GlitchPOS Malware Now Features Offline Mode

Booz Allen Cyber Intel recently obtained a sample of the point-of-sale (POS) malware GlitchPOS. The malware, which is used to extract payment card data from POS systems and is currently available for sale on a malware forum, was also recently analyzed by researchers at  Cisco Talos. The Booz Allen Cyber Intel team determined the recently uncovered GlitchPOS variant is an updated version that incorporates additional functionality not present in the sample analyzed by Cisco Talos. Given the changes to the malware in recent weeks, Booz Allen assesses that GlitchPOS is likely being actively maintained and that updated variants (addressing errors and potentially incorporating additional functionality) can be expected moving forward.

Offline Mode Added to Updated Variant

The GlitchPOS sample analyzed by Booz Allen contains an offline mode and supporting code that is not present in previous versions. The integration of offline mode in the updated sample is likely a new capability. One of the benefits of adding this feature might include limiting detection of the malware by not generating network traffic. If threat actors have alternative C2 channels that appear less suspicious when accessing the targeted systems—such as valid remote desktop protocol (RDP) credentials—storing extracted payment card data locally and exfiltrating through that channel would limit the likelihood of the compromise being detected via network traffic analysis. Additionally, offline mode could also allow the targeting of systems that are not directly connected to the Internet.

Further, the offline mode isn't enabled by default; the new variant contains an option to turn on a "No-C2" mode, which prevents the malware from connecting to its C2 server. With the No-C2 mode enabled, GlitchPOS saves the scraped payment card data to a log file in the “%APPDATA%” folder. The name of the log file is the last four characters of the C2 encryption key.

Booz Allen-generated example logs in a virtual environment using simulated credit card information are shown below (Figure 1). 

C2 Parameter Modifications

This GlitchPOS sample also contains three network arguments that are not present previous samples. These include: "&r," "&ui," and "&g" (described below). Each of these commands relate to uninstalling, confirming an update, or downloading an additional file from the C2 server: likely these were incorporated to help users more easily manage the malware on their targeted hosts.

Configuration File Updates

The configuration file used by GlitchPOS is encrypted with RC4 and is embedded in the implant as a resource named "Y." GlitchPOS generates a decryption key based on a seed value which is obtained by taking the length of the embedded resource and applying the formula "round(cosine(sqroot(seed)),15)." This formula calculates the cosine of the square root of the seed and rounds the value to the 15th digit. However, while the sample analyzed by Cisco Talos sets the seed value equal to the size of the resource (e.g., 999 if the resource is 999 bytes), the sample analyzed by Booz Allen uses a seed value equal to the length of the string that represents the size of the resource (e.g., three if the resource is 999 bytes, or two if the resource is 99 bytes). Booz Allen Cyber Intel notes that the generation of the seed value in this way is probably a bug since this method results in many configuration resources having the same key (e.g., all resources with 10-99 bytes will have the same key, all resources with 100-999 will have the same key, etc.).

Additionally, the formatting of the configuration file appears to have been changed. While the Cisco Talos sample includes key value mappings in its configuration file, the sample analyzed by Booz Allen does not. Instead, the configuration fields are simply separated by new lines in a predefined order. It is unclear whether the removal of these mappings was intentional and if so, why.

Booz Allen sample's configuration:

Talos sample’s configuration:

Booz Allen Cyber Intel notes that when an attacker installs the GlitchPOS control panel, the panel generates a random user agent string and encryption key. The intending malware operator must send this generated user agent string and encryption key to the GlitchPOS developer, who then provides a compiled GlitchPOS payload with the user agent string hardcoded into the configuration file. Any requests to the C2 server that do not use this user agent are immediately dropped.

Behaviors/TTPs

GlitchPOS's payment card scraper extracts payment card data by iterating through all running processes (except those on a configurable whitelist), and searching through their memory space for track data—the encoded account information stored in a payment card’s magnetic strip—using a regular expression (regex). When track data is identified, GlitchPOS runs a validity check using the Luhn's algorithm to confirm the payment card data is valid. GlitchPOS also checks the expiration date and only keeps cards with an expiration date between 2019 and 2025.

GlitchPOS uses HTTP GET requests to communicate with its command-and-control (C2) server. Supported commands and associated GET parameters are detailed in the table below:

Table 1: Supported GlitchPOS C2 communications and associated GET parameters

Booz Allen Cyber Intel notes that GlitchPOS sleeps for 1 second between beacons.

All of the field values supplied with these parameters, as well as all of the data returned by the C2, are encoded using Base64. In the sample analyzed by Cisco Talos, before the values are Base64 encoded, they are first RC4 encrypted using the key from the GlitchPOS configuration file. The sample analyzed by Booz Allen does not actually use its C2 encryption key at all. It is part of the configuration for both the C2 control panel and the implant, but is never actually used. Instead, the network traffic is simply Base64 encoded. This may be an accidental omission by the author.

Considerations

Based on the four additional functions contained in the GlitchPOS sample analyzed by Booz Allen, we believe that the sample is a newer, updated variant. In addition to expanded functionality, analysis of the updated GlitchPOS samples also revealed several changes that appear to be errors or bugs. These include the omission of RC4 encryption of the network traffic and the changes to the way decryption keys are generated, both of which could cause issues for individuals purchasing and setting up GlitchPOS instances. Given these enhancements, Booz Allen expects GlitchPOS to continue to evolve and persist.

At Booz Allen our Intel allows clients to peer over the edge with creativity and imagination, because the threat actors are doing the same. Think like an attacker; that’s what the best intelligence enables. Learn more about our approach to Managed Threat Services here.