Method: TreasureHunter Point-of-Sale Malware source code leak may spawn new variants

The TreasureHunter point-of-sale (PoS) malware appears to have returned to the spotlight: its source code, GUI and admin panel were reportedly leaked on a top-tier Russian-speaking forum in March 2018.

A 2016 investigation by FireEye provided a detailed analysis of the malware, which was first deployed in late 2014. The malware is not overly complex: it was reported to gain access to poorly secured PoS systems through stolen credentials. In brief, once installed, it established persistence through a registry ‘Run’ key, which launched the malware at startup; it then scanned the device’s memory for primary account numbers, separators and service codes, among other track data. The harvested data was sent to a CnC server through HTTP POST requests.
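Because the malware’s output is card track data leaving the PoS host in HTTP POST bodies, the natural network-side control is the DLP check the recommendations below mention. The following Python is an added example written for this digest; it is not FireEye’s, Flashpoint’s or Proficio’s code and contains nothing from the leaked source. The POST records, hostnames and bodies are constructed, the card numbers are standard industry test numbers, and the `inspect_post` / `alerts_for` names and the record layout are this example’s own assumptions. It validates candidate numbers with the Luhn check so that order ids and other digit runs are not flagged, and treats a track-2-style `PAN=YYMM` layout, or several PANs in one POST, as the exfiltration pattern rather than a single card number in an ordinary checkout form.

```python
import re
from typing import Dict, List

# Candidate PAN: 13-19 digits, optionally separated by single spaces or dashes.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# Track-2-style layout: PAN, '=' separator, YYMM expiry, 3-digit service code
# (the fields the text says TreasureHunter scrapes from memory).
TRACK2_RE = re.compile(r"(?<!\d)(\d{13,19})=(\d{4})(\d{3})")


def luhn_ok(digits: str) -> bool:
    """Luhn check-digit validation; filters random digit runs (order ids, timestamps)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                 # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_pans(text: str) -> List[str]:
    """Return the distinct Luhn-valid card numbers in text, separators removed."""
    pans: List[str] = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(digits) and digits not in pans:
            pans.append(digits)
    return pans


def mask(pan: str) -> str:
    """Keep BIN and last four so an analyst can triage without re-exposing the PAN."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def inspect_post(req: Dict[str, str]) -> Dict:
    """Score one outbound HTTP POST (hypothetical {host, path, body} record)."""
    body = req["body"]
    pans = find_pans(body)
    track2 = [m.group(1) for m in TRACK2_RE.finditer(body) if luhn_ok(m.group(1))]
    return {
        "host": req["host"],
        "pans": [mask(p) for p in pans],
        "track2": bool(track2),
        # One PAN in a form post can be legitimate checkout traffic; track-2 layout
        # or several PANs in a single POST is the scraper's exfiltration pattern.
        "alert": bool(track2) or len(pans) >= 2,
    }


# Constructed sample POSTs: hosts and bodies are made up for this example.
SAMPLE_POSTS = [
    {"host": "inventory.example.internal", "path": "/api/stock",
     "body": "sku=1234567890123456&qty=3&note=restock"},
    {"host": "203.0.113.10", "path": "/gate.php",
     "body": "data=4111111111111111=2512101%0A5500000000000004=2607201&id=pos-07"},
    {"host": "pay.example.com", "path": "/checkout",
     "body": "card=4111 1111 1111 1111&exp=12/25&name=J+Doe"},
]


def alerts_for(posts=SAMPLE_POSTS) -> List[str]:
    """Hosts that received a POST matching the exfiltration pattern."""
    return [r["host"] for r in map(inspect_post, posts) if r["alert"]]


if __name__ == "__main__":
    for post in SAMPLE_POSTS:
        print(inspect_post(post))
    print("alert hosts:", alerts_for())
```

In production the single-PAN case would additionally be judged by destination: a POST to an approved payment gateway is expected, the same body to an unknown IP is not, so the host allowlist belongs next to the threshold.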

According to Flashpoint, the malware originally had a limited reach and was linked to the underground dump seller “BearsInc”. The reasons for releasing the source code in the open remain unknown; one possible consequence is a new wave of PoS threats against hospitality and retail businesses. Flashpoint warns that, as with previous code leaks such as the Zeus banking Trojan and the Alina malware, the leak could result in increased activity by cybercriminals using the code to build their own variants of the malicious software. In fact, underground conversations on how to improve and weaponize the leaked TreasureHunter source code appear to be ongoing. On the other hand, the leak gives security professionals invaluable insight into the malware’s operations.

Proficio Threat Intelligence Recommendations:

  • Consider utilizing data loss prevention [DLP] solutions, designed to protect highly sensitive information
  • Consider employing end-to-end encryption starting from the point of swipe, which keeps the customers’ data encrypted throughout the whole payment process
  • Consider testing the devices and their implementation procedures, especially if put in place by third parties
  • Consider monitoring for unusual activity on the actual PoS machines


Method: MassMiner Worm Malware

Cryptocurrency mining malware has been on the rise in 2018, and one especially nasty variant leverages multiple exploits and hacking tools to spread. The MassMiner worm is mining malware that has been observed propagating from local networks to high-value targets with greater mining potential, such as Microsoft SQL servers.

Infected hosts attempt to spread the worm by first using the MassScan tool to enumerate potential victims and then running a variety of exploits, including the infamous CVE-2017-0143 EternalBlue exploit, the CVE-2017-5638 Apache Struts exploit and the CVE-2017-10271 WebServer exploit. MassMiner also brute-forces Microsoft SQL servers using SQLck and, once they are compromised, runs scripts to install MassMiner. PowerShell is used in the same manner to download MassMiner to compromised WebLogic servers, and a Visual Basic script is used to deploy the worm to compromised Apache Struts servers.

MassMiner then goes through the process of disabling numerous security features including anti-virus, to ensure persistence and evade detection.

MassMiner tactics include:

  • Copying itself to taskhost.exe and the Startup folder
  • Making unauthorized changes to ACLs to grant full access to certain files on the system
  • Disabling Windows Firewall
  • Downloading a config file that points the compromised host to the C&C server for further instructions

Proficio Threat Intelligence Recommendations:

  • Harden high-value assets such as servers by applying the latest stable updates so that known vulnerabilities are patched



Method: Roaming Mantis Malware

Kaspersky Labs has detailed Android malware mainly targeting Chinese and Korean users. The malware is designed to steal two-factor authentication codes for Google accounts sent via SMS/MMS.

Kaspersky Labs has detailed many of the malware’s interesting technical elements. For example, the command and control of the analyzed samples was found to look up strings in web pages hosted on legitimate sites such as and Kaspersky also believes the initial infection vector for the Android devices was compromised routers in Asia. The routers redirected Android devices to malicious sites via DNS hijacking. The malware does have a component that appears to target English-speaking users, but the HTML code within the malware is written in broken English. After additional analysis, most researchers have attributed this malware to cybercriminals focusing on Chinese and Korean targets.

Proficio Threat Intelligence Recommendations:

  • Do not allow users that have Android devices to bring “rooted” devices into corporate networks (rooted devices were targeted in this campaign)
  • The compromised routers in this campaign allowed the attackers to perform DNS hijacking. Security operations should monitor corporate routers for attacks and compromise
  • SOCs (security operations centers) often detect infected BYOD cellular devices on guest networks or corporate wireless networks. Corporate IT should decide on the action (or no action) to be taken when these detections occur
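The router recommendation above comes down to two checks a SOC can automate: are the routers still handing out the resolvers they are supposed to, and do the answers clients actually receive for sensitive domains land in the expected address space? The Python below is an added example for this digest, not Kaspersky’s or Proficio’s code. The router configs, DNS observations, approved resolvers and baseline ranges are constructed, and the `audit_router_dns` / `check_answers` names and record layouts are this example’s own assumptions.

```python
import ipaddress
from typing import Dict, List, Tuple

# Resolvers that corporate routers are allowed to hand out via DHCP (constructed values).
APPROVED_RESOLVERS = {"10.0.0.53", "10.0.1.53"}

# Expected address ranges for domains worth watching. Constructed baseline; in practice
# it comes from a trusted resolver or from the service owner's published ranges.
BASELINE: Dict[str, List[str]] = {
    "accounts.example-bank.com": ["203.0.113.0/24"],
    "login.example-mail.com": ["192.0.2.0/26"],
}


def audit_router_dns(routers: List[Dict]) -> List[Tuple[str, str]]:
    """Flag every DHCP-advertised resolver that is not on the approved list.

    A hijacked router often keeps one legitimate resolver and adds a rogue one,
    so each address is checked individually rather than the list as a whole.
    """
    findings: List[Tuple[str, str]] = []
    for r in routers:
        for resolver in r["dhcp_dns"]:
            if resolver not in APPROVED_RESOLVERS:
                findings.append((r["name"], resolver))
    return findings


def check_answers(observations: List[Tuple[str, str, str]]) -> List[Tuple[str, str, str]]:
    """Flag (client, domain, answer) observations whose answer is outside the baseline."""
    findings: List[Tuple[str, str, str]] = []
    for client, domain, answer in observations:
        nets = BASELINE.get(domain)
        if nets is None:
            continue                      # not a monitored domain
        addr = ipaddress.ip_address(answer)
        if not any(addr in ipaddress.ip_network(n) for n in nets):
            findings.append((client, domain, answer))
    return findings


# Constructed router configs and DNS observations (as exported from a DHCP/DNS log).
SAMPLE_ROUTERS = [
    {"name": "branch-rtr-01", "dhcp_dns": ["10.0.0.53", "10.0.1.53"]},
    {"name": "branch-rtr-02", "dhcp_dns": ["198.51.100.9", "10.0.0.53"]},
]
SAMPLE_OBSERVATIONS = [
    ("10.2.3.4", "accounts.example-bank.com", "203.0.113.17"),
    ("10.2.3.9", "accounts.example-bank.com", "198.51.100.200"),
    ("10.2.3.9", "cdn.example.net", "198.51.100.50"),
]


if __name__ == "__main__":
    print("rogue resolvers:", audit_router_dns(SAMPLE_ROUTERS))
    print("off-baseline answers:", check_answers(SAMPLE_OBSERVATIONS))
```

The second check deliberately ignores domains without a baseline entry, since CDN-hosted names legitimately resolve to many networks; the list of monitored domains is where the value of the check lies.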


Method: PyRoMine Malware

In early April, Fortinet’s FortiGuard Labs discovered a cryptocurrency mining malware, dubbed PyRoMine, that leverages EternalRomance, a remote code execution exploit. EternalRomance was initially discovered in the giant “treasure trove” of the NSA data leak published by the ShadowBrokers last year.

The malware comes as a standalone executable file that, when executed, runs as a background process, silently stealing CPU resources unbeknownst to its victims. The end goal of this malware is to mine Monero for profit.

PyRoMine sets up a hidden default account on the victim’s machine with system administrator privileges, using the password “P@ssw0rdf0rme”, and enables Remote Desktop Protocol, which could be used in the future for re-infection and/or further attacks.

The EternalRomance exploit targets SMBv1 on Windows XP/Vista/8.1/7/10 and Windows Server 2003/2008/2012/2016, taking advantage of a pair of vulnerabilities, CVE-2017-0144 and CVE-2017-0145. Microsoft patched these vulnerabilities very quickly after the tools were made public; however, individuals and enterprises alike have been slow to apply the patches and could still be affected by this malware.
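Both the MassMiner tactics listed earlier (copying itself to taskhost.exe and the Startup folder, ACL changes granting full access, disabling Windows Firewall) and PyRoMine’s post-exploitation steps (a new administrator account, RDP switched on) leave ordinary host telemetry behind, so one set of detection rules covers both. The Python below is an added example for this digest, not Fortinet’s, AlienVault’s or Proficio’s code. The event records are constructed and normalised into a made-up schema (the `Event` fields, the `detect` function and the rule names are this example’s assumptions, not Sysmon or Windows Security log field names); the Windows event ids 4720 (account created) and 4732 (member added to a local group), the `Terminal Server\fDenyTSConnections` registry value and the `netsh advfirewall` and `icacls` commands are real, and are what the rules look for.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class Event:
    """Normalised host event. Constructed schema for this example, not Sysmon's field names."""
    ts: int                                    # seconds since epoch
    kind: str                                  # process | file | registry | account
    data: Dict[str, str] = field(default_factory=dict)


FIREWALL_OFF_RE = re.compile(r"netsh\s+advfirewall\s+set\s+\w+\s+state\s+off", re.I)
ACL_FULL_RE = re.compile(r"\b(?:icacls|cacls)\b.*(?:/grant|/G)\b.*:F\b", re.I)
STARTUP_RE = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.I)
SYSTEM32_RE = re.compile(r"^[A-Z]:\\Windows\\System32\\", re.I)
ADMIN_WINDOW = 300   # seconds: account creation followed this quickly by an admin-group add


def detect(events: List[Event]) -> List[Tuple[int, str, str]]:
    """Return (ts, rule, detail) alerts for the tactics described in the text."""
    alerts: List[Tuple[int, str, str]] = []
    created: Dict[str, int] = {}       # account name -> creation timestamp (event 4720)
    for e in sorted(events, key=lambda x: x.ts):
        d = e.data
        if e.kind == "process":
            cmd = d.get("cmdline", "")
            if FIREWALL_OFF_RE.search(cmd):
                alerts.append((e.ts, "firewall_disabled", cmd))
            if ACL_FULL_RE.search(cmd):
                alerts.append((e.ts, "acl_grant_full", cmd))
        elif e.kind == "file":
            path = d.get("path", "")
            # taskhost.exe belongs in System32; a copy anywhere else is masquerading
            if path.lower().endswith("\\taskhost.exe") and not SYSTEM32_RE.match(path):
                alerts.append((e.ts, "taskhost_masquerade", path))
            if STARTUP_RE.search(path):
                alerts.append((e.ts, "startup_folder_drop", path))
        elif e.kind == "registry":
            if (d.get("value", "").lower() == "fdenytsconnections"
                    and d.get("data") == "0"
                    and "terminal server" in d.get("key", "").lower()):
                alerts.append((e.ts, "rdp_enabled", d["key"]))
        elif e.kind == "account":
            if d.get("event_id") == "4720":                  # user account created
                created[d["account"]] = e.ts
            elif d.get("event_id") == "4732" and d.get("group", "").lower() == "administrators":
                t0 = created.get(d["account"])               # member added to local group
                if t0 is not None and e.ts - t0 <= ADMIN_WINDOW:
                    alerts.append((e.ts, "new_local_admin", d["account"]))
    return alerts


# Constructed sample telemetry; paths, account names and timestamps are made up.
SAMPLE_EVENTS = [
    Event(1000, "process", {"cmdline": r'"C:\Windows\System32\cmd.exe" /c whoami'}),
    Event(1001, "file", {"path": r"C:\Windows\System32\taskhost.exe"}),   # legitimate location
    Event(1010, "file", {"path": r"C:\ProgramData\taskhost.exe"}),
    Event(1011, "file", {"path": r"C:\Users\svc\AppData\Roaming\Microsoft\Windows"
                                 r"\Start Menu\Programs\Startup\taskhost.exe"}),
    Event(1012, "process", {"cmdline": r"icacls C:\ProgramData\taskhost.exe /grant Everyone:F"}),
    Event(1013, "process", {"cmdline": "netsh advfirewall set allprofiles state off"}),
    Event(1020, "registry", {"key": r"HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server",
                             "value": "fDenyTSConnections", "data": "0"}),
    Event(1030, "account", {"event_id": "4720", "account": "backup_svc"}),
    Event(1070, "account", {"event_id": "4732", "account": "backup_svc", "group": "Administrators"}),
    Event(1080, "account", {"event_id": "4732", "account": "jdoe", "group": "Remote Desktop Users"}),
]


if __name__ == "__main__":
    for ts, rule, detail in detect(SAMPLE_EVENTS):
        print(ts, rule, detail)
```

The account rule pairs the two events within a short window because either one alone is routine administration; it is the creation immediately followed by the privilege grant that matches the PyRoMine behaviour described above.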

Proficio Threat Intelligence Recommendations:

  • Update Windows hosts to use SMBv2
  • Do not allow Remote Desktop Protocol to be reachable from the internet


Method: Linux Malware – GoScanSSH

Researchers at Cisco Talos, during an incident response engagement, identified a new malware family being used to compromise SSH servers exposed to the internet, called GoScanSSH. The malware is written in Go, a programming language created at Google in 2009. The infection method is SSH brute force attacks against public-facing SSH services. Once a host has been infected, it reaches out to domains over Tor2Web as part of command and control. According to Cisco Talos, the attack campaign has been ongoing for at least nine months. One unusual feature of the campaign is a built-in component that avoids compromising hosts under certain government domains (.mil, .gov, .army, etc.).


Proficio Threat Intelligence Recommendations:

  • Restrict public facing SSH access to only the parties who need direct access to it.
  • Use strong passwords for any type of SSH authentication open to the internet.
  • Apply tools such as Fail2Ban to mitigate the risk of brute force attacks.
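Since GoScanSSH gets in by brute force, the sshd authentication log is where the campaign shows up first. The Python below is an added example for this digest, not Cisco Talos’ or Fail2Ban’s code; it reimplements the core of what Fail2Ban’s `maxretry`/`findtime` pairing does (a sliding window of failures per source address) and adds the check a responder cares about most: an accepted login from a source that had just been hammering the server, which is the signature of a brute force that succeeded. The log lines are constructed in OpenSSH’s syslog format with made-up hostnames and addresses, and the `analyse` function, thresholds and return layout are this example’s assumptions.

```python
import re
from collections import defaultdict, deque
from typing import Deque, Dict, List, Tuple

# OpenSSH log lines in syslog format; constructed samples are below.
TS_RE = re.compile(r"^\w{3}\s+\d+ (\d\d):(\d\d):(\d\d)")
FAILED_RE = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\d+\.\d+\.\d+\.\d+) port \d+")
ACCEPTED_RE = re.compile(r"Accepted (?:password|publickey) for (\S+) from (\d+\.\d+\.\d+\.\d+) port \d+")

MAXRETRY = 5     # failures tolerated from one source ...
FINDTIME = 600   # ... within this window in seconds (Fail2Ban's maxretry/findtime idea)


def parse_ts(line: str) -> int:
    """Seconds since midnight; enough for a single day's log."""
    h, m, s = map(int, TS_RE.match(line).groups())
    return h * 3600 + m * 60 + s


def analyse(lines: List[str]) -> Dict:
    failures: Dict[str, Deque[int]] = defaultdict(deque)   # ip -> recent failure timestamps
    banned: Dict[str, int] = {}                             # ip -> time the threshold was crossed
    compromised: List[Tuple[str, str]] = []                 # (ip, user) success after a burst
    for line in lines:
        ts = parse_ts(line)
        m = FAILED_RE.search(line)
        if m:
            user, ip = m.groups()
            q = failures[ip]
            q.append(ts)
            while q and ts - q[0] > FINDTIME:   # slide the window forward
                q.popleft()
            if len(q) >= MAXRETRY and ip not in banned:
                banned[ip] = ts
            continue
        m = ACCEPTED_RE.search(line)
        if m:
            user, ip = m.groups()
            # A login that follows a burst of failures from the same source is the
            # signal that a brute force succeeded, unlike a typo-prone admin's one miss.
            if ip in banned or len(failures.get(ip, ())) >= 2:
                compromised.append((ip, user))
    return {"banned": banned, "compromised": compromised}


# Constructed log excerpt: one brute-force source that succeeds, one legitimate admin,
# and one slow scanner that never reaches MAXRETRY failures inside FINDTIME.
SAMPLE_LOG = [
    "May  3 02:00:01 bastion sshd[2011]: Failed password for invalid user admin from 198.51.100.7 port 50122 ssh2",
    "May  3 02:00:03 bastion sshd[2013]: Failed password for invalid user oracle from 198.51.100.7 port 50130 ssh2",
    "May  3 02:00:06 bastion sshd[2015]: Failed password for root from 198.51.100.7 port 50141 ssh2",
    "May  3 02:00:09 bastion sshd[2017]: Failed password for root from 198.51.100.7 port 50150 ssh2",
    "May  3 02:00:12 bastion sshd[2019]: Failed password for root from 198.51.100.7 port 50162 ssh2",
    "May  3 02:00:15 bastion sshd[2021]: Failed password for root from 198.51.100.7 port 50170 ssh2",
    "May  3 02:00:18 bastion sshd[2023]: Accepted password for root from 198.51.100.7 port 50181 ssh2",
    "May  3 02:00:30 bastion sshd[2030]: Failed password for invalid user test from 192.0.2.44 port 33001 ssh2",
    "May  3 02:03:30 bastion sshd[2041]: Failed password for invalid user test from 192.0.2.44 port 33002 ssh2",
    "May  3 02:04:40 bastion sshd[2102]: Failed password for alice from 10.0.0.5 port 41000 ssh2",
    "May  3 02:04:47 bastion sshd[2104]: Accepted publickey for alice from 10.0.0.5 port 41002 ssh2",
    "May  3 02:12:30 bastion sshd[2201]: Failed password for invalid user test from 192.0.2.44 port 33003 ssh2",
    "May  3 02:15:30 bastion sshd[2215]: Failed password for invalid user test from 192.0.2.44 port 33004 ssh2",
    "May  3 02:18:30 bastion sshd[2230]: Failed password for invalid user test from 192.0.2.44 port 33005 ssh2",
]


if __name__ == "__main__":
    print(analyse(SAMPLE_LOG))
```

The slow scanner in the sample is the reason the window matters: five failures in total, but never five inside ten minutes, so a pure counter would ban it while the windowed rule (correctly, for this policy) does not; tightening that is a matter of lowering `MAXRETRY` or lengthening `FINDTIME`, exactly the two knobs Fail2Ban exposes.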

Method: Android Malware – RottenSys

Researchers at Check Point have identified a new type of mobile adware, called RottenSys, that has infected nearly 5 million devices since 2016. The application disguises itself as a “System Wi-Fi Service” on the Android OS and was likely installed on the devices before they were purchased. The package can participate in advertising activities and can also spy on many applications on the phone. The distributor that initially appears responsible for delivering the phones is Tian Pai, a China-based entity.


Proficio Threat Intelligence Recommendations:

  • Be cautious about using phones from the Chinese distributors listed in the above article for business purposes.