As more US companies snuff out point of sale malware by deploying chip-and-PIN bankcard technology, attackers are rushing to exploit existing magnetic strip card systems still vulnerable to malware. A group of hackers that go by the name Bears Inc. are behind the latest barrage of attacks with a custom-built point of sale malware called Treasurehunt, according to research from FireEye.
What makes Treasurehunt malware unique is that it’s exclusively being used by Bears Inc. hackers and does not fit the typical pattern of malware that is often widely available on black markets. That allows Treasurehunt to fly under a lot of security admin radars, researchers claim.
“This group is very active in selling stolen credit card data,” said Nart Villeneuve, principal threat intelligence analyst at FireEye. “They are the only group using Treasurehunt malware, making it hard for security professionals to identify it.” It’s also giving them a steady stream of fresh bankcard numbers to resell, Villeneuve told Threatpost Monday.
FireEye reports that this POS malware is custom-built and once a system has been compromised, the Treasurehunt malware can extract payment card information from the POS computer system’s memory and transmit data to a command and control server operated by Bears Inc.
“As time runs out for hackers to exploit older POS systems we are seeing an influx in related malware,” Villeneuve said. “There is nothing particularly unique in how Treasurehunt exploits these systems. But the relatively sparse sample set suggests that Treasurehunt may be deployed in a targeted manner rather than indiscriminately.” Villeneuve said, despite new payment card industry data security standards introduced in 2015, many smaller US-based retailers and banks are slow to transition making them prime targets for Treasurehunt.
According to the company, Treasurehunt is primarily finding its way onto POS terminals using stolen credential or through brute force password attacks.
“The malware scans all running processes and ignores processes that contain System33, SysWOW64, or \Windows\explorer.exe in their module names. It searches for payment card data and, if found, sends the data encoded back to the CnC server,” wrote Villeneuve in a report outlining his research.
Treasurehunt gives Bears Inc. hackers control over the POS system and allows them to continue harvesting stolen payment card information through a web interface located on Bears Inc.’s command and control server.
FireEye estimates the vulnerability has been quietly in use since 2014, noting that attackers have tweaked it over the past several months, particularly in the way the malware stores encoded POS configuration data in the NTFS alternate data streams (ADS) of the file %USERPROFILE%\ntuser.ini.
While some cybercriminals are looking ahead in an effort to develop ways to exploit chip and PIN (as well as near-field communication technologies), many cyber criminals are looking take advantage of memory scraping POS malware while it still works, Villeneuve said.