
GlitchPOS

Posted: March 18, 2019

GlitchPOS is a Point-of-Sale Trojan, a form of spyware that collects credit card details from businesses' transaction-processing machines. GlitchPOS uses packing and misleading internal data to disguise itself from security solutions, and it shows no substantial symptoms while it's actively running. Let your anti-malware tools monitor the system for changes and remove GlitchPOS as appropriate; meanwhile, customers with suspected data breaches should cancel their cards as soon as possible.

Point-of-Sale Problems Making a Return

The threat actor previously involved in running the DiamondFox botnet is switching to a new type of threatening software: a dedicated Point-of-Sale Trojan. His product, GlitchPOS, recycles some of the user interface of the previous botnet but none of its PoS features, and is effectively an independent work. Besides having the option of running his own private campaigns for collecting transaction information, the author, 'Edbitss,' is selling various options for the Trojan to other criminals on Black Hat software websites.

The GlitchPOS installer uses UPX packing and an internal function implying that it's a simple game (which never appears to the user after installation) as its defenses against security software. Once active, the Windows Trojan scrapes memory for credit card details that it can upload to the threat actor, who monitors the situation and sends commands through a control panel. While malware experts note that GlitchPOS's payload scope is narrow, the program includes the traditional, useful features, such as XOR encryption for its C&C communications, optional updating of various parameters like which processes it excludes, and a self-uninstaller.

GlitchPOS's current business model depends on criminals who buy either a prebuilt variant of the spyware or (for a higher price) the Trojan-making toolkit, and who then distribute it to new targets at their pleasure. This mode of operation, not too different from the Ransomware-as-a-Service or RaaS industry, leaves many infection strategies open to possible abuse. Businesses should install appropriate security solutions and monitor physical access to PoS machines, while maintaining strict guidelines regarding e-mail interactions for workplace addresses.

A Glitch in this Spyware's Business Model

GlitchPOS is too new to have much of a claim to fame, but its history already includes an odd data point: the attempted theft of the brand from Edbitss by another criminal. The second individual is selling GlitchPOS, with the same options at higher prices, on similar underground Trojan forums. Whether this threat actor bought GlitchPOS or gained access to its code in another way isn't knowable yet, but it could do more to help the product's circulation, along with showing that there's no honor among thieves.

Customers who are affected by GlitchPOS will see no signs of the compromise until the threat actors begin abusing the data or selling it to third parties who do the same. Businesses should, however, notify their customers of security breaches and recommend canceling all exposed cards immediately, and rolling back any fraudulent charges, if pertinent. Traditional anti-malware tools should remain appropriate for blocking the installation of the threat or removing GlitchPOS after the install routine, although its payload has little relevance to home PC users.

Point-of-Sale Trojans are not as numerous as in past years and are readily forgotten next to more bombastic threats, like Trojans that encrypt files for ransom. Down isn't out, however, and GlitchPOS is a clear showing that businesses need to maintain a reasonable minimum of security.
