TreasureHunt PoS Malware Description and Removal - How to, Technology and PC Security Forum |

TreasureHunt PoS Malware Description and Removal

shutterstock_278999798A new malicious virus has been detected and reported to attack PoS systems of primarily small businesses. The malware enters the user PC via spam mails, and it carefully selects what kind of information to collect from infected users. The malware has been reported by researchers to be associated with the hacker group BearsInc. This particular type of malware is also focused on attacking via php, and it collects information after which corresponds with the cyber-crooks CNC (command and control) servers.

TypePoS Malware with BruteForce capabilities.
Short DescriptionThe malware steals financial data from PoS systems of small businesses.
SymptomsThe user may witness higher network utilization in Windows Task manager while the malware is transferring information to the CnC server.
Distribution MethodVia other malware or programs that appear legitimate but aren’t.
Detection ToolDownload Malware Removal Tool, to See If Your System Has Been Affected by TreasureHunt
User Experience Join our forum to discuss TreasureHunt.

TreasureHunt PoS Malware – Distribution

It is widely believed that this malware may be distributed by several different methods:


All users are strongly advised to follow simple security tips (LINKKK) to avoid such occurrences in the future.

TreasureHunt PoS Malware – How Does It Work

This malware uses the so-called “gate.php” object which it uses in the following command to send intercepted financial information:

→ POST /gate.php?report=true

Researchers at Fireeye have identified the following samples in different domains of the “gate.php” object:

→ megastock/gate.php

The domains associated with the samples are of a various character and names:

  • millionjam(.)eu
  • cortykopl(.)com
  • it71092781-cy2892378-load887238(.)com
  • 3sipiojt(.)com
  • seatrip888(.)eu
  • friltopyes(.)com

The collected information may be credit card numbers, online banking passwords, bitcoin addresses and account passwords.

Not only this, but this malicious threat may also use a BruteForce type of attack to break into different user accounts. It may have pre-set combinations of user names and passwords in a large file which may be used from a distance to discover the password.

Remove TreasureHunt PoS Malware

To detect whether or not you have this threat on your PoS device, you should scan it with an advanced anti-malware software. In case, any threat of this type is detected it is advisable to act immediately and change ALL of your financial credentials and any account credentials on this device and any other device on your PoS network. Furthermore, it is strongly recommended to reconfigure your network changing some values and resetting it in case there is any device connected to it.

After that, we strongly advise you to follow the steps mentioned in this article. They will make sure you effectively isolate after which remove this cyber-threat from your computer. In the end, we would definitely recommend following the security tips mentioned in the red link in the “Distribution” section of this article.

1. Boot Your PC In Safe Mode to isolate and remove TreasureHunt
2. Remove TreasureHunt with SpyHunter Anti-Malware Tool
3. Back up your data to secure it against infections by TreasureHunt in the future
Optional: Using Alternative Anti-Malware Tools

Ventsislav Krastev

Ventsislav has been covering the latest malware, software and newest tech developments at SensorsTechForum for 3 years now. He started out as a network administrator. Having graduated Marketing as well, Ventsislav also has passion for discovery of new shifts and innovations in cybersecurity that become game changers. After studying Value Chain Management and then Network Administration, he found his passion within cybersecrurity and is a strong believer in basic education of every user towards online safety.

More Posts - Website

Leave a Comment

Your email address will not be published. Required fields are marked *

Time limit is exhausted. Please reload CAPTCHA.

Share on Facebook Share
Share on Twitter Tweet
Share on Google Plus Share
Share on Linkedin Share
Share on Digg Share
Share on Reddit Share
Share on Stumbleupon Share