Booz Allen Cyber Intel recently obtained a sample of the point-of-sale (POS) malware GlitchPOS. The malware, which is used to extract payment card data from POS systems and is currently available for sale on a malware forum, was also recently analyzed by researchers at Cisco Talos. The Booz Allen Cyber Intel team determined the recently uncovered GlitchPOS variant is an updated version that incorporates additional functionality not present in the sample analyzed by Cisco Talos. Given the changes to the malware in recent weeks, Booz Allen assesses that GlitchPOS is likely being actively maintained and that updated variants (addressing errors and potentially incorporating additional functionality) can be expected moving forward.
Offline Mode Added to Updated Variant
The GlitchPOS sample analyzed by Booz Allen contains an offline mode and supporting code that are not present in previous versions; the offline mode is likely a new capability. One likely benefit of this feature is reduced detection, because in offline mode the malware generates no network traffic. If threat actors have an alternative command-and-control (C2) channel that appears less suspicious when accessing the targeted systems, such as valid Remote Desktop Protocol (RDP) credentials, storing extracted payment card data locally and exfiltrating it through that channel would limit the likelihood of the compromise being detected via network traffic analysis. Offline mode could also allow the targeting of systems that are not directly connected to the Internet.
Further, the offline mode is not enabled by default; the new variant contains an option to turn on a "No-C2" mode, which prevents the malware from connecting to its C2 server. With No-C2 mode enabled, GlitchPOS saves the scraped payment card data to a log file in the "%APPDATA%" folder. The name of the log file is the last four characters of the C2 encryption key.
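Because the log file name is derived from the C2 key, a defender who does not hold the key cannot predict it and has to hunt by content instead. The following Python script is an added example, not code from the Booz Allen write-up or from the malware: it walks a directory tree (pass %APPDATA% on a real host) and flags files that contain several Luhn-valid primary account numbers (PANs), optionally in track-2 form. The track-2 layout, the 13-19 digit PAN length range and the detection threshold are generic assumptions, not details taken from the write-up; the sample directory it builds when run without arguments uses constructed data and public test card numbers only.

```python
"""
Hunt for card-data dump files written under %APPDATA% (or any directory).

Added example; it assumes only what the write-up states: an offline-mode POS
scraper writes scraped card data to a log file under %APPDATA% whose name
(the last four characters of the C2 key) the defender cannot predict. The
hunt is therefore content based: any file holding several Luhn-valid 13-19
digit PANs, optionally in track-2 ';PAN=YYMM...' form, is flagged. Track-2
shape, PAN length range and threshold are generic assumptions.
"""
import os
import re
import sys
import tempfile

# Candidate PAN: 13-19 consecutive digits, not glued to other digits.
PAN_RE = re.compile(rb"(?<!\d)(\d{13,19})(?!\d)")
# Track-2 shape: optional ';' start sentinel, PAN, '=' separator, YYMM expiry.
TRACK2_RE = re.compile(rb";?(\d{13,19})=(\d{4})")


def luhn_ok(digits: bytes) -> bool:
    """Return True if the ASCII digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = ch - 0x30
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def score_file(path: str, max_bytes: int = 8 * 1024 * 1024) -> dict:
    """Count distinct Luhn-valid PANs and track-2 records in one file."""
    with open(path, "rb") as fh:
        data = fh.read(max_bytes)
    pans = {m.group(1) for m in PAN_RE.finditer(data) if luhn_ok(m.group(1))}
    tracks = sum(1 for m in TRACK2_RE.finditer(data) if luhn_ok(m.group(1)))
    return {"path": path, "pans": len(pans), "track2": tracks}


def hunt(root: str, min_pans: int = 3) -> list:
    """Walk root; return files holding at least min_pans distinct valid PANs."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                result = score_file(path)
            except OSError:
                continue        # unreadable or vanished file; keep walking
            if result["pans"] >= min_pans:
                hits.append(result)
    # Track-2 shaped content is the stronger signal, so sort it first.
    return sorted(hits, key=lambda r: (-r["track2"], -r["pans"]))


def build_sample_tree() -> str:
    """Create a constructed directory: one dump-like file, two benign files."""
    root = tempfile.mkdtemp(prefix="appdata_sample_")
    # Constructed dump in track-2 form, built from public test card numbers.
    dump = (b";4111111111111111=25121010000000000000?\n"
            b";5500000000000004=26061010000000000000?\n"
            b";340000000000009=24111010000000000000?\n")
    # Benign: a 16-digit serial that fails Luhn, and a single valid PAN
    # (below the threshold, as a lone receipt or order record might hold).
    config = b"device_serial=1234567890123456\nstore=0042\n"
    receipt = b"order_id=1001\ncard=4111111111111111\n"
    for name, body in (("a1b2", dump), ("app.cfg", config), ("last.txt", receipt)):
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(body)
    return root


def main(argv: list) -> None:
    """Scan the given directory, or the constructed sample tree if none."""
    root = argv[1] if len(argv) > 1 else build_sample_tree()
    for hit in hunt(root):
        print(f"{hit['path']}: {hit['pans']} distinct PANs, "
              f"{hit['track2']} track-2 records")


if __name__ == "__main__":
    main(sys.argv)
```

Run it as `python hunt_dumps.py "%APPDATA%"` on a Windows POS host; with no argument it scans the constructed sample tree and reports only the dump-like file. The threshold of three distinct PANs keeps single-record files such as receipts out of the results, and the Luhn check discards long serial numbers and identifiers that merely look like card numbers.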
Example logs that Booz Allen generated in a virtual environment using simulated payment card data are shown below (Figure 1).