An experienced malware developer is hawking a new POS malware strain called GlitchPOS on crimeware forums, and even created and posted a marketing video promoting its ease of use to potential buyers.
The malware’s primary purpose is to allow a wannabe cybercriminal to set up an enterprise to steal payment card numbers from the infected system, reported Cisco Talos. In addition to the associated payloads, infrastructure and control panel, a price list was also found. The built malware is sold for $250, the builder is $600 and the gate address change is priced at $80, wrote the Talos team of Warren Mercer, Paul Rascagneres and Ben Baker.
The team also connected the actors behind GlitchPOS to those who had previously pushed the DiamondFox L!NK botnet, which is one reason the GlitchPOS team is considered experienced.
The first post referring to GlitchPOS appeared in February 2019 on a malware forum, where an actor named “edbitss” announced that GlitchPOS was under development. It was first spotted for sale only a few weeks ago.
“Edbitss is allegedly the developer of the DiamondFox L!NK botnet in 2015/2016 and 2017 as explained in a report by Check Point,” Talos wrote.
One amusing aspect of edbitss' efforts to make money is that other cybercriminals have taken his product and started selling it for even more money, a move that ticked off some forum regulars.
The packer protecting the malware is developed in VisualBasic. It comes across to the victim as a game and, for some reason, displays images of kittens to the target.
“The purpose of the packer is to decode a library that's the real payload encoded with the UPX packer. Once decoded, we gain access to GlitchPOS, a memory grabber developed in VisualBasic,” the Talos team said.
Once connected to the command and control server the malware can:
- Register the infected systems.
- Receive tasks (command execution in memory or on disk).
- Exfiltrate credit card numbers from the memory of the infected system.
- Update the exclusion list of scanned processes.
- Update the "encryption" key.
- Update the User Agent.
- Clean itself.
The commands are executed via base64-encoded shellcode that is sent from the server. A regular expression is used to find the credit card information, including the cardholder name, card number and expiration date. Any card content found is sent to the C2 server.
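The three fields named above (cardholder name, card number, expiration date) are what magnetic-stripe Track 1 data carries, so a defender can check a captured outbound payload or an acquired memory image for unmasked track data. The following is an added example, not code from Talos or from the malware: it assumes the ISO/IEC 7813 Track 1 layout, the function names and sample buffer are constructed for illustration, and the regular expression GlitchPOS itself uses is not given in this article.

```python
import re

# Assumed ISO/IEC 7813 Track 1 layout: %B<PAN>^<NAME>^<YYMM>...
TRACK1 = re.compile(rb"%B(\d{13,19})\^([A-Za-z /.'-]{2,26})\^(\d{2})(\d{2})")

def luhn_ok(pan: bytes) -> bool:
    """Luhn checksum: rejects digit runs that only look like a card number."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = ch - 48                      # ASCII digit -> int
        if i % 2 == 1:                   # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

def mask(pan: bytes) -> str:
    """Keep first 6 / last 4 digits so the finding itself holds no full PAN."""
    s = pan.decode()
    return s[:6] + "*" * (len(s) - 10) + s[-4:]

def find_track1(buf: bytes) -> list:
    """Return masked findings for every plausible Track 1 record in buf."""
    hits = []
    for m in TRACK1.finditer(buf):
        pan, _name, yy, mm = m.groups()
        if not 1 <= int(mm) <= 12:       # impossible month: not an expiry date
            continue
        if not luhn_ok(pan):             # checksum failure: false positive
            continue
        hits.append({"offset": m.start(), "pan": mask(pan),
                     "expiry": f"{mm.decode()}/{yy.decode()}"})
    return hits

# Constructed sample: one valid record (industry test number), one with a
# bad checksum, one with month 13. Only the first should be reported.
SAMPLE = (b"\x00\x13junk%B4111111111111111^DOE/JOHN^2512101000000\x00"
          b"filler%B4111111111111112^ROE/JANE^2601101\x00"
          b"%B4111111111111111^DOE/JOHN^2513101")

if __name__ == "__main__":
    for hit in find_track1(SAMPLE):
        print(hit)
```

The checksum and month checks are what keep the alert volume manageable: a bare digit-run pattern fires on timestamps, identifiers and other binary noise.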