An experienced malware developer is hawking a new POS malware strain called GlitchPOS on crimeware forums, and even created and posted a marketing video promoting its ease of use to potential buyers.
The malware’s primary purpose is to allow a wannabe cybercriminal to set up an enterprise to steal payment card numbers from the infected system, reported Cisco Talos. In addition to the associated payloads, infrastructure and control panel, a price list was also found. The built malware is sold for $250, the builder is $600 and the gate address change is priced at $80, wrote the Talos team of Warren Mercer, Paul Rascagneres and Ben Baker.
also connected the actors behind GlitchPOS to those who had previously pushed the
DiamondFox L!NK botnet, which is one reason the GlitchPOS team is considered experienced.
The first post referring to GlitchPOS was seen in February 2019 in a malware forum posted by an actor named “edbitss” who announced the GlitchPOS was under development. It was first spotted for sale only a few weeks ago.
“Edbitss is allegedly the developer of the DiamondFox L!NK botnet in 2015/2016 and 2017 as explained in a report by Check Point,” Talos wrote.
One amusing aspect of edbitss’ efforts to make money is other cybercriminals have taken his product and started selling it for even more money, a move that ticked off some forum regulars.
protecting the malware is developed in VisualBasic and comes across to the
victim as a game and for some reason displays images of kittens to the target.
of the packer is to decode a library that’s the real payload encoded with the
UPX packer. Once decoded, we gain access to GlitchPOS, a memory grabber
developed in VisualBasic,” the Talos team said.
Once connected to the command and control server the malware can:
the infected systems.
tasks (command execution in memory or on disk).
credit card numbers from the memory of the infected system.
the exclusion list of scanned processes.
the “encryption” key.
the User Agent.
The commands are executed via based64-encoded shellcode that is sent from the server. A regular expression is used to find the credit card information, including the cardholder name, card number and expiration date. Any card content found is sent to the C2 server.