TreasureHunter

TreasureHunter is an oldie, but even though it is old, that does not mean that we should forget about it. The infection itself makes sure that we cannot forget about it. It has been active since at least 2014, and in 2018, its source code was leaked, which opened opportunity for malware creators everywhere to exploit the code and create new variants. Unfortunately, this malware is extremely vicious, as it was primarily built to steal credit card numbers and, according to our research team, passwords too. The good news is that this kind of malware is not impossible to get rid of. In fact, a few simple steps might be enough to remove TreasureHunter successfully. That being said, not every victim might be capable of deleting the threat manually, and that is okay. To learn more about the infection and ways to get rid of it, please continue reading, and do not forget to post a comment below if you wish to continue the discussion.

The malicious TreasureHunter is known as POS malware. Let’s decode that. POS stands for point-of-sale, and that refers to the time and place a retain transaction is made. POS malware is malicious point-of-sale software that cyber criminals employ to target weak systems. If malware is executed successfully, the information that comes from payment cards is recorded and stolen. To drop TreasureHunter, attackers are likely to use vulnerable remote desktop protocol (RDP) servers by brute-forcing them. After execution, the infection is added to the system’s Startup to ensure successful start. That means that if the victim of the threat restarts the infected computer, the threat will revive anew. You can find the startup entry in Windows Registry at HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run. The name of the value should be “jucheck,” and you should have no reservations about deleting it. This value is linked to a malicious file that the Trojan operates from. You should find this file in a folder with a random name in the %APPDATA% directory. The manual removal guide below shows how to delete both of these components.

If you do not delete TreasureHunter right away, it starts enumerating running processes. It is set to automatically ignore processes that contain “System33,” “SysWOW64,” and “\Windows\explorer.exe” strings in their names. The infection then scans the system’s memory to check for information revealing payment card data. Once payment card numbers are recorded, they are sent to a remote C&C server, and we cannot really say which server the data would be sent to because even the original TreasureHunter had tons of different servers in use, and new variants would, of course, use new ones. Without a doubt, if cyber criminals obtain sensitive payment card data, they could potentially perform identity theft. If the infection ran as expected, it should store encoded configuration data in the %USERPROFILE%\ntuser.ini file, and it should only affect systems running Windows XP. Needless to say, fewer and fewer Windows users are using this version, and that makes the circle of attackers’ victims smaller too. That being said, we cannot predict that the same kind of technology could not cross over to other operating systems, which is why, besides discussing the removal of malware, it is also important to talk about security.

POS malware is very serious because it can affect the credibility of a service. Hopefully, your point of sale has not been hit by this malware, but if it has, you need to take appropriate security measures. First and foremost, it is necessary to delete TreasureHunter, which you can do using the guide below or using anti-malware software. While we cannot predict whether or not all victims will successfully remove the threat manually, we are sure that the right anti-malware software will successfully clean the operating system. You can feed two birds with one scone using this software because while in your situation it might be most useful for automatically erasing threats, it also can produce full-time protection, without which your system will remain vulnerable to dangerous malware. Hopefully, we have answered your questions about TreasureHunter and ways to handle it, but if you want to keep discussing this threat, the comments section is open, and we are ready to help you out.

TreasureHunter Removal

1. Tap Win+R keys to launch RUN and enter regedit into the dialog area to launch Registry Editor.
2. Navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run.
3. Right-click the value named jucheck and choose Modify to find the location of the malicious .exe file.
4. Click OK, then right-click the same value, and choose Delete.
5. Exit Registry Editor and then tap Win+E keys to launch Windows Explorer.
6. Enter %APPDATA% into the field at the top to access the directory.
7. Identify the folder created by the Trojan (should contain jucheck.exe file), right-click it, and choose Delete.
8. Enter %USERPROFILE% into the field at the top to access the directory.
9. Right-click the file named ntuser.ini and click Delete.
10. Exit Windows Explorer and then Empty Recycle Bin.
11. Install a reputable malware scanner and then perform a full system scan to make sure your PC is clean.