The source code for the TreasureHunter point-of-sale (PoS) malware has been leaked online and may result in a fresh wave of attacks against retailers.
The code, discovered and confirmed by Flashpoint researchers, has been released to the public through a Russian-speaking online forum.
The same threat actor has also leaked the malware's GUI builder and administrator panel, which, when compiled, offer those without specialized knowledge the opportunity to wreak havoc on target PoS systems.
PoS malware[1], often small in size, is designed to target systems used in sales, including retail terminals. Once a system is infected, the malicious code typically harvests data -- such as credit card numbers -- covertly and sends it to a command-and-control (C&C) server under the attacker's control.
The stolen card data may then be used to create cloned cards, and customer records taken from PoS terminals may also be sold on for the purposes of identity theft.
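The detection side of the behaviour described above: PoS scrapers are looking for card numbers in process memory before shipping them to a C&C server, so defenders hunt for the same thing in memory dumps and outbound payloads from PoS hosts. The following is an added example, not code from the article or from Flashpoint, that scans a buffer for 13- to 19-digit runs and keeps only those that pass the Luhn check, which cuts down on false positives from order numbers and serials. The sample buffer is constructed and uses only well-known test card numbers.

```python
import re

# Constructed sample standing in for a process-memory dump or a captured
# outbound payload from a PoS host. The PANs are public test numbers, not real cards.
SAMPLE_BUFFER = (
    b"ORDER=1042;PAN=4111111111111111;EXP=2612\n"   # valid Luhn
    b"ORDER=1043;PAN=4111111111111112;EXP=2701\n"   # fails Luhn (last digit altered)
    b"SERIAL=123456789012;PAN=5555555555554444\n"   # serial too short, PAN valid
    b"NOTE=no card data here\n"
)

# A PAN is 13-19 digits that is not part of a longer digit run.
PAN_RE = re.compile(rb"(?<!\d)\d{13,19}(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string satisfies the Luhn (mod 10) checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(pan: str) -> str:
    """Keep the first six and last four digits so a report never stores a full PAN."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_pan_candidates(buf: bytes) -> list:
    """Return (offset, masked_pan) for every Luhn-valid PAN-like run in buf."""
    hits = []
    for m in PAN_RE.finditer(buf):
        candidate = m.group().decode("ascii")
        if luhn_valid(candidate):
            hits.append((m.start(), mask(candidate)))
    return hits


def scan_report(buf: bytes, threshold: int = 1) -> dict:
    """Summarise a scan; 'alert' is set when at least `threshold` distinct PANs are seen.

    The threshold is an assumed tuning knob: a single PAN in a payment process is
    expected, many distinct PANs in a non-payment process or an outbound payload is not.
    """
    hits = find_pan_candidates(buf)
    distinct = {masked for _, masked in hits}
    return {"hits": hits, "distinct": len(distinct), "alert": len(distinct) >= threshold}


if __name__ == "__main__":
    report = scan_report(SAMPLE_BUFFER, threshold=2)
    for offset, masked in report["hits"]:
        print(f"offset {offset}: {masked}")
    print("alert" if report["alert"] else "clean")
```

Run against the constructed buffer it reports two masked PANs and raises an alert; the Luhn-invalid number and the twelve-digit serial are ignored. In practice the same scan would be pointed at memory dumps of processes that have no business handling card data, or at captures of outbound traffic from the PoS segment.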
In the cases of Target[2] and Home Depot[3], for example, millions of customer records were stolen, costing both companies millions of dollars in damages alone.
On Thursday, Flashpoint said in a blog post[4] that TreasureHunter is no different.
The malware family has been on the radar since 2014. The original developer appears to be a Russian speaker with proficiency in the English language who developed TreasureHunter for the underground dump seller BearsInc.
According to a FireEye investigation[5], the malware is the work of a threat actor dubbed Jolly Roger.
TreasureHunter is a typical PoS malware variant. The malware targets Windows-based servers and PoS terminals, and