GlitchPOS: New PoS Malware For Sale

upnorth

Moderator
Thread author
Verified
Staff Member
Malware Hunter
Well-known
Jul 27, 2015
Point-of-sale malware is popular among attackers because it usually lets them obtain credit card numbers and immediately use that information for financial gain. This type of malware is generally deployed on retailers' websites and at retail point-of-sale locations with the goal of capturing customers' payment information. Once attackers obtain credit card details, they can either sell that information and use the proceeds, or use the card data directly to obtain additional exploits and resources for other malware. Point-of-sale terminals are often forgotten about when it comes to network segregation and can represent a soft target for attackers.

Cisco Talos recently discovered a new PoS malware that the attackers are selling on a crimeware forum. Our researchers also discovered the payloads associated with the malware, its infrastructure and its control panel. We assess with high confidence that this is not the first malware developed by this actor: a few years ago, they were also pushing the DiamondFox L!NK botnet. Known as "GlitchPOS," this malware is also being distributed on alternative websites at a higher price than the original.
The malware is protected by a packer developed in Visual Basic. On the surface, it is a fake game: the user interface of the main form (which is not displayed at execution) contains various pictures of cats.

The packer's purpose is to decode a library that is the real payload, itself packed with UPX. Once decoded, we gain access to GlitchPOS, a memory grabber developed in Visual Basic.
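As an added triage example (not from the Talos write-up or the forum post), the script below parses the section table of a dumped PE image, flags the default section names UPX leaves behind, and compares the file's SHA256 against the two GlitchPOS sample hashes listed further down this post. The PE header it builds for the demo is constructed for the example and is not a real binary.

```python
import hashlib
import struct

# SHA256 hashes of the two GlitchPOS samples listed in the post.
KNOWN_GLITCHPOS_SHA256 = {
    "ed043ff67cc28e67ba36566c340090a19e5bf87c6092d418ff0fd3759fb661ab",
    "abfadb6686459f69a92ede367a2713fc2a1289ebe0c8596964682e4334cee553",
}
# Default section names written by the UPX packer.
UPX_SECTION_NAMES = {b"UPX0", b"UPX1", b"UPX2"}

def pe_section_names(data: bytes) -> list:
    """Return the PE section names, or [] if the buffer is not a PE image."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return []
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]          # e_lfanew
    if len(data) < pe_off + 24 or data[pe_off:pe_off + 4] != b"PE\0\0":
        return []
    num_sections = struct.unpack_from("<H", data, pe_off + 6)[0]
    opt_size = struct.unpack_from("<H", data, pe_off + 20)[0]
    table = pe_off + 24 + opt_size                             # first IMAGE_SECTION_HEADER
    names = []
    for i in range(num_sections):
        entry = data[table + 40 * i:table + 40 * i + 8]        # 8-byte Name field
        if len(entry) < 8:
            break
        names.append(entry.rstrip(b"\0"))
    return names

def triage(data: bytes) -> dict:
    """Hash the buffer, check it against the published samples, and flag UPX sections."""
    digest = hashlib.sha256(data).hexdigest()
    upx = [n.decode("ascii", "replace") for n in pe_section_names(data) if n in UPX_SECTION_NAMES]
    return {"sha256": digest, "known_glitchpos_sample": digest in KNOWN_GLITCHPOS_SHA256, "upx_sections": upx}

def build_fake_upx_pe() -> bytes:
    """Constructed minimal PE32 header with UPX section names (demo input, not a real file)."""
    pe_off = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", pe_off)
    opt = b"\0" * 0xE0                                         # size of a PE32 optional header
    coff = struct.pack("<HHIIIHH", 0x14C, 3, 0, 0, 0, len(opt), 0x102)
    sections = b"".join(n.ljust(8, b"\0") + b"\0" * 32 for n in (b"UPX0", b"UPX1", b".rsrc"))
    return dos + b"PE\0\0" + coff + opt + sections

if __name__ == "__main__":
    print(triage(build_fake_upx_pe()))
```

The section-name check only works on the decoded library (the outer Visual Basic packer shows no UPX sections), and a packer that renames its sections will not be caught by it, so treat a hit as a reason to look closer rather than as a verdict.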

The payload is small and contains only a few functions. It can connect to a command and control (C2) server to:
  • Register the infected systems
  • Receive tasks (command execution in memory or on disk)
  • Exfiltrate credit card numbers from the memory of the infected system
  • Update the exclusion list of scanned processes
  • Update the "encryption" key
  • Update the User Agent
  • Clean itself
GlitchPOS samples:

ed043ff67cc28e67ba36566c340090a19e5bf87c6092d418ff0fd3759fb661ab (SHA256)
abfadb6686459f69a92ede367a2713fc2a1289ebe0c8596964682e4334cee553 (SHA256)