Close
Josh Lefkowitz
Chief Executive Officer
Josh Lefkowitz executes the company’s strategic vision to empower organizations with Business Risk Intelligence (BRI). He has worked extensively with authorities to track and analyze terrorist groups. Mr. Lefkowitz also served as a consultant to the FBI’s senior management team and worked for a top tier, global investment bank. Mr. Lefkowitz holds an MBA from Harvard University and a BA from Williams College.
Evan Kohlmann
Chief Innovation Officer
Evan Kohlmann focuses on product innovation at Flashpoint where he leverages fifteen years’ experience tracking Al-Qaida, ISIS, and other terrorist groups. He has consulted for the US Department of Defense, the US Department of Justice, the Australian Federal Police, and Scotland Yard’s Counter Terrorism Command, among others. Mr. Kohlmann holds a JD from the Univ. of Pennsylvania Law School and a BSFS in International Politics from the Walsh School of Foreign Service at Georgetown Univ.
Josh Devon
Chief Operating Officer / Chief Product Officer
Josh Devon focuses on product vision and strategy at Flashpoint while ensuring the company’s departments function synergistically during its rapid growth. He also works to ensure that customers receive best in class products, services, and support. Previously, Mr. Devon co-founded the SITE Intelligence Group where he served as Assistant Director. He holds an MA from SAIS at Johns Hopkins Univ. At the Univ. of Pennsylvania, he received a BS in Economics from the Wharton School and a BA in English from the College of Arts and Sciences.
Chris Camacho
Chief Strategy Officer
Chris Camacho leads the company’s sales and client engagement & development teams, which also includes customer success, solution architecture, business development, strategic integrations, and the FPCollab sharing community. With over 15 years of cybersecurity leadership experience, he has spearheaded initiatives across Operational Strategy, Incident Response, Threat Management, and Security Operations to ensure cyber risk postures align with business goals. Most recently as a Senior Vice President of Information Security at Bank of America, Mr. Camacho was responsible for overseeing the Threat Management Program. An entrepreneur, Mr. Camacho also serves as CEO for NinjaJobs: a career-matching community for elite cybersecurity talent. He has a BS in Decision Sciences & Management of Information Systems from George Mason University.
Lisa Iadanza
Chief People Officer
Lisa M. Iadanza leads all functional areas of People Operations at Flashpoint, including human resources, talent acquisition & management, employee engagement, and developing high performance teams. In addition to collaborating with the executive team to drive strategic growth, she plays an integral role in fostering Flashpoint’s culture and mission. Driven by her passions for mentorship, employee advocacy, and talent development, Ms. Iadanza has more than twenty years of experience in building, scaling, and leading human resources functions. Prior to Flashpoint, she held leadership roles at Conde Nast, Terra Technology, and FreeWheel. She is a member of the Society for Human Resources Management (SHRM) and holds a bachelor’s degree in management with concentrations in human resources and marketing from State University of New York at Binghamton.
Donald Saelinger
President
Donald Saelinger is responsible for driving strategic and operational initiatives to accelerate Flashpoint’s growth and scale. In this role, Donald leads a broad portfolio including Marketing, Customer Success, Revenue Operations, Legal and related functions, and is focused on helping the company execute on a go-to-market approach that maximizes value to our customers. Prior to Flashpoint, Donald served as Chief Operating Officer and General Counsel of Endgame, Inc., an endpoint detection and response company acquired by Elastic N.V. in 2019, and where he led a range of teams focused on growth, scale, and legal and compliance matters. Donald also previously served as the General Counsel and Chief Compliance Officer at Opower, Inc. (NYSE: OPWR), a global provider of SaaS solutions to electric and gas utilities that was acquired by Oracle, Inc. in 2016. Donald graduated from Columbia University in 2000 and received his JD from the Georgetown University Law Center in 2006.
Rob Reznick
SVP of Finance and Corporate Development
