A new insidious malware bent on siphoning credit-card numbers from point-of-sale (PoS) systems has recently been spotted on a crimeware forum.
Researchers at Cisco Talos said in a Wednesday analysis that they discovered the malware, dubbed “GlitchPOS,” being peddled on the Dark Web for $250. The malware first appeared on Feb. 2, and researchers said they don’t know yet how many cybercriminals bought it or are using it.
“Cisco Talos recently discovered a new PoS malware that the attackers are selling on a crimeware forum,” said researchers in the post. “Our researchers also discovered the associated payloads with the malware, its infrastructure and control panel.”
GlitchPOS joins other recently developed malware targeting the retail and hospitality space, including TreasureHunter and PinkKite – a trend that’s rising given that cybercriminals look to profit from PoS systems that often represent a “soft target,” researchers said.
Malware Details
Craig Williams, director of Cisco Talos Outreach, told Threatpost that GlitchPOS stands out in part because “the software is well designed to be easy to use, which allows non-technical bad guys to run PoS botnets.”
The malware is spread via email, purporting to be a game involving “various pictures of cats.”
A packer developed in VisualBasic protects the malware, researchers said: “The purpose of the packer is to decode a library that’s the real payload, encoded with the UPX packer,” researchers said. “Once decoded, we gain access to GlitchPOS, a memory grabber developed in VisualBasic.”
The malware’s payload is small and has few functions after connecting to a command-and-control server (C2), including registering the infected systems, receiving tasks from the C2 (executed via a shellcode sent directly by the server) and exfiltrating credit-card numbers from the memory of the infected systems.
The GlitchPOS panel also includes other features provided by the seller to sweeten the malware package, including a dashboard, a “clients” list of the infected systems and a panel listing out the stolen credit-card numbers.
The pre-built malware sells for $250, while the builder goes for $600.
Seller: Not His First Malware
Researchers suspect that the seller behind GlitchPOS – who goes by the name “Edbitss” – has developed malware before.
Researchers assessed “with high confidence” that Edbitss is also the developer of the DiamondFox L!NK botnet. That modular botnet, which has been offered for sale on various underground forums since 2015/2016, gives cybercriminals the tools to launch a wide variety of attacks – from tailored espionage campaigns to credential theft campaigns and even simple DDoS attacks.
Researchers found several similarities between the DiamondFox L!NK botnet and GlitchPOS that led them to believe that the same developer is behind both.
For instance, the malware language for both is similar, and their panels contain similar images, codes, terminologies and colors. “The author clearly reused code from DiamondFox panel on the GlitchPOS panel,” said the researchers.
In another interesting twist that speaks to the popularity of PoS malware, researchers found other cybercriminals attempting to resell GlitchPOS on alternative websites at a higher price than the original.
“We also see that bad guys steal the work of each other and try to sell malware developed by other developers at a higher price,” said researchers.
POS Malware Rising In Popularity
Point-of-sale malware is becoming a rising scourge; particularly in the hospitality industry.
In January 2018, fashion retailer Forever 21 revealed that malware had sat on certain POS terminals for almost eight months in its stores, allowing hackers steal consumer credit card data from the company, and in March 2018, malware was discovered on PoS systems at more than 160 Applebee’s restaurants.
More recently, North Country Business Products (NCBP), a company that provides PoS systems and services for restaurant locations said that malware was able to scrape payment-card data from diners for about three weeks in January. NCBP’s reach is long, with partner restaurants running the gamut from Collins’ Irish Pub in Flagstaff, Ariz. To Vinyl Taco in Grand Forks, N.D.
PoS malware is typically deployed on retailers’ websites or on retail PoS sale machines.
“If they successfully obtain credit-card details, they can use either the proceeds from the sale of that information or use the credit-card data directly to obtain additional exploits and resources for other malware,” researchers said. “Point-of-sale terminals are often forgotten about in terms of segregation and can represent a soft target for attackers.”