
New GlitchPOS malware skims credit card numbers from the memory of the infected POS systems

  • The POS malware is being sold by cybercriminals on a crimeware forum.
  • Phishing email that includes a fake game featuring a cute cat is leveraged to distribute the malware.

A new malware strain has been found targeting firms in the retail and hospitality sectors. Dubbed ‘GlitchPOS’, the POS malware is being sold by cybercriminals on a crimeware forum.

How was it discovered - In a blog post, Cisco Talos researchers described how the cybercriminals released a video with a set of instructions on how to use the malware. To distribute it, they rely on phishing emails that carry a fake game featuring a cute cat; users who open the lure unknowingly download the malware.

“A packer developed in VisualBasic protects this malware. It's, on the surface, a fake game. The user interface of the main form (which is not displayed at the execution) contains various pictures of cats. The purpose of the packer is to decode a library that's the real payload encoded with the UPX packer. Once decoded, we gain access to GlitchPOS, a memory grabber developed in VisualBasic,” wrote Cisco Talos researchers.

What are its capabilities - Once installed, GlitchPOS connects to a command and control (C2) server to:

  • Register the infected systems;
  • Receive tasks;
  • Exfiltrate credit card numbers from the memory of the infected system;
  • Update the exclusion list of scanned processes;
  • Update the encryption key;
  • Update the user agent;
  • Clean itself.

The commands that are received from the C2 server are executed via a shellcode.
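Because GlitchPOS reads card data out of the memory of other processes, one practical detection on a POS terminal is to watch for any non-approved process opening the POS application with memory-read rights. The script below is an added example, not code from the original article or from Cisco Talos; it parses constructed Sysmon Event ID 10 (ProcessAccess) records and flags sources that are granted PROCESS_VM_READ (0x0010) on the POS process without being on an allowlist. The POS process name `pos_app.exe`, the allowlisted reader paths, the `catgame.exe` lure name and the flattened `key=value|...` log format are all assumptions made for the example.

```python
from dataclasses import dataclass
from typing import List, Optional

# PROCESS_VM_READ access right: a memory grabber needs at least this on the POS process.
PROCESS_VM_READ = 0x0010

# Hypothetical POS application and the processes allowed to read its memory.
# Assumption: a real deployment takes these from the POS vendor and the EDR configuration.
POS_PROCESSES = {"pos_app.exe"}
ALLOWED_READERS = {
    r"c:\program files\edr\sensor.exe",
    r"c:\windows\system32\csrss.exe",
}


@dataclass
class ProcessAccess:
    source_image: str
    target_image: str
    granted_access: int


def parse_sysmon_line(line: str) -> Optional[ProcessAccess]:
    """Parse one flattened Sysmon record (constructed 'Key=Value|Key=Value' format).

    Returns None for anything other than Event ID 10 (ProcessAccess)."""
    fields = dict(part.split("=", 1) for part in line.strip().split("|"))
    if fields.get("EventID") != "10":
        return None
    return ProcessAccess(
        source_image=fields["SourceImage"],
        target_image=fields["TargetImage"],
        granted_access=int(fields["GrantedAccess"], 16),
    )


def is_suspicious(ev: ProcessAccess) -> bool:
    """True when a non-allowlisted process gets memory-read access to the POS app."""
    target = ev.target_image.rsplit("\\", 1)[-1].lower()
    if target not in POS_PROCESSES:
        return False
    if ev.granted_access & PROCESS_VM_READ == 0:
        return False  # e.g. PROCESS_QUERY_LIMITED_INFORMATION only; cannot read memory
    return ev.source_image.lower() not in ALLOWED_READERS


def find_memory_readers(lines: List[str]) -> List[str]:
    """Return the SourceImage of every suspicious ProcessAccess event, in log order."""
    flagged = []
    for line in lines:
        ev = parse_sysmon_line(line)
        if ev is not None and is_suspicious(ev):
            flagged.append(ev.source_image)
    return flagged


# Constructed sample events (not real telemetry). Only the second one should fire:
# an executable dropped in a user temp directory reads the POS process memory.
SAMPLE_EVENTS = [
    r"EventID=10|SourceImage=C:\Program Files\EDR\sensor.exe|TargetImage=C:\POS\pos_app.exe|GrantedAccess=0x1010",
    r"EventID=10|SourceImage=C:\Users\cashier\AppData\Local\Temp\catgame.exe|TargetImage=C:\POS\pos_app.exe|GrantedAccess=0x1410",
    r"EventID=10|SourceImage=C:\Windows\explorer.exe|TargetImage=C:\Windows\notepad.exe|GrantedAccess=0x1410",
    r"EventID=1|Image=C:\Windows\System32\cmd.exe",
    r"EventID=10|SourceImage=C:\Windows\System32\taskmgr.exe|TargetImage=C:\POS\pos_app.exe|GrantedAccess=0x1000",
]

if __name__ == "__main__":
    for src in find_memory_readers(SAMPLE_EVENTS):
        print("suspicious memory read of POS process by:", src)
```

The allowlist is deliberately short: on a dedicated POS terminal very few processes have a legitimate reason to read the payment application's memory, so the rule errs towards alerting and the allowlist is tuned from a baseline rather than guessed.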

Who is behind GlitchPOS - According to Cisco researchers, a malware author who goes by the name of Edbitss is behind GlitchPOS. The same author is alleged to have developed the DiamondFox L!NK botnet in 2015/2016 and 2017.

“The icons are the same too in both panels, as well as the infected machine list (starting with the HWID). The PHP file naming convention is similar to DiamondFox, too. The author clearly reused code from DiamondFox panel on the GlitchPOS panel,” researchers explained.

Although the malware is being marketed globally, experts claim that residents of the US are the primary target of GlitchPOS.
