
TreasureHunt

By GoldSparrow in Trojans

Threat Scorecard

Threat Level: 90 % (High)
Infected Computers: 61
First Seen: April 8, 2016
Last Seen: June 6, 2020
OS(es) Affected: Windows

TreasureHunt is a Point of Sale (PoS) threat that has been linked to a particular underground forum dedicated to credit card sharing. TreasureHunt seems to be related to BearsInc, a group of computer con artists. TreasureHunt may represent a real threat to small businesses and banks, since it is designed to prey on those that have not adopted the new EMV chip-and-PIN card system. This is typical of how such threats operate: they prey on end users who have not adapted to the latest security technology or software.

Analyzing TreasureHunt and Similar PoS Software

TreasureHunt has been active since 2014. However, the versions of TreasureHunt detected in late 2014 were early variants of this threat that lacked many of its current features. Most PoS malware, including TreasureHunt, belongs to one of three categories:

  1. There are old PoS threats that have been leaked or had their source code misappropriated. These old PoS threats may be freely available to use.
  2. There are PoS threats that are available for sale. These may be older PoS threats for which some protections may exist or variations of PoS threats from the first category.
  3. The third category consists of PoS threats that have been custom built for specific uses. These are the most harmful types of threats, since there may be no efficient protection against them until security researchers update security software and procedures to protect against them. TreasureHunt belongs to this category, making it particularly threatening.

TreasureHunt may be Linked to the BearsInc Computer Crime Group

TreasureHunt was created specifically for the use of one particular group of cybercrooks. This group avoids sharing TreasureHunt with other people and has used it to carry out a threat campaign that has netted them significant profits. It is in their best interest to prevent the dissemination of TreasureHunt, since wider distribution would give PC security researchers more samples to study and would create additional competition for them. PC security analysts have linked the TreasureHunt source to Jolly Roger, a coder known in the underground computer community, and to the BearsInc group. Although BearsInc has not been particularly connected to hacking and other harmful computer activity, the group is a well-known part of the carding community, regularly publishing large volumes of credit card numbers and information linked to these accounts. PC security researchers suspect that the source of this data is the TreasureHunt threat.

How the TreasureHunt Infections may Spread

One of the peculiar characteristics of TreasureHunt infections is that they seem to be the consequence of manual hacking of targeted computers. In its behavior, TreasureHunt does not seem very different from other, more common PoS threats. Essentially, TreasureHunt infects the user's computer, ensures that it remains on the computer running in the background at all times, and scans the affected computer's memory for credit card data. Whenever TreasureHunt intercepts credit card information, it encodes the data and relays it to its Command and Control server. However, unlike most PoS threats, which may be spread using common delivery methods such as spam email attachments and various social engineering techniques, TreasureHunt is not spread using spam messages. Rather, TreasureHunt is delivered manually, by hacking into a payment terminal using misappropriated credentials. Members of BearsInc may use brute force attacks to break into PoS terminals that have not been protected with a strong password. Since October, there has been a transition to EMV chip-based cards. This has resulted in an increase in TreasureHunt attacks, probably because TreasureHunt and other PoS malware currently in use may become useless once all banks and businesses begin using the new cards.
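Because the page describes TreasureHunt as being planted by hand after password guessing against a PoS terminal, the earliest point to catch such an intrusion is the logon burst that precedes it. The following Python script is an added example, not part of the original article and not code from TreasureHunt or BearsInc; it shows the detection logic a defender could run over terminal logon logs. Windows records a failed logon as Security event 4625 and a successful one as 4624; the single-line "key=value" log shape used here and the sample lines themselves are constructed for the example and are not a real Windows log format.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines in a simplified, syslog-like shape:
#   <timestamp> host=<terminal> event=<id> user=<name> src=<ip>
# event 4625 = failed logon, 4624 = successful logon (real Windows IDs);
# the line layout, hosts, users and addresses are assumptions for this example.
SAMPLE_LOG = """\
2016-04-08T02:10:01 host=POS-REG-01 event=4625 user=Administrator src=198.51.100.23
2016-04-08T02:10:03 host=POS-REG-01 event=4625 user=Administrator src=198.51.100.23
2016-04-08T02:10:04 host=POS-REG-01 event=4625 user=admin src=198.51.100.23
2016-04-08T02:10:06 host=POS-REG-01 event=4625 user=pos src=198.51.100.23
2016-04-08T02:10:07 host=POS-REG-01 event=4625 user=Administrator src=198.51.100.23
2016-04-08T02:10:09 host=POS-REG-01 event=4625 user=Administrator src=198.51.100.23
2016-04-08T02:10:11 host=POS-REG-01 event=4624 user=Administrator src=198.51.100.23
2016-04-08T09:15:00 host=POS-REG-02 event=4625 user=cashier src=10.0.0.15
2016-04-08T09:20:00 host=POS-REG-02 event=4624 user=cashier src=10.0.0.15
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) event=(?P<event>\d+) "
    r"user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    rec["event"] = int(rec["event"])
    return rec


def detect_password_guessing(log_text, threshold=5, window=timedelta(minutes=5)):
    """Alert once per (source IP, terminal) whose failed logons reach `threshold`
    within a sliding `window`, and alert again if a successful logon from the
    same source follows that burst (the pattern that precedes a manual install)."""
    failures = defaultdict(deque)  # (src, host) -> timestamps of recent failures
    burst_seen = set()
    alerts = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # skip malformed lines rather than crash the detector
        key = (rec["src"], rec["host"])
        if rec["event"] == 4625:
            q = failures[key]
            q.append(rec["ts"])
            # Drop failures that fell out of the window (lines are in time order).
            while q and rec["ts"] - q[0] > window:
                q.popleft()
            if len(q) >= threshold and key not in burst_seen:
                burst_seen.add(key)
                alerts.append({"kind": "password_guessing", "src": rec["src"],
                               "host": rec["host"], "failures": len(q),
                               "first": q[0], "last": rec["ts"]})
        elif rec["event"] == 4624 and key in burst_seen:
            # A success after a guessing burst is the high-priority signal.
            alerts.append({"kind": "success_after_guessing", "src": rec["src"],
                           "host": rec["host"], "user": rec["user"],
                           "at": rec["ts"]})
    return alerts


if __name__ == "__main__":
    for alert in detect_password_guessing(SAMPLE_LOG):
        print(alert)
```

On the sample data the detector raises one `password_guessing` alert for POS-REG-01 when the fifth failure arrives and one `success_after_guessing` alert when the later successful logon from the same address is seen; the single failure on POS-REG-02 stays below the threshold. The threshold and window are deliberately parameters, since a terminal that only a few staff members use can tolerate a much lower threshold than a shared administrative host.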
