Source code for the point-of-sale malware called TreasureHunter has been leaked, according to researchers who said the release offers them unique insights into the malware, but also gives them pause as they brace for expected variants.
Not just was TreasureHunter’s source code leaked, but so was source code for the malware’s graphical user interface-builder and administrator panel. The leaked code was found on a “top-tier” Russian-speaking hacker forum in March, according to Vitali Kremez, a senior intelligence analyst at Flashpoint, in a technical write-up of the discovery posted on Thursday.
“The availability of both code bases lowers the barrier for entry for cybercriminals wishing to capitalize on the leaks to build their own variants of the PoS malware,” he wrote.
TreasureHunter has been thorn in the side to companies since 2014, as cybercriminals burrowed the malware into PoS systems to scrape credit-card track data. According to a 2017 analysis by independent security engineer Arnaud Delmas, the malware is garden-variety and relies entirely on RAM scraping to attempt to steal credit-card primary account numbers; it also lacks any hooking capabilities.
“TreasureHunter was observed to be deployed on compromised point-of-sale machines by the criminal operators after they initially were able to successfully brute force their access to victim remote desktop protocol (RDP) servers,” researchers said.
Flashpoint said the malware was likely developed by an underground cybergang called Bears Inc. that primarily does business on low- to mid-tier hacking and carding communities. According to a 2016 report by FireEye, TreasureHunter is version of the PoS malware known as TreasureHunt, developed by malware author Jolly Roger specifically for Bears Inc.
Chief among researcher concerns is that the leaked source code will spawn a wave of new PoS threats. That’s typical with the accidental or intentional release of malware source code. In 2011, source code to the infamous Zeus crimeware kit was leaked, triggering a flurry of similar banking trojans into underground markets, including the tool known as Citadel, responsible for over $100 million in reported losses.
“PoS malware leaks have had similar effects, most notably with the 2015 leak of the Alina malware, which led to the creation of the ProPoS and Katrina variants,” Kremez wrote.
Researchers are at a loss as to why the malware code was released. In an email interview with Threatpost, Kremez said it might be an attempt by the developers to distance themselves from being unique malware code owners. “Oftentimes, various threat actors do so to frustrate and thwart possible law-enforcement investigation and attribution by law enforcement (e.g., Mirai and Zeus source code leaks),” he said.
The only silver lining tied to the code leak is that investigators will have a closer look into the malware and how it operates, for the first time. “TreasureHunter has been known and investigated since 2014, but until now investigators have had to reverse-engineer its code in order to analyze it,” Kremez said. “Now, with the full code available, analysts have previously unseen insight into the malware’s operation. It provides unique insights into coder’s mindset and operations style revealing interesting code comments.”
An analysis of the code, and the hacker chatter tied to the code’s release, lead researchers to a code project called “trhutt34C,” which they believe was an ongoing revamp of the malware.
“The developer intended to improve and redesign various features, including anti-debugging, code structure improvement and gate communication logic,” according to the Flashpoint analysis. “With the goal of additional features to be improved, the developer hoped frustrate malware analysis and subsequent research.”
A note left by one of the developers read: “We want the malware researchers screamin’!”