FrameworkPOS, aka TRINITY, is PoS malware associated with a cybercrime group known as FIN6, according to an investigation conducted by FireEye. It is designed to capture payment card data from the memory of running processes and save it to a file on the system. Once FrameworkPOS identifies track data, it copies and encodes it to a local file in a subdirectory of the c:\windows\ directory while attempting to conceal these files with .dll or .chm extensions. To move the stolen payment card data out of the environment, FIN6 used a script to systematically iterate through a list of compromised PoS systems, copying the harvested track data files to a numbered “log” file before removing the original data files. They then compressed the log files into a ZIP archive and moved the archive through the environment to an intermediary system and then to a staging system. From the staging system,  the stolen data is copied to external command and control servers using the FTP command line utility. According to FireEye's research, FIN6 also uses an alternative extraction method to upload payment card data to a public file sharing service.


  • May 2016: A recent FrameworkPOS campaign reportedly compromised over 300 credit card records from two victims, a small-to-medium sized business based in Honolulu Hawaii and another based in Chicago. While analyzing the stolen information, researchers found only track 2 data, although track 1 data was present in other campaigns as well. The new campaign is not as widespread as others leveraging the same PoS malware, but it does reveal that the actors behind this malware are still. active. (SecurityWeek)
  • April 2016: FireEye released an in-depth report on the operations of a sophisticated cyber crime group known as FIN6, titled "Follow the Money – Dissecting the Operations of the Cybe Crime Group FIN6". FireEye determined FIN6 compromised and deployed TRINITY (FramworkPOS) on approximately 2,000 systems, resulting in millions of exposed cards. (FireEye)

Technical Details

  • Anomali Labs provides technical analysis of FrameworkPOS on their blog, available here.
  • Trustwave provides technical analysis of FrameworkPOS on their SpiderLabs Blog, available here.

This graph depicts how cybercrimminals registered and used their domains between 2015 and 2016. Image Source: Softpedia