The Awakening of PoS Malware (or, has it really been dormant?)
The peak of Point-of-Sale (PoS) malware activity came in late 2013 (with the disclosure of the notorious Target breach) and over the course of 2014, when we witnessed the development and trade of new PoS malware strains. The vigorous discussions in hacking communities at the time led hackers to believe that PoS malware would ensure them an easy profit. However, as time passed, the volume of such discussions decreased and cybercriminals apparently turned to more promising fields of activity, such as mining cryptocurrency and stealing crypto wallets. From time to time, we observed discussions pertaining to PoS devices, largely focused on two main subjects:
- Trade and sharing of old, well-known PoS malware samples or source code, such as Alina or Dexter, which are neither sophisticated nor efficient in large-scale attacks.
- Installation of fake, offline PoS terminals in physical locations to steal the credit card data of customers who purchase there in person. This type of activity is considered risky, since it requires physical access to the terminal and the cooperation of additional accomplices.
Based on these findings, combined with the lack of recent security reports on new PoS malware, one might conclude that attacks on PoS devices are becoming rare and less popular among cybercriminals. Nevertheless, recent evidence from the wild indicates that new PoS malware strains have been developed and that attacks on PoS devices have never ceased.
Volume of discussions mentioning PoS over the course of the past two years. It is evident that the subject still attracts a great deal of attention.
The continued Dark Web discussion of PoS malware has lately also been reflected in cyber security media, with reports about the discovery of two new PoS malware strains. The appearance of new PoS malware strains is relevant and concerning not only for retailers, who are naturally the primary victims of this malicious activity, but also for banks and other financial institutions that issue credit and debit cards, as it is their cards’ details that will be stolen en masse in the case of a successful remote infection of large retail websites by PoS malware.
In this post we review two PoS malware strains that have recently caught the public eye, with input from our research team.
1. GlitchPOS – a new PoS malware developed from scratch
GlitchPOS gained publicity after Talos published a blog post on March 13, 2019. However, as we regularly follow the malware trade on underground forums, our researchers first saw it offered for sale in mid-February 2019.
According to the analysis of the security researchers who obtained the malware samples, it is protected by a Visual Basic packer disguised as a game. The packer decodes the real GlitchPOS payload, which is also written in Visual Basic. Additionally, the malware’s code does not appear to have been adapted from the leaked source code of an older malware family, but to have been developed from scratch.
GlitchPOS is a small memory grabber with a limited set of functions, which it performs while communicating with the C&C server: exfiltrating credit card numbers from the memory of the infected systems, updating the exclusion list of scanned processes to avoid detection, and receiving commands from the C&C server, in memory or on disk. Of note, communication between the malware and the C&C server is not encrypted.
A threat actor dubbed edbitss launched the sale of GlitchPOS on a prominent Russian-language forum on February 11, 2019, explaining that his product is a RAM scraper with certain loader capabilities. According to the sales post, the price is US$ 250 for a malware build and US$ 600 for a builder that creates an unlimited number of stubs for the buyer’s use. At some point, after five copies of the malware had allegedly been purchased, the seller raised the price of the build to US$ 500, but then reverted to the original price.
The original GlitchPOS sales thread. Source: Verint DarkAlert
The post includes a “changelog” section, indicating that the malware has been updated continually since its initial publication in response to buyers’ comments.
After some complaints were registered regarding the malware, including a claim that it contains a backdoor allowing the seller to steal the cards before the malware operators can monetize them, the forum administrator received samples of the malware from the seller; in the coming days he will publish his verdict regarding the legitimacy and capabilities of GlitchPOS. If authenticated, GlitchPOS will likely become extremely popular and in high demand among cybercriminals, being the first successful PoS malware in recent years.
Of note, GlitchPOS quickly spread to other underground forums, both Russian- and English-language, indicating that its potential is high. While some of the publishers appear to be legitimate resellers, others seem to be scammers attempting to sell the malware for a higher price than the original.
2. DMSniff POS – the “new” PoS malware has been active for over 4 years
According to the recent reports that made this malware publicly known, DMSniff POS appears to have remained undiscovered for at least four years (perhaps even longer, according to our research team) and has been actively used by threat actors since at least 2015. So far, this malware has been spotted in breaches of small and medium-sized businesses in the restaurant and entertainment industries. It employs a technique rarely seen in PoS attacks – a Domain Generation Algorithm (DGA), which lets it generate a changing list of command-and-control domains if the old ones are taken down, so that the malware can still reach its servers and continue operating.
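The DGA behaviour described above leaves a footprint in DNS logs: a terminal suddenly issuing lookups for long, high-entropy, digit-heavy names it has never queried before. The following is an added defender-side example, not code from the original post or from any DMSniff analysis; it applies a simple lexical heuristic to constructed DNS query log lines (the log format, host name and domain names are assumptions) and flags the names that look machine-generated.

```python
import math
import re
from collections import Counter

# Constructed DNS query log lines (not from the original post): the first three
# names resemble DGA output, the last three are ordinary lookups.
SAMPLE_DNS_LOG = """\
2019-03-14T10:01:02Z pos-term-07 query A xk3q9zv2hd7lp.com
2019-03-14T10:01:03Z pos-term-07 query A q8wz4ty1nb6rj.net
2019-03-14T10:01:04Z pos-term-07 query A m2lx7vq9ktzp.info
2019-03-14T10:01:05Z pos-term-07 query A updates.example.com
2019-03-14T10:01:06Z pos-term-07 query A www.paymentgateway.example
2019-03-14T10:01:07Z pos-term-07 query A ntp.pool.example.org
"""
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) query \S+ (?P<name>\S+)$")
VOWELS = set("aeiou")

def shannon_entropy(s: str) -> float:
    """Bits per character; random-looking labels approach log2(len(s))."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())

def registered_label(name: str) -> str:
    """Label left of the TLD (simplification: ignores multi-part suffixes)."""
    parts = name.rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]

def dga_score(name: str) -> float:
    """Heuristic 0..1 score from entropy, digit density and vowel scarcity.
    Weights are illustrative; a production detector would also use allowlists,
    NXDOMAIN rates and first-seen tracking per host."""
    label = registered_label(name).lower()
    if len(label) < 7:  # short labels are too ambiguous to score
        return 0.0
    ent = min(shannon_entropy(label) / 4.0, 1.0)
    digits = sum(ch.isdigit() for ch in label) / len(label)
    vowels = sum(ch in VOWELS for ch in label) / len(label)
    return round(0.5 * ent + 0.3 * min(digits * 3, 1.0)
                 + 0.2 * (1.0 - min(vowels * 3, 1.0)), 3)

def flag_dga_queries(log_text: str, threshold: float = 0.6):
    """Return (host, name, score) for each query scoring at/above threshold."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m and (score := dga_score(m["name"])) >= threshold:
            hits.append((m["host"], m["name"], score))
    return hits
```

A lexical score alone produces false positives on CDN and tracking hostnames, so in practice it is combined with per-host NXDOMAIN counts and a first-seen allowlist before alerting.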
DMSniff POS can gain an initial foothold on PoS devices either through brute-force attacks against SSH connections or by detecting existing vulnerabilities in the PoS network and exploiting them. The latter vector is particularly simple, since, like many other firmware-based devices, PoS terminals tend to be inadequately secured and are frequently out of date.
Once installed, the malware’s purpose is to extract credit card Track 1 and Track 2 data from the targeted system’s memory. The malware also contains a predefined list of processes to skip when scanning the process tree. Once credit card data is discovered, the card data (including some of the surrounding memory) is packaged and sent to the C&C. After that, the stolen data is deleted from the malware’s administration panel.
Our research team’s monitoring of cybercriminal activity on the dark web did not reveal recent discussions or sales offers related to the DMSniff POS malware. However, we did find some brief references indicating that this malware is not new and has been in use by hackers since at least 2015. For instance, we found a member of a closed English-language forum offering the malware for sale in late 2015 for US$ 5,000.
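Brute-forcing SSH, the first of the two footholds mentioned above, is noisy: it produces a burst of failed logins from one source address, often followed shortly by a success. The following is an added defender-side example, not code from the original post or from any DMSniff analysis; it runs simple burst detection over constructed sshd log lines (the host name, addresses and thresholds are assumptions) and escalates when a successful login follows the burst.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sshd log lines (not from the original post): one address hammers
# root and then succeeds; a second address shows a single benign failure.
SAMPLE_AUTH_LOG = """\
Mar 14 10:05:01 pos-term-07 sshd[812]: Failed password for root from 203.0.113.9 port 40122 ssh2
Mar 14 10:05:02 pos-term-07 sshd[813]: Failed password for root from 203.0.113.9 port 40123 ssh2
Mar 14 10:05:02 pos-term-07 sshd[814]: Failed password for invalid user admin from 203.0.113.9 port 40124 ssh2
Mar 14 10:05:03 pos-term-07 sshd[815]: Failed password for root from 203.0.113.9 port 40125 ssh2
Mar 14 10:05:04 pos-term-07 sshd[816]: Failed password for root from 203.0.113.9 port 40126 ssh2
Mar 14 10:05:09 pos-term-07 sshd[817]: Accepted password for root from 203.0.113.9 port 40130 ssh2
Mar 14 10:20:00 pos-term-07 sshd[900]: Failed password for pos from 198.51.100.4 port 50001 ssh2
Mar 14 10:20:30 pos-term-07 sshd[901]: Accepted publickey for pos from 198.51.100.4 port 50002 ssh2
"""
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) \w+ for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)

def detect_ssh_bruteforce(log_text, threshold=5, window=timedelta(seconds=60),
                          follow=timedelta(minutes=10)):
    """Flag a source IP after `threshold` failures inside `window`, and again
    if it then logs in successfully within `follow` (likely compromise).
    Returns a list of (finding, ip, detail) tuples in log order."""
    failures = defaultdict(list)  # ip -> recent failure timestamps
    burst_at = {}                 # ip -> time the threshold was crossed
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        # Syslog timestamps carry no year; all lines are assumed to share one.
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")
        ip = m["ip"]
        if m["result"] == "Failed":
            recent = [t for t in failures[ip] if ts - t <= window] + [ts]
            failures[ip] = recent
            if len(recent) >= threshold and ip not in burst_at:
                burst_at[ip] = ts
                findings.append(("ssh_bruteforce", ip, m["host"]))
        elif ip in burst_at and ts - burst_at[ip] <= follow:
            findings.append(("login_after_bruteforce", ip, m["user"]))
    return findings
```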
An English forum member offers DMSniff POS for sale in October 2015. Source: Verint Dark Alert
Another mention of DMSniff POS dating from that time was found on two Russian-language forums, where it was advertised as a module of the infamous Gazavat (also known as Sality) banking Trojan, designed to intercept “dumps,” i.e. credit card data.
DMSniff is advertised as a module of the Gazavat banking Trojan in October 2015. Source: Verint Dark Alert
Sources: https://www.flashpoint-intel.com/blog/dmsniff-pos-malware-actively-leveraged-target-medium-sized-businesses/, https://exchange.xforce.ibmcloud.com/collection/DMSniff-Point-of-Sale-Malware-1f932b4e627237f15f459d97d8ef27ef