A new malicious virus has been detected and reported to attack PoS systems of primarily small businesses. The malware enters the user PC via spam mails, and it carefully selects what kind of information to collect from infected users. The malware has been reported by researchers to be associated with the hacker group BearsInc. This particular type of malware is also focused on attacking via php, and it collects information after which corresponds with the cyber-crooks CNC (command and control) servers.
|Type||PoS Malware with BruteForce capabilities.|
|Short Description||The malware steals financial data from PoS systems of small businesses.|
|Symptoms||The user may witness higher network utilization in Windows Task manager while the malware is transferring information to the CnC server.|
|Distribution Method||Via other malware or programs that appear legitimate but aren’t.|
|Detection Tool||Download Malware Removal Tool, to See If Your System Has Been Affected by malware|
|User Experience||Join our forum to discuss TreasureHunt.|
TreasureHunt PoS Malware – Distribution
It is widely believed that this malware may be distributed by several different methods:
- Via other programs such as a program imitating Visual Studio 2012.
- Via other obfuscated malware such as a Rookit or Trojan.Downloader on a previously infected device.
- Via exploit kit carried through spam mails, similar to the one in the example picture below.
All users are strongly advised to follow simple security tips (LINKKK) to avoid such occurrences in the future.
TreasureHunt PoS Malware – How Does It Work
This malware uses the so-called “gate.php” object which it uses in the following command to send intercepted financial information:
→ POST /gate.php?report=true
Researchers at Fireeye have identified the following samples in different domains of the “gate.php” object:
The domains associated with the samples are of a various character and names:
The collected information may be credit card numbers, online banking passwords, bitcoin addresses and account passwords.
Not only this, but this malicious threat may also use a BruteForce type of attack to break into different user accounts. It may have pre-set combinations of user names and passwords in a large file which may be used from a distance to discover the password.
Remove TreasureHunt PoS Malware
To detect whether or not you have this threat on your PoS device, you should scan it with an advanced anti-malware software. In case, any threat of this type is detected it is advisable to act immediately and change ALL of your financial credentials and any account credentials on this device and any other device on your PoS network. Furthermore, it is strongly recommended to reconfigure your network changing some values and resetting it in case there is any device connected to it.
After that, we strongly advise you to follow the steps mentioned in this article. They will make sure you effectively isolate after which remove this cyber-threat from your computer. In the end, we would definitely recommend following the security tips mentioned in the red link in the “Distribution” section of this article.