Booz Allen Cyber Intel recently obtained a sample of the point-of-sale (POS) malware GlitchPOS. The malware, which is used to extract payment card data from POS systems and is currently available for sale on a malware forum, was also recently analyzed by researchers at Cisco Talos. The Booz Allen Cyber Intel team determined the recently uncovered GlitchPOS variant is an updated version that incorporates additional functionality not present in the sample analyzed by Cisco Talos. Given the changes to the malware in recent weeks, Booz Allen assesses that GlitchPOS is likely being actively maintained and that updated variants (addressing errors and potentially incorporating additional functionality) can be expected moving forward.
The
Further, the offline mode isn't enabled by default; the new variant contains an option to turn on a "No-C2" mode, which prevents the malware from connecting to its C2 server. With the No-C2 mode enabled,
Booz Allen-generated example logs in a virtual environment using simulated credit card information are shown below (Figure 1).
Figure 1: Example of payment card data tracks saved to a log file when GlitchPOS operates in offline mode
This GlitchPOS sample also contains three network arguments that are not present previous samples. These include: "&r," "&ui," and "&g" (described below). Each of these commands relate to uninstalling, confirming an update, or downloading an additional file from the C2 server: likely these were incorporated to help users more easily manage the malware on their targeted hosts.
The configuration file used by GlitchPOS is encrypted with RC4 and is embedded in the implant as a resource named "Y." GlitchPOS generates a decryption key based on a seed value which is obtained by taking the length of the embedded resource and applying the formula "round(cosine(sqroot(seed)),15)." This formula calculates the cosine of the square root of the seed and rounds the value to the 15th digit. However, while the sample analyzed by Cisco Talos sets the seed value equal to the size of the resource (e.g., 999 if the resource is 999 bytes), the sample analyzed by Booz Allen uses a seed value equal to the length of the string that represents the size of the resource (e.g., three if the resource is 999 bytes, or two if the resource is 99 bytes). Booz Allen Cyber Intel notes that the generation of the seed value in this way is probably a bug since this method results in many configuration resources having the same key (e.g., all resources with 10-99 bytes will have the same key, all resources with 100-999 will have the same key, etc.).
Additionally, the formatting of the configuration file appears to have been changed. While the Cisco Talos sample includes key value mappings in its configuration file, the sample analyzed by Booz Allen does not. Instead, the configuration fields are simply separated by new lines in a predefined order. It is unclear whether the removal of these mappings was intentional and if so, why.
Booz Allen sample's configuration:
C2 |
Redacted |
|
User-Agent |
Redacted | |
Install Name |
explorer.exe |
|
Encryption Key |
Redacted |
|
Offline Mode |
False |
Talos sample’s configuration:
C2 |
{k}=http://coupondemo.dynamicinnovation.net/admin/gate.php |
|
User-Agent |
{i}=Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2623.112 Safari/537.36 |
|
Install Name |
{f}=SearchIndexer.exe |
|
Encryption Key |
{u}=4dadb6314eeae13e8506ad235e89274a |
Booz Allen Cyber Intel notes that when an attacker installs the GlitchPOS control panel, the panel generates a random user agent string and encryption key. The intending malware operator must send this generated user agent string and encryption key to the GlitchPOS developer, who then provides a compiled GlitchPOS payload with the user agent string hardcoded into the configuration file. Any requests to the C2 server that do not use this user agent are immediately dropped.
GlitchPOS's payment card scraper extracts payment card data by iterating through all running processes (except those on a configurable whitelist), and searching through their memory space for track data—the encoded account information stored in a payment card’s magnetic strip—using a regular expression (regex). When track data is identified, GlitchPOS runs a validity check using the Luhn's algorithm to confirm the payment card data is valid. GlitchPOS also checks the expiration date and only keeps cards with an expiration date between 2019 and 2025.
GlitchPOS uses HTTP GET requests to communicate with its command-and-control (C2) server. Supported commands and associated GET parameters are detailed in the table below:
GET Parameter |
Functionality |
|
&t |
Collects information on the payment card data track |
|
&p |
Process from which the payment card data track was scraped; this parameter is always paired with the &t parameter |
|
&ped |
Bot ID number, which is generated using the format <MAC Address>$<Hostname> |
|
&r |
Requests updated process whitelist |
|
&u |
Uninstalls the malware |
|
&ui |
Confirms that the payment card scraper has been updated |
|
&f |
Downloads a file from the C2 /files directory and executes it |
|
&g |
Downloads a file from the C2 root directory and executes it; the C2 verifies that the requested file has the extension .exe |
|
&s |
Gets shellcode from C2 and executes it using the RunPE method by default to hide the shellcode in the Windows Explorer process |
Table 1: Supported GlitchPOS C2 communications and associated GET parameters
Booz Allen Cyber Intel notes that GlitchPOS sleeps for 1 second between beacons.
All of the field values supplied with these parameters, as well as all of the data returned by the C2, are encoded using Base64. In the sample analyzed by Cisco Talos, before the values are Base64 encoded, they are first RC4 encrypted using the key from the GlitchPOS configuration file. The sample analyzed by Booz Allen does not actually use its C2 encryption key at all. It is part of the configuration for both the C2 control panel and the implant, but is never actually used. Instead, the network traffic is simply Base64 encoded. This may be an accidental omission by the author.
Based on the four additional functions contained in the GlitchPOS sample analyzed by Booz Allen, we believe that the sample is a newer, updated variant. In addition to expanded functionality, analysis of the updated GlitchPOS samples also revealed several changes that appear to be errors or bugs. These include the omission of RC4 encryption of the network traffic and the changes to the way decryption keys are generated, both of which could cause issues for individuals purchasing and setting up GlitchPOS instances. Given these enhancements, Booz Allen expects GlitchPOS to continue to evolve and persist.
At Booz Allen our Intel allows clients to peer over the edge with creativity and imagination, because the threat actors are doing the same. Think like an attacker; that’s what the best intelligence enables. Learn more about our approach to Managed Threat Services here.
