Be Alert, Bankers and Traders! TreasureHunt Malware Ahead!

It sounds bad, and it is true: criminals are using Point of Sale (PoS) malware to go after banks, wholesalers, traders and the retailers that take card payments. The malware, named TreasureHunt, gives the attackers a foothold on systems used by these businesses; once inside, it steals the data of the credit and debit cards their customers have paid with. All of this comes from security researchers at FireEye.

The PoS malware itself is not new. It was first spotted about two years ago by another security organisation, the SANS Institute. Even then it was able to rename itself, using random file names to evade antivirus tools and other defences. The TreasureHunt now described by FireEye appears to be an updated version of that older malware.

The targets are banks and small retailers that still process transactions by swiping magnetic-stripe cards through Point of Sale terminals. A swipe hands the card's full track data to the PoS software in clear text, which is exactly what memory-scraping malware reads. Companies that have moved to EMV (Europay, Mastercard and Visa) chip-card payments are far better protected: a chip transaction does not expose the static stripe data, so what the terminal handles cannot simply be reused to clone a card. The caveat: that protection only holds where the terminal no longer falls back to a magnetic-stripe swipe.

Many small companies and retailers have not adopted EMV because the hardware is expensive. The industry-wide migration to EMV has been estimated at more than 10 billion dollars, a cost that small retailers and banks cannot easily absorb; even a single merchant's rollout can run into millions. Large banks are spending millions of dollars to protect their transactions with EMV.

Attackers therefore go after the small companies and retailers that still rely on magnetic-stripe PoS processing. Migration to the new payment standard is slow and costly, and small retailers and financial institutions struggle to find that kind of money. The attackers know this and pick out exactly those retailers and banks. TreasureHunt is their new weapon for stealing card data from PoS systems.

TreasureHunt steals credit card (CC) and debit card (DC) data by memory scraping: it reads the memory of the PoS process while the card's track data is still held there in clear text, between the swipe and the moment the data is encrypted for transmission. The attackers control the malware through a command and control server, collect the stolen card data and sell it on the dark web.
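The search a memory scraper performs is the same one a defender can run to find exposed track data in a PoS process. The following is an added example written for this article, not code from FireEye or from the malware: it matches the magnetic-stripe Track 1 and Track 2 formats against a constructed byte buffer standing in for PoS process memory (the card numbers are the public Visa and Mastercard test PANs) and uses the Luhn check to discard look-alike digit runs. Reading a real process's memory on Windows would need ReadProcessMemory, which is out of scope here.

```python
import re

# Constructed sample of what sits in a PoS process's memory right after a swipe.
# The PANs are the public Visa/Mastercard *test* numbers, not real cards.
SAMPLE_MEMORY = (
    b"\x00\x00POS-TERMINAL v3.2 idle\x00\x00"
    b"%B4111111111111111^DOE/JOHN ^2512101000000000?"   # Track 1, Visa test PAN
    b"\x00\x00\x00"
    b";4111111111111111=2512101123456789?"              # Track 2, same card
    b"\x00ORDER 20160328 TOTAL 12.34\x00"
    b";4111111111111112=2512101123456789?"              # Luhn-invalid decoy, must be skipped
    b"\x00\x00"
    b";5555555555554444=2603201987654321?"              # Track 2, Mastercard test PAN
    b"\x00\x00"
)

# Track 1: %B<PAN>^<NAME>^<YYMM><service code><discretionary data>?
TRACK1_RE = re.compile(rb"%B([0-9]{13,19})\^([A-Z0-9 /.\-]{2,26})\^([0-9]{4})([0-9]{3})[0-9 ]*\?")
# Track 2: <PAN>=<YYMM><service code><discretionary data>?  (the ';' sentinel is not required)
TRACK2_RE = re.compile(rb"(?<![0-9])([0-9]{13,19})=([0-9]{4})([0-9]{3})[0-9]{0,20}\??")


def luhn_ok(pan: str) -> bool:
    """Luhn mod-10 check: every real PAN passes, most random digit runs do not."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(pan: str) -> str:
    """Keep BIN and last four, as a report should never carry the full PAN."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_memory(buf: bytes) -> list:
    """Return Luhn-valid Track 1 / Track 2 records found in buf, ordered by offset."""
    hits = []
    for track, rx in (("1", TRACK1_RE), ("2", TRACK2_RE)):
        for m in rx.finditer(buf):
            pan = m.group(1).decode()
            if not luhn_ok(pan):
                continue
            expiry = m.group(3) if track == "1" else m.group(2)
            hits.append({
                "track": track,
                "pan_masked": mask(pan),
                "expiry": expiry.decode(),
                "offset": m.start(),
            })
    return sorted(hits, key=lambda h: h["offset"])


if __name__ == "__main__":
    for h in scan_memory(SAMPLE_MEMORY):
        print(f"track {h['track']} at offset {h['offset']}: {h['pan_masked']} exp {h['expiry']}")
```

The Luhn filter is what separates a useful scan from noise: order numbers, timestamps and other digit runs that happen to sit next to an "=" are dropped, while the three genuine records (one Track 1 and two Track 2) are reported with the PAN masked.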

The malware persists across reboots through the Windows registry: it adds a value named jucheck under HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run so that it starts with the system (the name imitates the Java update checker). It works the same way as its earlier version; the most visible difference reported is in how it stores the captured data on disk (described as an NTFS-based format). The authors also left a string in the binary: "TreasureHunter version 0.1.1 Alpha, created by Jolly Roger (jollyroger@prv.name) for BearsInc, Greets to Xylitol and co". The "Greets to" part is a shout-out of the kind malware authors often embed, not evidence that systems belonging to Xylitol were breached. From this string FireEye's researchers concluded that "Jolly Roger" may be the author. BearsInc is reportedly one of the dark-web carding communities that sell stolen payment data on the black market.
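A Run-key entry like the one above is easy to audit. The script below is an added example by the editor, not FireEye's tooling: it applies two heuristics to the HKLM Run values, flagging autostart binaries that live in user-writable directories and value names that imitate the Java updater without pointing at its install directory. The legitimate updater's value name ("SunJavaUpdateSched") and its path under Common Files\Java\Java Update are assumptions of this example, as is the list of user-writable directories; the sample entries are constructed. On Windows it reads the real key via winreg, elsewhere it runs against the sample.

```python
from typing import Dict, List

RUN_KEY = r"Software\Microsoft\Windows\CurrentVersion\Run"   # under HKEY_LOCAL_MACHINE

# Heuristic 1: autostart binaries living where any user can write (assumed list).
USER_WRITABLE_DIRS = ("/appdata/local/temp/", "/windows/temp/", "/programdata/", "/users/public/")

# Heuristic 2: value names that imitate the Java updater. Assumption (not from the
# FireEye report): the genuine updater registers "SunJavaUpdateSched" and its
# binaries (jusched.exe, jucheck.exe) live under ...\Common Files\Java\Java Update\.
JAVA_LOOKALIKE_NAMES = {"jucheck", "jusched", "sunjavaupdatesched"}
JAVA_UPDATE_DIR = "/common files/java/java update/"


def exe_path(value_data: str) -> str:
    """Strip quotes and arguments from a Run value, returning just the executable path."""
    s = value_data.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        return s[1:end] if end > 0 else s[1:]
    return s.split(" ", 1)[0]


def audit_run_entries(entries: Dict[str, str]) -> List[dict]:
    """Return a finding per suspicious Run value; an empty list means nothing flagged."""
    findings = []
    for name, data in entries.items():
        path = exe_path(data)
        norm = path.replace("\\", "/").lower()      # normalise for substring checks
        reasons = []
        if any(d in norm for d in USER_WRITABLE_DIRS):
            reasons.append("autostart binary in a user-writable directory")
        if name.lower() in JAVA_LOOKALIKE_NAMES and JAVA_UPDATE_DIR not in norm:
            reasons.append("name imitates the Java updater but path is not the Java Update directory")
        if reasons:
            findings.append({"name": name, "path": path, "reasons": reasons})
    return findings


def read_run_key_live() -> Dict[str, str]:
    """Enumerate the real HKLM Run key. Windows only; returns {} elsewhere."""
    try:
        import winreg
    except ImportError:
        return {}
    entries: Dict[str, str] = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, RUN_KEY) as key:
        i = 0
        while True:
            try:
                name, data, _ = winreg.EnumValue(key, i)
            except OSError:                          # no more values
                break
            entries[name] = str(data)
            i += 1
    return entries


# Constructed sample: two ordinary entries plus one that mimics the Java update checker.
SAMPLE_RUN_ENTRIES = {
    "SecurityHealth": r"%windir%\system32\SecurityHealthSystray.exe",
    "SunJavaUpdateSched": r'"C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"',
    "jucheck": r"C:\Windows\Temp\jucheck.exe",
}

if __name__ == "__main__":
    live = read_run_key_live()
    for f in audit_run_entries(live or SAMPLE_RUN_ENTRIES):
        print(f["name"], "->", f["path"], "|", "; ".join(f["reasons"]))
```

Only the jucheck entry is reported, on both counts: it sits in C:\Windows\Temp and it borrows a Java updater name without living in the Java Update directory. The genuine SunJavaUpdateSched entry passes because its path matches the expected directory.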