GratefulPOS (4cfe3f22-96b8-4d3d-a6cc-85835d9471e2)
GratefulPOS has the following functions:

1. Access arbitrary processes on the target POS system.
2. Scrape track 1 and track 2 payment card data from the process(es).
3. Exfiltrate the payment card data via lengthy encoded and obfuscated DNS queries to a hardcoded domain registered and controlled by the perpetrators, similar to the technique described by Paul Rascagneres in his analysis of FrameworkPOS in 2014[iii], and more recently by Luis Mendieta of Anomali in his analysis of a precursor to this sample.
Cluster A | Galaxy A | Cluster B | Galaxy B | Level |
---|---|---|---|---|
GratefulPOS (7d9362e5-e3cf-4640-88a2-3faf31952963) | Banker | GratefulPOS (4cfe3f22-96b8-4d3d-a6cc-85835d9471e2) | Tool | 1 |