Leaked Point-of-Sale Malware Source Code Could Fuel New Variants

The source code for a malware program called TreasureHunter, which has been used to steal payment card information from point-of-sale (PoS) systems for years, is now available to cybercriminals for free. As with similar incidents in the past, researchers expect that this leak will lead to more variants being developed.

According to researchers from Flashpoint, the TreasureHunter source code was leaked on a high-profile Russian-speaking forum complete with the source code for the malware’s “builder” program and administrator panel. This means that attackers now have full access to the complete toolset and can modify it to fit their particular needs.

“Russian-speaking cybercriminals have been observed on the vetted underground discussing improvements and weaponization of the leaked TreasureHunter source code,” Vitali Kremez, the director of research at Flashpoint, said in a blog post. “Notably, the original developer appears to be a Russian speaker who is proficient in English.”

TreasureHunter, which has been around since 2014, is what is sometimes referred to in the security industry as a memory scraper. Once it infects a Windows computer that processes data from a point-of-sale terminal, it scans its RAM memory for “track data”—the data encoded on a card’s magnetic strip used for processing transactions.

This information is valuable on the cybercriminal market, where it’s typically sold in bulk as “dumps,” because it can be used to clone payment cards.

Many of the large credit card breaches over the past decade, including the one at Target in 2013 and Home Depot in 2014, were the result of memory-scraping malware being installed on point-of-sale systems.

“In the past, malware source code leaks such as the Zeus banking Trojan have spawned numerous variants, including Citadel, which cost organizations hundreds of millions in losses,” Kremez warned. “PoS malware leaks have had similar effects, most notably with the 2015 leak of the Alina malware which led to the creation of the ProPoS and Katrina variants.”

The other side of the coin is that malware source code leaks also help researchers better understand threats and build protection and detection methods that are more difficult to evade.

Rogue Chrome Extensions Hijack Facebook Accounts, Deploy Cryptominers

Malicious Google Chrome extensions installed by more than 100,000 users are part of a botnet that steals Facebook login credentials and hijacks computing resources to mine cryptocurrency.

Researchers from Radware have identified seven extensions that are associated with a botnet they dubbed Nigelthorn and which has been active since March. Four of them have were caught by Google’s own security checks, but three flew under the radar and two were still active on the Chrome Web store when Radware found them.

The malware spreads through messages on Facebook that contain rogue links. When clicked, the links redirect users to fake YouTube pages that prompt them to install one of the malicious Chrome extensions.

If the installation is successful, the extension immediately kicks in and redirects users back to Facebook to steal their login credentials and Instagram cookies. The credentials are then used to continue spreading the malicious links through both private messages and Facebook posts.

The malicious code in the extensions also reaches out to a command-and-control server from where attackers can deliver instructions to execute other malicious components. For example, attackers can deploy an in-browser cryptomining script or code that forces browsers to open, like and comment on YouTube videos in an attempt to defraud YouTube.

It’s not just consumers that can be affected by such threats. Radware initially found one of the extensions inside the network of a global manufacturing firm that was using several security solutions.

Lucian Constantin

Lucian Constantin

Lucian has been covering computer security and the hacker culture for almost a decade, his work appearing in many technology publications including PCWorld, Computerworld, Network World, CIO, CSO, Forbes and The Inquirer. He has a bachelor's degree in political science, but has been passionate about computers and cybersecurity from an early age. Before he chose a career in journalism, Lucian worked as a system and network administrator. He enjoys attending security conferences and delving into interesting research papers. You can reach him at [email protected] or @lconstantin on Twitter. For encrypted email, his PGP key's fingerprint is: 7A66 4901 5CDA 844E 8C6D 04D5 2BB4 6332 FC52 6D42

lucian-constantin has 298 posts and counting.See all posts by lucian-constantin