Hey you,
BE IN THE KNOW!

35,000 ransomware infections per month and you still believe you are protected?

Sign up to receive:

  • alerts
  • news
  • free how-to-remove guides

of the newest online threats - directly to your inbox:


TreasureHunt PoS Malware Description and Removal

shutterstock_278999798A new malicious virus has been detected and reported to attack PoS systems of primarily small businesses. The malware enters the user PC via spam mails, and it carefully selects what kind of information to collect from infected users. The malware has been reported by researchers to be associated with the hacker group BearsInc. This particular type of malware is also focused on attacking via php, and it collects information after which corresponds with the cyber-crooks CNC (command and control) servers.

NameTreasureHunt
TypePoS Malware with BruteForce capabilities.
Short DescriptionThe malware steals financial data from PoS systems of small businesses.
SymptomsThe user may witness higher network utilization in Windows Task manager while the malware is transferring information to the CnC server.
Distribution MethodVia other malware or programs that appear legitimate but aren’t.
Detection ToolDownload Malware Removal Tool, to See If Your System Has Been Affected by TreasureHunt
User Experience Join our forum to discuss TreasureHunt.

TreasureHunt PoS Malware – Distribution

It is widely believed that this malware may be distributed by several different methods:

malicious-email-spam-links-sensorstechforum

All users are strongly advised to follow simple security tips (LINKKK) to avoid such occurrences in the future.

TreasureHunt PoS Malware – How Does It Work

This malware uses the so-called “gate.php” object which it uses in the following command to send intercepted financial information:

→ POST /gate.php?report=true

Researchers at Fireeye have identified the following samples in different domains of the “gate.php” object:

→ megastock/gate.php
sdfsgsdsdssdf/gate.php
wp-content/temp/gate.php
noth/gate.php
/southcal/gate.php
/gate.php
/alabol/gate.php
/nothcal/gate.php

The domains associated with the samples are of a various character and names:

  • millionjam(.)eu
  • cortykopl(.)com
  • 91.232.29.83
  • it71092781-cy2892378-load887238(.)com
  • 179.43.160.34
  • 3sipiojt(.)com
  • seatrip888(.)eu
  • friltopyes(.)com

The collected information may be credit card numbers, online banking passwords, bitcoin addresses and account passwords.

Not only this, but this malicious threat may also use a BruteForce type of attack to break into different user accounts. It may have pre-set combinations of user names and passwords in a large file which may be used from a distance to discover the password.

Remove TreasureHunt PoS Malware

To detect whether or not you have this threat on your PoS device, you should scan it with an advanced anti-malware software. In case, any threat of this type is detected it is advisable to act immediately and change ALL of your financial credentials and any account credentials on this device and any other device on your PoS network. Furthermore, it is strongly recommended to reconfigure your network changing some values and resetting it in case there is any device connected to it.

After that, we strongly advise you to follow the steps mentioned in this article. They will make sure you effectively isolate after which remove this cyber-threat from your computer. In the end, we would definitely recommend following the security tips mentioned in the red link in the “Distribution” section of this article.

1. Boot Your PC In Safe Mode to isolate and remove TreasureHunt
2. Remove TreasureHunt with SpyHunter Anti-Malware Tool
3. Back up your data to secure it against infections by TreasureHunt in the future
Optional: Using Alternative Anti-Malware Tools

Vencislav Krustev

A network administrator and malware researcher at SensorsTechForum with passion for discovery of new shifts and innovations in cyber security. Strong believer in basic education of every user towards online safety.

More Posts - Website

Share on Facebook Share
Loading...
Share on Twitter Tweet
Loading...
Share on Google Plus Share
Loading...
Share on Linkedin Share
Loading...
Share on Digg Share
Share on Reddit Share
Loading...
Share on Stumbleupon Share
Loading...
Please wait...

Subscribe to our newsletter

Want to be notified when our article is published? Enter your email address and name below to be the first to know.