TreasureHunter source code leaked for the masses to pillage PoS systems

The release could result in a new wave of malware hitting restaurants, hotels, and the retail sector.
Written by Charlie Osborne, Contributing Writer

The source code for the TreasureHunter point-of-sale (PoS) malware has been leaked online and may result in a fresh wave of attacks against retailers.

The code, discovered and confirmed by Flashpoint researchers, has been released to the public through a Russian-speaking online forum.

The same threat actor has also leaked the malware's GUI builder and administrator panel, which, once compiled, give those without specialized knowledge the opportunity to wreak havoc on target PoS systems.

PoS malware, often small in size, is designed to target systems used in sales, including retail terminals. Once a system is infected, the malicious code will often covertly steal data -- such as credit card numbers -- and send this information to a command-and-control (C&C) server under an attacker's control.

This stolen information may then be used to create cloned cards, and customer records stolen from PoS terminals may also be sold on for the purposes of identity theft.

In the cases of Target and Home Depot, for example, millions of customer records were stolen, costing both companies millions of dollars in damages alone.

On Thursday, Flashpoint said in a blog post that TreasureHunter is no different.

The malware family has been on the radar since 2014. The original developer appears to be a Russian speaker with proficiency in the English language who developed TreasureHunter for the underground dump seller BearsInc.

According to a FireEye investigation, the malware is the work of a threat actor dubbed Jolly Roger.

TreasureHunter is a typical PoS malware variant. The malware targets Windows-based servers and PoS terminals and, once installed and executed, creates a registry entry that launches the malware at startup.

The malicious code then scans PoS devices for track data and credit card information. These records are then collected and sent to a C&C server.

It is not known why the source code has been leaked. It may be that the operator is leaving the PoS criminal world and is washing their hands of their creation, or it could be that a new-and-improved PoS malware is in development.


"In the past, malware source code leaks such as the Zeus banking Trojan have spawned numerous variants, including Citadel, which cost organizations hundreds of millions in losses," the researchers note. "PoS malware leaks have had similar effects, most notably with the 2015 leak of the Alina malware which led to the creation of the ProPoS and Katrina variants."

The source code is available and therefore can be customized by users for their own ends -- potentially leading to an influx of new PoS malware variants.

One silver lining, however, is that security researchers can also plunder the code for insight into the PoS malware industry and use this knowledge to improve cybersecurity solutions for individuals and businesses alike.
