BearsInc group behind this new PoS malware threat

Mar 29, 2016 09:55 GMT

A new strain of malware is targeting PoS terminals in the US, aimed at small businesses and banks that have not yet transitioned to the new EMV chip and PIN card system.

Named TreasureHunt, this PoS (Point of Sale) malware has been around since late 2014, when FireEye researchers discovered traces of its early variants.

Almost all PoS malware falls into one of three categories: freely available tools, usually older PoS malware whose source code was leaked or stolen; PoS malware sold on underground markets, usually older families or variations of previously leaked code; and custom-built PoS malware.

TreasureHunt PoS malware is the work of the BearsInc cyber-crime group

TreasureHunt belongs to this last category: it was built for the exclusive use of a single group, which avoids sharing it with others and uses it to power its own cyber-crime campaigns.

In this particular case, FireEye has linked the malware's source to a coder using the handle Jolly Roger and to the BearsInc threat group. BearsInc is not a well-known name among hacking crews, but it is very popular in the carding community, where it publishes regular data dumps containing credit card numbers and related information.

FireEye speculates that this group is using the TreasureHunt PoS malware as the source for all those dumps.

TreasureHunt infections occur via manual hacking

Technically, at its core, the malware is not that different from other PoS malware. Once on a machine, TreasureHunt adds a registry key for boot persistence and then starts scanning the computer's memory for any credit card data. As soon as card data is found, it is encoded and sent to a C&C server.

FireEye says that TreasureHunt infections do not occur via spam, the way most PoS malware spreads, but through manual hacking: BearsInc members use stolen credentials for PoS terminals to place the malware on the payment terminal. The group also uses brute-force attacks to break into PoS terminals that use weak passwords.

As the EMV transition in the US has accelerated since this past October, the group appears to have intensified its operations in recent months. The reason is that these PoS terminals, and all the current PoS malware written for them, will become irrelevant once banks and businesses move to the new EMV chip-based cards.