Rob Reznick leads the finance, accounting, and corporate development teams at Flashpoint. Rob previously served as Director of Finance & Accounting for 1010data (acquired by Advance/Newhouse), and Director of Finance for Financial Guard (acquired by Legg Mason) after prior work in forensic accounting and dispute consulting. Mr. Reznick is a Certified Public Accountant and holds an MBA and MAcc from the Fisher College of Business at the Ohio State University, and a BBA from the Ross School of Business at the University of Michigan.
Tom Hofmann
SVP Intelligence
Tom Hofmann leads the intelligence directorate that is responsible for the collection, analysis, production, and dissemination of Deep and Dark Web data. He works closely with clients to prioritize their intelligence requirements and ensures internal Flashpoint operations are aligned to those needs. Mr. Hofmann has been at the forefront of cyber intelligence operations in the commercial, government, and military sectors, and is renowned for his ability to drive effective intelligence operations to support offensive and defensive network operations.
Jake Wells
SVP Solutions Architecture
Jake Wells leads strategic integrations and information sharing as part of the client engagement & development team, which serves as an internal advocate for our government and commercial clients to ensure Flashpoint’s intelligence solutions meet their evolving needs. He leverages a decade of experience running cyber and counterterrorism investigations, most recently with the NYPD Intelligence Bureau, to maximize the value customers generate from our products and services. Mr. Wells holds an MA from Columbia University and a BA from Emory University.
Brian Brown
SVP Business Development
Brian Brown is responsible for the overall direction of strategic sales and development supporting Flashpoint’s largest clients. In his role, Mr. Brown focuses on designing and executing growth-oriented sales penetration strategies across multiple vertical markets, including both Government and Commercial, supporting Flashpoint’s Sales and Business Development Teams. An experienced entrepreneur, Mr. Brown also serves as CSO for NinjaJobs, a private community created to match elite cybersecurity talent with top tier global jobs and also advise growth-stage cybersecurity companies.
Justin Rogers
VP Marketing and Revenue Operations
Justin Rogers leads the Marketing and Revenue Operations teams at Flashpoint, aligning marketing, sales, partnerships, and customer success across vision, planning, process, and goals. He leverages over 15 years of experience in security, strategy, product design, and implementation to drive growth, provide an end-to-end view of the customer journey, and a seamless customer experience. Recently, Justin led Marketing for Centripetal, bringing the first Threat Intelligence Gateway to market. Previously, he managed operations of a Counter IED lab electronics forensics division while forward deployed in support of Operation Iraqi Freedom and Operation Enduring Freedom in Afghanistan. Justin holds a BS in Electrical Engineering from the University of New Hampshire.
Peter Partyka
VP Engineering
Peter Partyka leads Flashpoint’s engineering teams. Peter previously worked in the quantitative hedge fund space in New York City, implementing security and administrative solutions around proprietary trading platforms, high-availability cloud deployments, and hardening of applications and infrastructure. Peter leverages more than 16 years of experience in technology specializing in application security, red-teaming, penetration testing, exploit development, as well as blue-teaming. Peter has a long track record of managing tech teams and implementing engineering security best practices. Recently Peter led Flashpoint toward GDPR and CCPA compliance and has been a key architect of Flashpoint’s robust compliance programs. Peter has taught advanced cybersecurity courses at New York University and consulted at various tech startups during his career.
Matthew Howell
VP of Product
Matthew Howell leads the Product Management and Product Marketing teams for Flashpoint. He is responsible for developing a strong team that drives product adoption and user engagement through outcome based prioritization, continuous process improvement, and metrics driven development. Matthew brings a passion for diverse ideas, experience launching B2B SaaS products, building integration ecosystems, supporting five 9s SLAs, and leading distributed teams. He holds a bachelor’s degree in computer science from the University of Virginia
Glenn Lemons
Executive Director, Strategic Accounts Engagement
