• The POS malware is being sold by cyber criminals on a crimeware forum.
  • A phishing email that includes a fake game featuring a cute cat is leveraged to distribute the malware.

A new insidious malware bent on siphoning credit-card numbers from point-of-sale (POS) systems has recently been spotted on a crimeware forum.

How was it discovered

In a blog post, Cisco Talos researchers described that the cybercriminals have released a video that comes with a set of instructions on ‘How to use the malware?’ For this, they are leveraging the phishing emails that contain a fake game featuring a cute cat. In this way, they fool the users who unknowingly download the malware by clicking on the video.

“A packer developed in Visual Basic protects this malware. It’s, on the surface, a fake game. The user interface of the main form (which is not displayed at the execution) contains various pictures of cats. The purpose of the packer is to decode a library that’s the real payload encoded with the UPX packer. Once decoded, we gain access to GlitchPOS, a memory grabber developed in Visual Basic,” wrote Cisco Talos researchers.

Following are the Payload Functions

  • Register the infected systems
  • Receive tasks (command execution in memory or on disk)
  • Exfiltrate credit card numbers from the memory of the infected system
  • Update the exclusion list of scanned processes
  • Update the “encryption” key
  • Update the User-Agent
  • Clean itself

Once the malware gets deployed in the system it connects with the C2 server to receive commands from the attackers via a shellcode and the communication is encrypted by XORed. The intended purpose of the malware is to steal the credit card numbers from the memory of the infected system.

Threat actors posted additional screenshots to boost the sale of the malware that includes clients list and the card’s date. The built malware is sold for $80, the builder $600 and gate address change for $80.

The Democratization of POS Malware

The report noted that the developer behind GlitchPOS who the researchers said is likely a threat actor known as edbitss created a video to demonstrate the POS malware’s ease of use. Though the payload is described as small and limited in functionality, it acts as a “memory grabber,” taking credit card numbers from the systems it infects and receiving tasks from a command-and-control (C&C) server, among other things.

Given the slow adoption of chip-and-PIN technology in the U.S., researchers suggested GlitchPOS might be more likely to target American credit card users. The bogus video game, meanwhile, is based on a packer built within Visual Basic that protects the POS malware from being easily identified.

Besides GlitchPOS, the researchers believe edbitss is responsible for similar threats such as the Diamond Fox Link botnet, with which it shares similarities. Less than a month after it was first marketed online, however, researchers spotted an actor known as Chameleon101 who appeared to replicate GlitchPOS and attempted to sell it on another forum at higher prices

How to Limit the Damage of POS Malware

GlitchPOS is the latest indication that the barrier to entry for stealing credit numbers is falling. For organizations in retail, hospitality and other industries in which the customer base may be at risk, the fallout can range from lost business to reputational damage, fines and more.

For any Cyber Security information contact help@theweborion.com