GOLD FRANKLIN
SUMMARY
GOLD FRANKLIN is a financially motivated cybercriminal threat group, active since 2012, that targets payment card data. The group frequently conducts targeted breaches against retail, hospitality, and food services organizations in the United States that process large volumes of payment card data. It uses the custom FrameworkPOS malware to harvest this data as it passes through memory on point-of-sale (POS) terminals and back-of-house (BOH) systems. Stolen data is stored in encoded form on the compromised terminals and periodically exfiltrated by the threat actors. GOLD FRANKLIN has also used the Magecart JavaScript-based skimming system against eCommerce websites to perpetrate card-not-present (CNP) fraud.
GOLD FRANKLIN relies heavily on widely available post-exploitation tools such as Metasploit, PowerSploit, and PowerUpSQL during intrusion activity. The group later monetizes the stolen payment card data by selling it to intermediaries or openly on marketplaces such as JokerStash, prior to that marketplace's shutdown in early 2021. Third-party researchers have linked GOLD FRANKLIN to the use of GOLD BLACKBURN's TrickBot and Anchor malware and to deployment of GOLD ULRICK's Ryuk ransomware, but CTU researchers are unable to independently corroborate these findings. In April 2019, third-party researchers also linked GOLD FRANKLIN to the LockerGoga ransomware, although CTU researchers have not attributed direct observations of LockerGoga to this group.