Glenn Lemons is Executive Director, Strategic Accounts Engagement at Flashpoint. He previously served as the acting Director of Citigroup's Cyber Intelligence Center where he was responsible for analyzing and reacting to intelligence from a variety of threats. These threats ranged from fraudulent activity and attempting to defraud Citi's clients to supporting security operations for the firm's worldwide network presence. He has extensive experience working with multiple clients across the financial services, manufacturing, healthcare, and public sectors. Glenn also has more than 26 years of intelligence experience within the operational and support communities in the U.S. military and federal civilian service; seven of which focused on both defensive and offensive cyber operations. While working for the U.S. Department of Homeland Security, he testified numerous times before U.S. Congressional committees and member requested open and closed sessions.
Close
Steve Leightell
Steve started his career in Internet sales in the early 1990s and was always a top sales rep before transitioning to business development. By the early 2000s, he was the Director of Business Development at DWL, where he managed a team that built partnerships with Accenture, Oracle, Tata Consulting, Wipro, Cognizant and IBM. Steve designed the channel and strategy that ultimately culminated in the acquisition of DWL by IBM in 2005. He went on to lead a global team within IBM that was responsible for major system integrator partnerships. In 2008, he left IBM to found a niche consulting firm focused on business development for SaaS organizations. Steve holds a BA in anthropology and sociology from Carleton University in Ottawa.
Ellie Wheeler
Ellie Wheeler is a Partner at Greycroft and is based in the firm’s New York office. Prior to joining Greycroft, Ellie worked in a similar role evaluating investment opportunities at Lowercase Capital. Ellie also worked at Cisco in Corporate Development doing acquisitions, investments, and strategy within the unified communications, enterprise software, mobile, and video sectors. While at Cisco, she was involved in multiple acquisitions and investments, including PostPath, Jabber, Xobni, and Tandberg. She began her career in growth capital private equity at Summit Partners in Boston. Ellie graduated magna cum laude from Georgetown University with a BA in Psychology and holds an MBA from Harvard Business School.
Glenn McGonnigle
Glenn McGonnigle is a General Partner at TechOperators. Prior to launching TechOperators in 2008, Glenn was CEO of VistaScape Security Systems, a venture-backed provider of enterprise intelligent video surveillance software. He lead the company through its successful sale to Siemens Building Technologies. Previously, Glenn was a co-founder and senior executive of Atlanta-based Internet Security Systems (ISS) where he helped raise initial venture capital and launch the business. For 7 years, he led the business development team in developing sales channels and entering the managed security services market. During his tenure, the company grew from startup to revenues of over $225 million and was later acquired by IBM for $1.3 billion.
Brendan Hannigan
Brendan joined Polaris Partners in 2016 as an entrepreneur partner. In this role, he focuses on funding and founding companies in the technology sector with a concentration in cloud, analytics, and cybersecurity. Brendan is a co-founder of Sonrai Security and chairman of Twistlock, both Polaris investments. He also currently serves on the board of Bitsight Technologies and Flashpoint. A 25 year technology industry veteran, Brendan was most recently the general manager of IBM Security. Under Brendan’s leadership, IBM Security grew significantly faster than the overall security market to become the number one enterprise security provider in the world with almost $2B of annual revenue.
Matt Devost
Currently, Devost serves as CEO & Co-Founder of OODA LLC as well as a review board member for Black Hat. In 2010, he co-founded the cybersecurity consultancy FusionX LLC which was acquired by Accenture in August 2015, where he went on to lead Accenture's Global Cyber Defense practice. Devost also founded the Terrorism Research Center in 1996 where he served as President and CEO until November 2008 and held founding or leadership roles at iDefense, iSIGHT Partners, Total Intel, SDI, Tulco Holdings, and Technical Defense.
image/svg+xml image/svg+xml
Flashpoint Acquires CRFT to Bring No-Code Automation to Threat Intelligence

