TreasureHunter Description

TreasureHunter belongs to a malware family of PoS (Point of Sale) malware. These threats are designed to extract credit card information at the point where the credit cards are processed (the point of sale) and then relay this information to a command and control server. Essentially, the criminals can use threats like TreasureHunter to collect credit card information from the shoppers when they are utilizing their credit card to make a purchase.

Some Background Related to PoS Malware Like TreasureHunter

In October 2015, PCI DSS rules changed, which made retailers liable if they had not transitioned to more secure card-reading mechanisms. However, many retailers are still using the older card swipe method rather than the more modern chips. There has been a marked increase in PoS malware appearing in 2015 and the following years, as criminals attempt to catch as many retailers as possible before they complete this transition from the older to the newer technology. Since 2015, numerous PoS malware families have appeared, some freely available, some available for purchase, and some created by criminal groups with more resources. TreasureHunter belongs to this third group and seems to have been custom made for a particular criminal group.

How TreasureHunter Carries Out Its Attack

TreasureHunter monitors running processes on an infected computer, collects credit card data from the infected computer's memory and relays this information to its command and control server. From there, the criminals can take this credit card information and use it to carry out numerous other tactics. In most cases, the criminals will take this misappropriated credit and debit card information and sell it to a third party in bulk. There are many ways in which TreasureHunter can be installed, but the most common is by taking advantage of poor password protection, allowing the criminals to gain access to the targeted point of sale system. Once TreasureHunter has been installed, it makes changes to the infected computer's settings that allow it to maintain persistence and run indefinitely on the infected device, even when it is shut down and restarted. TreasureHunter establishes a connection with its command and control server via HTTP. It runs continuously and relays the collected credit card information to its command and control server every time it detects a credit card transaction on the infected computer.
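The HTTP relay to a command and control server described above is the part of this behaviour a defender can most reliably see from the network, because a point of sale terminal has very few legitimate destinations. The following script is an added example, not code from the original article or from any TreasureHunter analysis: it parses a few constructed proxy log lines for a PoS network segment and flags any terminal that repeatedly posts to a host outside an assumed allowlist of the payment processor and patch server (the hostnames, log format and thresholds are all assumptions chosen for the illustration).

```python
"""Flag PoS terminals that beacon to destinations outside the processor allowlist.

Hypothetical detection script (not from the original article). It reads a
constructed proxy log for the PoS network segment and reports any
terminal -> destination pair that is off-allowlist and seen repeatedly at a
regular interval, which is the shape of the periodic HTTP relay described above.
"""
from collections import defaultdict
from datetime import datetime

# Assumption: PoS terminals should only reach the payment gateway and the
# internal patch server. These hostnames are placeholders, not real infrastructure.
ALLOWED_DESTINATIONS = {"gateway.example-processor.test", "updates.corp.test"}

# Constructed sample log lines in an assumed format:
# "<timestamp> <src_host> <method> <dest_host> <path> <bytes_out>"
SAMPLE_PROXY_LOG = """\
2016-03-01T10:00:01 pos-lane-03 POST gateway.example-processor.test /auth 412
2016-03-01T10:05:02 pos-lane-03 POST cdn-stats.example.test /upload.php 2048
2016-03-01T10:10:04 pos-lane-03 POST cdn-stats.example.test /upload.php 1980
2016-03-01T10:15:03 pos-lane-03 POST cdn-stats.example.test /upload.php 2101
2016-03-01T10:20:00 pos-lane-07 GET updates.corp.test /patch.msi 98000
2016-03-01T10:21:00 pos-lane-07 POST gateway.example-processor.test /auth 398
"""


def parse_line(line):
    """Split one log line into a record; raises ValueError on malformed input."""
    ts, src, method, dest, path, size = line.split()
    return {
        "ts": datetime.fromisoformat(ts),
        "src": src,
        "method": method,
        "dest": dest,
        "path": path,
        "bytes_out": int(size),
    }


def find_suspect_egress(log_text, allowed=ALLOWED_DESTINATIONS, min_hits=3):
    """Return {(src, dest): summary} for off-allowlist pairs seen >= min_hits times.

    The summary includes the mean interval between requests and the largest
    deviation from it, so an analyst can see how regular the cadence is.
    """
    hits = defaultdict(list)
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        rec = parse_line(raw)
        if rec["dest"] in allowed:
            continue  # expected traffic to the processor or patch server
        hits[(rec["src"], rec["dest"])].append(rec)

    findings = {}
    for key, recs in hits.items():
        if len(recs) < min_hits:
            continue
        recs.sort(key=lambda r: r["ts"])
        gaps = [(b["ts"] - a["ts"]).total_seconds() for a, b in zip(recs, recs[1:])]
        mean_gap = sum(gaps) / len(gaps)
        findings[key] = {
            "count": len(recs),
            "posts": sum(1 for r in recs if r["method"] == "POST"),
            "bytes_out": sum(r["bytes_out"] for r in recs),
            "mean_interval_s": mean_gap,
            "max_jitter_s": max(abs(g - mean_gap) for g in gaps),
        }
    return findings


if __name__ == "__main__":
    for (src, dest), summary in find_suspect_egress(SAMPLE_PROXY_LOG).items():
        print(f"{src} -> {dest}: {summary['count']} requests, "
              f"{summary['bytes_out']} bytes out, "
              f"every ~{summary['mean_interval_s']:.0f}s "
              f"(jitter {summary['max_jitter_s']:.1f}s)")
```

In the constructed log, pos-lane-03 posts to cdn-stats.example.test three times about five minutes apart with only a second or two of jitter, which is exactly the pattern to escalate on a terminal that should never talk to anything but the processor. The allowlist is the real control here: an egress policy that only permits the processor and patch server turns this detection into a block.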

Why Is the TreasureHunter Malware a Threat?

The first samples of TreasureHunter were observed in 2015, almost immediately after the rule changes mentioned above. These samples, which started appearing in November 2015 and March 2016, were practically identical and may be referred to as TreasureHunter 0.1.1, due in part to the presence of the following string in TreasureHunter's code:

TreasureHunter version 0.1.1 Alpha, created by Jolly Roger
( for BearsInc. Greets to Xylitol and co.

It is likely that the first versions of TreasureHunter were developed in October 2014. This threat was subsequently studied by PC security researchers throughout 2015 and 2016. The reference to 'Jolly Roger' in TreasureHunter's code may connect it to other malware, particularly an information collector released in 2013. The reference to 'Xylitol' in this code refers to a well-known PC security researcher who has uncovered various malware tactics, and is probably meant to taunt malware researchers.

What's in Store for Threats Like TreasureHunter

Due to the transition from the PIN technology to the EMV chip in the United States, it is likely that threats like TreasureHunter will no longer work in the future. Criminals will need to uncover new ways of carrying out these attacks, since point of sale devices will be (and already are) significantly safer. Since major retailers are the most likely to have completed this transition already, the intended targets for tactics like TreasureHunter are typically smaller businesses, which are less likely to have completed this technological transition.