TreasureHunter PoS malware

On the malware scene, there is no clearer sign of trends to come than the leaking of a malware family's source code.

Based on this assumption, we can now expect an influx of Point-of-Sale malware in the coming months, following the release of the source code of the TreasureHunter PoS malware on a Russian-speaking cybercrime forum in March this year.

Security researchers from Flashpoint, the ones who spotted the leaked source code, confirmed its validity.

"The source code is consistent with the various samples that have been seen in the wild over the last few years," said Flashpoint Director of Research Vitali Kremez.

TreasureHunter leak bound to spawn new threats

With the source code out in the open, TreasureHunter is bound to spawn a wave of new PoS malware strains, similar to how the source code leaks of Zeus (Windows banking trojan), BankBot (Android banking trojan), Alina (PoS malware), Tsunami (Linux/IoT DDoS and botnet malware) and Mirai (Linux/IoT DDoS and botnet malware) spawned tens of copycats over the past years.

While the reasons behind the TreasureHunter source code leak have not been made clear, the malware itself is quite old, having first been spotted back in 2014.

It is possible that the people behind this threat are working on a newer and revamped version, and decided to dump their old work in the process.

TreasureHunter is the work of malware author Jolly Roger

According to a 2016 FireEye investigation, TreasureHunter was developed by a malware author who goes by the name of Jolly Roger, and who created the malware for a group named BearsInc, known to operate a cybercrime forum where they sold stolen payment card details.

The malware was never a widespread strain and was most likely used by this group alone to gather payment card details to sell on their forum.

The malware itself is not something overly complex, and fits the general modus operandi of all PoS malware strains.

Once it infects a Windows machine, TreasureHunter adds a DLL for boot persistence, scans for processes associated with PoS applications, extracts payment card details from the PC's memory, and uploads the stolen data to a remote server.

With TreasureHunter's source code out in the open, Flashpoint and other security firms now have a clearer look inside this threat's mode of operation, rather than only the view they have had until now from reverse-engineering its binaries.

This clearer look at how TreasureHunter operates will help with detection, although the availability of the source code will also lower the entry barrier for other malware authors looking to start a career in payment card theft.

Image credits: Gan Khoon Lay, Flashpoint, Bleeping Computer