TreasureHunter Point-of-Sale Malware and Builder Source Code Leaked

Blog
May 10, 2018

The source code for a longstanding point-of-sale (PoS) malware family called TreasureHunter has been leaked on a top-tier Russian-speaking forum. Compounding the issue is the coinciding leak by the same actor of the source code for the malware’s graphical user interface builder and administrator panel.

The availability of both code bases lowers the barrier for entry for cybercriminals wishing to capitalize on the leaks to build their own variants of the PoS malware.

Point-of-sale malware has been at the root of many breaches, including massive thefts at retailers Target in 2013 and Home Depot in 2014; in each case attackers were able to extract more than 100 million payment card and customer records from point-of-sale terminals by scraping card data before it was encrypted and sent to the payment processor.

Industry Collaboration on Detection and Prevention

TreasureHunter has been known and investigated since 2014, but until now investigators have had to reverse-engineer its code in order to analyze it. Now with the full code available, analysts have previously unseen insight into the malware’s operation. Flashpoint analysts, who discovered the source code leak in March, proactively collaborated with researchers at Cisco Talos, who reviewed and improved protections, and advanced-detection mechanisms, in an effort to disrupt potential copycats who may have their hands on the source code.

In the meantime, Russian-speaking cybercriminals have been observed on the vetted underground discussing improvements and weaponization of the leaked TreasureHunter source code. Notably, the original developer appears to be a Russian speaker who is proficient in English. Originally, this malware appears to have been developed for the notorious underground shop dump seller “BearsInc,” who maintained presence on various low-tier and mid-tier hacking and carding communities (below is a graphical representation of such an operation on the Deep & Dark Web). It’s unknown why the source code was leaked at this time.

A graphical representation of a typical cybercrime dump shop ecosystem.
Image 1: A graphical representation of a typical cybercrime dump shop ecosystem.

One Leak Can Spawn Many Variants

TreasureHunter behaves like many other point-of-sale malware samples. Once an attacker has access to a Windows-based server and the point-of-sale terminal, the malware is installed and it establishes persistence by creating a registry key that runs the malware at startup. It then enumerates running processes, and scans device memory looking for track data, including primary account numbers (PANs), separators, service codes, and more. It then establishes a connection with the attacker’s command and control server and sends the stolen data to the criminal.

The leak of the builder adds another dimension to the availability of the TreasureHunter payload and configurations. In the past, malware source code leaks such as the Zeus banking Trojan have spawned numerous variants, including Citadel, which cost organizations hundreds of millions in losses. PoS malware leaks have had similar effects, most notably with the 2015 leak of the Alina malware which led to the creation of the ProPoS and Katrina variants. The actor behind the TreasureHunter leak said:

“Besides alina, vskimmer and other sniffers, Treasure Hunter still sniffs ( not at a very high rate, but it still does ) and besides that , since now you have the source code, it can be update anytime for your own needs.”

For researchers, the availability of the source code opens the door into new avenues of analysis and proactive visibility into such activity on the underground. This affords organizations such as Flashpoint the ability to collaborate with others in the industry such as Cisco Talos in this case to improve existing protections and force attackers back to the drawing board.

Source-Code Level Insight

The code project appears to be called internally trhutt34C, and was written in pure C with no C++ features. It was compiled originally in Visual Studio 2013 on Windows XP. Based on analysis, researchers believe the developer intended to improve and redesign various features including anti-debugging, code structure improvement, and gate communication logic. With the goal of additional features to be improved, the developer hoped frustrate malware analysis and subsequent research; the actor left behind a note that said: “We want the malware researchers screamin’!”

A snapshot of the TreasureHunter source code.
Image 2: A snapshot of the TreasureHunter source code.

