
TreasureHunter

Posted: November 28, 2018

TreasureHunter is a Point-of-Sale Trojan that compromises PoS systems to collect the credit card data they process. The recent public release of TreasureHunter's code could let criminals generate variants of this threat even without any notable programming experience. Businesses should protect their PoS hardware with appropriate anti-malware and network-monitoring products that detect and remove TreasureHunter automatically.

Misappropriating Someone Else's Treasure is Easier than Ever Before

The TreasureHunter family of PoS Trojans, referenced internally as 'trhutt34C', has seen various updates and incomplete plans for additional features since 2014. However, recent activity on the Russian dark Web potentially makes this old family of Point-of-Sale threats much more dangerous than before. Thanks to a single threat actor, the family is now, effectively, 'freeware' available for anyone to abuse.

The leaks provided both the source code for TreasureHunter and a construction kit, or builder application, that generates new versions of the Trojan with minor configuration differences. Although malware researchers haven't yet found any new campaigns using these tools, it's unlikely that threat actors around the world will refrain from using these ready-made resources in their credit card fraud campaigns. TreasureHunter is Windows software but, unlike most similar threats, is written in C rather than C++.

The essentials of TreasureHunter's operations differ little from those of other Point-of-Sale threats. Infection vectors are typically network-based, and TreasureHunter achieves persistence through a Registry edit. It then scans the memory of running processes for card data, such as service codes and primary account numbers, and uploads what it finds to a Command & Control server. While these features are fully functional, TreasureHunter's original author had plans to improve the Trojan's efficiency and showed concern about evading security solutions and anti-malware analysts.

Hunting Down Credit Card Thieves

TreasureHunter lacks the ANSI functions, anti-debugging, command-based uninstallation and Command Prompt features that its creator planned to add over the past four years. On the other hand, criminals can now add their own modifications to TreasureHunter freely, since it is 'freeware' no different from, for example, the often-abused Hidden Tear family. The addition of a dedicated builder tool also lets threat actors with no programming proficiency make effective use of the PoS Trojan for scraping credit card data en masse.

Businesses believing that their hardware is at risk should make use of appropriate network-monitoring tools that can block TreasureHunter's C&C communications. Most anti-malware packages should also remove TreasureHunter on sight. Some PoS Trojan campaigns use 'insiders' to compromise systems, but targeted, social engineering-based tactics that try to trick specific employees into installing the Trojan are commonplace.

With the gradual switch to chip-based card technology, the TreasureHunter family may become extinct in due time. Until that happens, however, threat actors are strongly incentivized to abuse PoS Trojans as much as possible while they still work.
