Security Experts:

TreasureHunter PoS Malware Source Code Leaked Online

New variants of the TreasureHunter point-of-sale (PoS) malware are expected to emerge after its source code was leaked online in March, Flashpoint warns.

Capable of extracting credit and debit card information from processes running on infected systems, the PoS malware family has been around since at least 2014. To perform its nefarious activities, it scans all processes on the machine to search for payment card data, and then sends the information to the command and control (C&C) servers.

The malware’s source code was posted on a top-tier Russian-speaking forum by an actor who also leaked the source code for the malware’s graphical user interface builder and administrator panel.

The availability of both code bases is expected to allow more cybercriminals to build their own PoS malware variants and start using them in attacks. However, the availability of the code also provides security researchers with the possibility to better analyze the threat. In fact, Flashpoint, which discovered the leak in March, has been working together with Cisco Talos to improve protections and disrupt potential copycats who may have obtained the leaked source code.

“In the meantime, Russian-speaking cybercriminals have been observed on the vetted underground discussing improvements and weaponization of the leaked TreasureHunter source code,” the security researchers explain in a report shared with SecurityWeek.  

The original malware developer is likely a Russian speaker who is proficient in English. According to Flashpoint, the threat might have been originally developed for the notorious underground shop dump seller BearsInc, but the reason why the code was leaked is unknown.

TreasureHunter likely installed using weak credentials. The attacker accesses a Windows-based server and the point-of-sale terminal, installs the threat, and then establishes persistence through creating a registry key to execute the malware at startup.

The threat then enumerates running processes and starts scanning the device memory for track data such as primary account numbers (PANs), separators, service codes, and more. Next, it establishes a connection with the C&C and sends the stolen data to the attacker.

“Besides alina, vskimmer and other sniffers, Treasure Hunter still sniffs (not at a very high rate, but it still does) and besides that, since now you have the source code, it can be update anytime for your own needs,” the actor behind the TreasureHunter leak apparently said.

Internally, the code project was supposedly called trhutt34C. The malware is written in pure C with no C++ features and was originally compiled in Visual Studio 2013 on Windows XP. The researchers believe the malware author was also looking to improve and redesign various features including anti-debugging, code structure, and gate communication logic.

The source code is consistent with the previously analyzed TreasureHunter samples and a config.h file shows “definite signs of modification over the lifespan of the malware.” More recent samples write useful config values directly into the fields, which makes them smaller.

Related: New PoS Malware Family Discovered

Related: Hackers Use Custom PoS Malware to Target Retailers

view counter