
Buried no more: Source code for TreasureHunter POS malware leaked on forum

Someone has leaked the source code of custom-built point-of-sale malware TreasureHunter onto an underground Russian-speaking forum, and already cybercriminals are talking about how to further improve and weaponize it now that it's available to the masses.

In a company blog post released today, Vitali Kremez, director of research at Flashpoint, reports that the source code for the malware's graphical user interface builder and administrator panel was likewise published. The motive behind the leak, which Flashpoint detected last March, is currently unknown.

Naturally, the concern is that the leak will spawn a barrage of new attacks featuring modified and forked versions of TreasureHunter, especially as bad actors begin to experiment with the code.

"The availability of both code bases lowers the barrier for entry for cybercriminals wishing to capitalize on the leaks to build their own variants of the POS malware," writes Kremez. In response, Flashpoint teamed up with Cisco Systems' Talos threat research group to improve protections and detection capabilities against TreasureHunter, "in an effort to disrupt potential copycats who may have their hands on the source code."

“We worked with Flashpoint to help ensure we could provide coverage both to our customers and the community, even if they were not Cisco customers,” said Craig Williams, senior threat researcher and global outreach manager, in comments to SC Media.

While the leak opens up new opportunities for would-be attackers, so too does it provide white-hat researchers with never-before-possible insights into the malware, which first emerged in 2014 and appears to have specifically been developed for BearsInc, an underground dump shop specializing in credit card fraud.

Indeed, an analysis of the leaked code -- written in pure C with no C++ features -- shows that it's "consistent with the various samples that have been seen in the wild over the last few years" and "shows definite signs of modification over the lifespan of the malware," the Flashpoint blog post states.

"The TreasureHunter leak reveals a rather simple but stable original source code, with the goal to allow simple turnkey malware creation as point-of-sale-malware-builder-on-the-go," said Kremez in an email interview with SC Media. "Based on analysis, researchers believe the developer intended to improve and redesign various features including anti-debugging, code structure improvement, and gate communication logic." 

The developer -- an apparent Russian speaker who is also proficient in English and reportedly goes by the alias Jolly Roger -- even left a note in his code that says, “We want the malware researchers screamin'!” -- an indication he had intentions to make the malware increasingly difficult to analyze.

Bradley Barth

