GlitchPOS, the new point-of-sale malware actively spreading in the wild.

March 22, 2019

The SonicWall Capture Labs Threat Research Team observed reports of a new variant POS family named GlitchPOS Detected as GAV: GlitchPOS.A actively spreading in the wild.

GlitchPOS is a fake cat game which is embedded in the malware and not displayed at the time of execution. GlitchPOS typically has the capability such as scraping memory to retrieve Credit Card Data during its scan.

Contents of GlitchPOS Malware


Infection Cycle:

The Malware adds the following files to the system:

  • %Userprofile%Application Data\SearchIndexer.exe [Detected as GAV: GlitchPOS.A (Trojan)]]
  • %Userprofile%Local Settings\Temp\x.vbs

The Malware adds the following file to the startup folder to ensure persistence upon reboot:

  • %Userprofile%Start Menu\Programs\Startup\SearchIndexer.lnk

Once the computer is compromised, the malware creates a new process to maintain persistence and then launches a component to monitor for sensitive payment card data.

GlitchPOS retrieves a list of running processes; the malware is responsible for scraping the memory of current processes on the infected machine for credit card information periodically.

GlitchPOS has an exclusion list that functions to ignore certain system processes; it gathers track data by scanning the memory of all running processes except for the following List:

Once it locates payment card data, GlitchPOS makes one HTTP request to determine the infected system’s external IP address.  GlitchPOS generates a random identifier for the target machine and sends to the C&C server.

GlitchPOS uses a basic encryption and Hex encoding method to obfuscate various strings such as the shellcode, filenames, and process names to evade detection.

Once the public IP is acquired, GlitchPOS tries to verify Credit Cards numbers and then sends track 1 and track 2 credit card data in encrypted format.

GlitchPOS tries to Enumerate Credit Card data from POS Software using the Luhn algorithm and then encrypts and sent to one of the given C&C Servers.

Here is an example of Track data:

Command and Control (C&C) Traffic

GlitchPOS performs C&C communication over port 80. Requests are made on a regular basis to statically defined domains such as:

SonicWall Capture Labs provides protection against this threat via the following signature:

  • GAV: GlitchPOS.A (Trojan)