Money: Dissecting the Operations of the Cyber Crime Group FIN6}}, date = {2016-04}, institution = {FireEye}, url = {https://www2.fireeye.com/rs/848-DID-242/images/rpt-fin6.pdf}, language = {English}, urldate = {2020-04-23} }
Families: Grateful POS FIN6
Yara Rules
[TLP:WHITE] win_grateful_pos_auto (20201014 | autogenerated rule brought to you by yara-signator)
rule win_grateful_pos_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2020-10-14"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.5.0"
        tool_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.grateful_pos"
        malpedia_rule_date = "20201014"
        malpedia_hash = "a7e3bd57eaf12bf3ea29a863c041091ba3af9ac9"
        malpedia_version = "20201014"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 7407 b8f6ffffff eb02 33c0 }
            // n = 4, score = 600
            //   7407                 | je                  9
            //   b8f6ffffff           | mov                 eax, 0xfffffff6
            //   eb02                 | jmp                 4
            //   33c0                 | xor                 eax, eax

        $sequence_1 = { 7411 e8???????? e8???????? 33c0 e9???????? }
            // n = 5, score = 600
            //   7411                 | je                  0x13
            //   e8????????           |                     
            //   e8????????           |                     
            //   33c0                 | xor                 eax, eax
            //   e9????????           |                     

        $sequence_2 = { e8???????? 83f801 7510 e8???????? e8???????? }
            // n = 5, score = 600
            //   e8????????           |                     
            //   83f801               | cmp                 eax, 1
            //   7510                 | jne                 0x12
            //   e8????????           |                     
            //   e8????????           |                     

        $sequence_3 = { e8???????? 99 b980ee3600 f7f9 }
            // n = 4, score = 600
            //   e8????????           |                     
            //   99                   | cdq                 
            //   b980ee3600           | mov                 ecx, 0x36ee80
            //   f7f9                 | idiv                ecx

        $sequence_4 = { 3c5c 7404 3c2f 7509 }
            // n = 4, score = 600
            //   3c5c                 | cmp                 al, 0x5c
            //   7404                 | je                  6
            //   3c2f                 | cmp                 al, 0x2f
            //   7509                 | jne                 0xb

        $sequence_5 = { b8feffffff eb1a b8fdffffff eb13 }
            // n = 4, score = 600
            //   b8feffffff           | mov                 eax, 0xfffffffe
            //   eb1a                 | jmp                 0x1c
            //   b8fdffffff           | mov                 eax, 0xfffffffd
            //   eb13                 | jmp                 0x15

        $sequence_6 = { eb07 b8fcffffff eb02 33c0 }
            // n = 4, score = 600
            //   eb07                 | jmp                 9
            //   b8fcffffff           | mov                 eax, 0xfffffffc
            //   eb02                 | jmp                 4
            //   33c0                 | xor                 eax, eax

        $sequence_7 = { b8fdffffff eb13 b8fcffffff eb0c }
            // n = 4, score = 600
            //   b8fdffffff           | mov                 eax, 0xfffffffd
            //   eb13                 | jmp                 0x15
            //   b8fcffffff           | mov                 eax, 0xfffffffc
            //   eb0c                 | jmp                 0xe

        $sequence_8 = { 50 e8???????? 83c404 8d4db4 51 8d9574f9ffff }
            // n = 6, score = 500
            //   50                   | push                eax
            //   e8????????           |                     
            //   83c404               | add                 esp, 4
            //   8d4db4               | lea                 ecx, [ebp - 0x4c]
            //   51                   | push                ecx
            //   8d9574f9ffff         | lea                 edx, [ebp - 0x68c]

        $sequence_9 = { 83f830 7c13 8b8dd4fbffff 0fb6940de4fbffff 83fa7a 7e39 }
            // n = 6, score = 500
            //   83f830               | cmp                 eax, 0x30
            //   7c13                 | jl                  0x15
            //   8b8dd4fbffff         | mov                 ecx, dword ptr [ebp - 0x42c]
            //   0fb6940de4fbffff     | movzx               edx, byte ptr [ebp + ecx - 0x41c]
            //   83fa7a               | cmp                 edx, 0x7a
            //   7e39                 | jle                 0x3b

        $sequence_10 = { 0385f8fffdff 50 8b4d08 8b11 52 }
            // n = 5, score = 500
            //   0385f8fffdff         | add                 eax, dword ptr [ebp - 0x20008]
            //   50                   | push                eax
            //   8b4d08               | mov                 ecx, dword ptr [ebp + 8]
            //   8b11                 | mov                 edx, dword ptr [ecx]
            //   52                   | push                edx

        $sequence_11 = { 68???????? 8b85e0fbffff 83e810 50 }
            // n = 4, score = 500
            //   68????????           |                     
            //   8b85e0fbffff         | mov                 eax, dword ptr [ebp - 0x420]
            //   83e810               | sub                 eax, 0x10
            //   50                   | push                eax

        $sequence_12 = { 8d441101 50 8b8dc4fbffff 8d940de4fbffff }
            // n = 4, score = 500
            //   8d441101             | lea                 eax, [ecx + edx + 1]
            //   50                   | push                eax
            //   8b8dc4fbffff         | mov                 ecx, dword ptr [ebp - 0x43c]
            //   8d940de4fbffff       | lea                 edx, [ebp + ecx - 0x41c]

        $sequence_13 = { 8b7810 8b85f4fffdff 0385f8fffdff 33d2 b908000000 f7f1 }
            // n = 6, score = 500
            //   8b7810               | mov                 edi, dword ptr [eax + 0x10]
            //   8b85f4fffdff         | mov                 eax, dword ptr [ebp - 0x2000c]
            //   0385f8fffdff         | add                 eax, dword ptr [ebp - 0x20008]
            //   33d2                 | xor                 edx, edx
            //   b908000000           | mov                 ecx, 8
            //   f7f1                 | div                 ecx

        $sequence_14 = { 8b85f8fffdff 3b85e8fffdff 0f833a030000 e8???????? 99 }
            // n = 5, score = 500
            //   8b85f8fffdff         | mov                 eax, dword ptr [ebp - 0x20008]
            //   3b85e8fffdff         | cmp                 eax, dword ptr [ebp - 0x20018]
            //   0f833a030000         | jae                 0x340
            //   e8????????           |                     
            //   99                   | cdq                 

        $sequence_15 = { 8b95f8fbffff 89511c 8b85ecfbffff 8985f8fbffff 8b8dccfbffff 038dd8fbffff }
            // n = 6, score = 500
            //   8b95f8fbffff         | mov                 edx, dword ptr [ebp - 0x408]
            //   89511c               | mov                 dword ptr [ecx + 0x1c], edx
            //   8b85ecfbffff         | mov                 eax, dword ptr [ebp - 0x414]
            //   8985f8fbffff         | mov                 dword ptr [ebp - 0x408], eax
            //   8b8dccfbffff         | mov                 ecx, dword ptr [ebp - 0x434]
            //   038dd8fbffff         | add                 ecx, dword ptr [ebp - 0x428]

    condition:
        7 of them and filesize < 3964928
}