[BreachExchange] GlitchPOS – Hackers Selling a New POS Malware On Dark Web Forums

Destry Winant destry at riskbasedsecurity.com
Tue Mar 19 03:06:03 EDT 2019


Threat actors are selling a new POS malware dubbed GlitchPOS, aimed at
exfiltrating credit card numbers from point-of-sale devices and
retailers’ websites. Most POS devices run Windows or Unix; GlitchPOS
targets the Windows variants.

Security researchers from Talos discovered the new PoS malware being
sold on dark web forums, along with its associated payloads,
infrastructure and control panel.

The packer, developed in Visual Basic and disguised as a fake game,
adds a layer of protection to the malware: it decodes to a library
that is itself packed with UPX (Ultimate Packer for eXecutables). Once
the UPX layer is unpacked, the final payload is “GlitchPOS”, a memory
grabber also developed in Visual Basic.

The payload’s functions are:

- Register the infected systems
- Receive tasks (command execution in memory or on disk)
- Exfiltrate credit card numbers from the memory of the infected system
- Update the exclusion list of scanned processes
- Update the “encryption” key
- Update the User Agent
- Clean itself

Once deployed on the system, the malware connects to the C2 server to
receive commands from the attackers in the form of shellcode; the
communication is XOR-encrypted. The intended purpose of the malware is
to steal credit card numbers from the memory of the infected system.
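As an added example (not code from the article or from Talos), the following Python shows how an analyst reviewing a captured C2 stream could check whether a single-byte XOR-obfuscated payload is carrying card numbers: brute-force all 256 keys and keep only decodings that contain Luhn-valid primary account numbers. The record format, the key `0x5a` and the sample values are constructed for this example and are not GlitchPOS’s real protocol; the card numbers are the standard payment-gateway test numbers plus one deliberately invalid one.

```python
import re

# Constructed sample data for this example (not GlitchPOS's real protocol):
# a fake exfiltration record as a memory grabber might report it, containing the
# standard payment-gateway test card numbers plus one deliberately Luhn-invalid number.
SAMPLE_PLAINTEXT = (
    b"ID=WS-POS-01|UA=Mozilla/4.0|"
    b"4111111111111111|5555555555554444|378282246310005|4111111111111112|END"
)
SAMPLE_KEY = b"\x5a"  # assumed single-byte XOR key, chosen for the example


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Apply a repeating-key XOR; the same call encodes and decodes."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


# What the analyst would actually see on the wire: the record XORed with the key.
SAMPLE_CAPTURE = xor_bytes(SAMPLE_PLAINTEXT, SAMPLE_KEY)

# Candidate PAN: 13 to 19 ASCII digits not adjacent to other digits.
PAN_RE = re.compile(rb"(?<!\d)\d{13,19}(?!\d)")


def luhn_ok(digits: bytes) -> bool:
    """Return True if the ASCII digit string passes the Luhn check (ISO/IEC 7812)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = ch - 0x30
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(buf: bytes) -> list[str]:
    """Return Luhn-valid card-number candidates found in a decoded buffer."""
    return [m.group(0).decode() for m in PAN_RE.finditer(buf) if luhn_ok(m.group(0))]


def scan_xor_capture(capture: bytes) -> dict[int, list[str]]:
    """Try every single-byte XOR key against a captured payload and report the keys
    whose decoding exposes Luhn-valid PANs. There are only 256 keys, so brute force
    is cheap; the Luhn filter removes most accidental digit runs from wrong keys."""
    hits: dict[int, list[str]] = {}
    for k in range(256):
        pans = find_pans(xor_bytes(capture, bytes([k])))
        if pans:
            hits[k] = pans
    return hits


if __name__ == "__main__":
    for key, pans in scan_xor_capture(SAMPLE_CAPTURE).items():
        print(f"key 0x{key:02x}: {len(pans)} Luhn-valid PAN(s) -> {pans}")
```

Running it reports key `0x5a` with the three valid test numbers; the Luhn-invalid `4111111111111112` is dropped. A wrong key can still produce an occasional Luhn-valid digit run by chance, so treat a hit as a lead to confirm against the rest of the decoded record rather than as proof on its own, and in a real triage tool mask all but the last four digits before anything is logged.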

Threat actors posted additional screenshots to boost the sale of the
malware, including a client list and card data. The built malware is
sold for $80, the builder for $600 and a gate address change for

Researchers believe there is a similarity between GlitchPOS and the
DiamondFox L!NK botnet; they also spotted the same malware offered on
an alternative forum 25 days later at higher prices.

“The sale opened a few weeks ago, so we don’t know yet how many people
bought it or use it. We also see that bad guys steal the work of each
other and try to sell malware developed by other developers at a
higher price.”