The unfinished project included continued improvement code snippets, below:

  • TO DO for the next version of the client (0.2 Beta):
    • Replace all Unicode versions of functions with ANSI versions. Now why did I ever go for wide-char in the first place?..
  • Improve the code structure:
    • Replace all the if – else constructs that are rendered needless by return commands;
    • Organize the includes;
    • Give the code proper commenting so that I am able to modify and improve it after not having seen it for some time (if such a thing happens).
    • Make scan exceptions and service codes configurable.
    • Add the following commands to the gate communication logic:
    • Download and execute for updating;
    • Remote CMD command execution;
    • Remote self-removal for emergency cases.
    • Add anti-debugging:
      • Use self-debugging by creating a child process (may be improved later by reversing the tables);
      • Improve the MD5 function and use it to find debuggers by signatures (maybe to be added in future versions);
      • Use GetTickCount to detect parts of code being stepped through (maybe to be added in a “heuristical” joint algorithm with the abovementioned);
      • Upon finding a debugger, destroy the critical section and/or start creating new threads infinitely until the application crashes.
      • Maybe also kill processes and delete debuggers and/or decompilers permanently. We want the malware researchers screamin’!
  • Add better persistency and timeouts to gate communication.
  • Add local saving of data if the gate can’t be reached for a certain period of time.
  • Add the option to run the program as a service on Windows XP.
  • Improve the code structure and add comments to avoid future confusion.
  • Add error handling and backup restart in case of crash or heap overflow (malloc fail).
  • Improve the Clingfish system (so that a clingfish thread doesn’t do the same thing as the main thread right after being spawned).
  • Debug the system information extraction mechanism further (on different OS versions).
  • Improve the track-finding algorithm to make it faster.

 

The stolen dump structure is as follows. The structure contains the following key elements used to collect and operate with stolen dumps, such as unique machine information and where scraped data is from:

typedef struct dumpsHolder {
            TCHAR *lpFileName;
            int lpFileNameLength;
            int procID;
            char *trackArr;
            int trackArrLength;
} dumpsHolder;

The credit card process scan works in exception mode:

char *scanExceptions[SCANEXCEPTIONSNUM] = {“System32”, “SysWOW64”, “\\Windows\\explorer.exe”};

The malware focuses on scraping credit card track data, focusing on the following service codes:

char *serviceCodes[SERVICECODESNUM] = {“101”, “201”, “121”, “231”, “221”, “110”};

Registry persistence for autostart in HKLM\Microsoft\Windows\CurrentVersion\Run runs as “jucheck.”

A registry key created by the malware for persistence
Image 3: A registry key created by the malware for persistence.

The source code is consistent with the various samples that have been seen in the wild over the last few years. TreasureHunter\config.h shows definite signs of modification over the lifespan of the malware. Early samples filled all of the configurable fields with FIELDNAME_PLACEHOLDER to be overwritten by the builder. More recent samples, and the source code, instead writes useful config values directly into the fields. This makes the samples slightly smaller and uses fresh compiles to create reconfigured files.

Coverage and Detection with Cisco Talos

Coverage provided by Cisco Talos already exists in Cisco FirePower and AMP solutions. It is being provided here:

Cisco Threat Mitigation & Advanced Coverage:
 
Snort Ruleset Identifier (available via Snort[.]org):

Snort Identifier: 29884,38573, 38574
 
ClamAV Signatures (available via ClamAV[.]net)

signatures: Win.Trojan.TreasureHunter
avatar

Vitali Kremez

Director of Research

Vitali Kremez is a Director of Research at Flashpoint. He oversees analyst collection efforts and leads a technical team that specializes in researching and investigating complex cyber attacks, network intrusions, data breaches, and hacking incidents. Vitali is a strong believer in responsible disclosure and has helped enterprises and government agencies deliver indictments of many high-profile investigations involving data breaches, network intrusions, ransomware, computer hacking, intellectual property theft, credit card fraud, money laundering, and identity theft. Previously, Vitali enjoyed a rewarding career as a Cybercrime Investigative Analyst for the New York County District Attorney’s Office.
He has earned the majority of certifications available in the information technology, information security, digital forensics, and fraud intelligence fields. A renowned expert, speaker, blogger, and columnist, Vitali has contributed articles to Dark Reading, BusinessReview, and Infosecurity Magazine and is a frequent commentator on cybercrime, hacking incidents, policy, and security.

Flashpoint Intelligence Brief

Subscribe to our newsletter to stay up-to-date on our latest research, news, and events