Flashpoint specialists reported that in March 2018 the source code of the TreasureHunter PoS malware was published. Exactly why the leak happened is unknown, but the experts believe that a rise in PoS malware should now be expected. Other threats have repeatedly shown similar spikes in activity after their source code leaked, for example the Zeus banking trojan, the mobile banker BankBot, and the IoT malware Mirai.
TreasureHunter has existed since at least 2014, and its authorship is attributed to the BearsInc group. Like many other PoS threats, the malware is used to attack Windows machines. After infecting one, TreasureHunter installs its DLL and a registry key to maintain persistence, and then searches for PoS-related processes. If processes of interest are found, the malware steals bank card data from the infected machine's memory and sends it to the attackers' remote command-and-control server.
Flashpoint experts write that the TreasureHunter source code was published on an unnamed Russian-language hacker forum, and after careful study the company's analysts were able to confirm its authenticity. It should be noted that the threat cannot be called new: the original TreasureHunter is written in pure C, without C++, and was compiled in Visual Studio 2013 on Windows XP.
Experts now predict that many imitators will appear based on the TreasureHunter sources (according to the company, possible ways to improve and use the malware are already being actively discussed on underground forums). At the same time, the company's specialists note that the code leak allows information security specialists to study the threat in more detail and develop more effective methods of combating it.