GratefulPOS is a point-of-sale (PoS) malware variant of FrameworkPOS that shares some code with other PoS malware families. The malware is designed to exfiltrate payment card data from processes used by PoS systems running Windows 7 or later. It has no C2 capability but rather relies on the perpetrator using other means of access to install and execute the malware on the system.

GratefulPOS is capable of the following:

  • Accessing arbitrary processes on the target POS system
  • Scraping track 1 and 2 payment card data
  • Exfiltrating the data via encoded and obfuscated DNS queries to a hard-coded domain that is registered and controlled by the perpetrators

The DNS exfiltration method effectively bypasses firewalls and circumvents PoS system controls designed to block direct access to the internet from the PoS system. Even if the infected PoS system is set up to send the exfiltrated payment card data to an internal DNS server, that internal DNS server would likely send that data outside the network to the attacker thereby eliminating the need for a direct internet connection by the infected PoS system. GratefulPOS will only work against PoS systems in which merchants have not deployed hardware-enabled point-to-point encryption of payment card data and those still accepting magnetic strip swipe cards rather than Chip-and-PIN/EMV cards.

Technical Details

  • RSA provides additional technical details and IoCs for GratefulPOS here.