GlitchPOS, the new point-of-sale malware actively spreading in the wild.


The SonicWall Capture Labs Threat Research Team observed reports of a new variant POS family named GlitchPOS Detected as GAV: GlitchPOS.A actively spreading in the wild.

GlitchPOS is a fake cat game which is embedded in the malware and not displayed at the time of execution. GlitchPOS typically has the capability such as scraping memory to retrieve Credit Card Data during its scan.

Contents of GlitchPOS Malware


Infection Cycle:

The Malware adds the following files to the system:

  • %Userprofile%Application Data\SearchIndexer.exe [Detected as GAV: GlitchPOS.A (Trojan)]]
  • %Userprofile%Local Settings\Temp\x.vbs

The Malware adds the following file to the startup folder to ensure persistence upon reboot:

  • %Userprofile%Start Menu\Programs\Startup\SearchIndexer.lnk

Once the computer is compromised, the malware creates a new process to maintain persistence and then launches a component to monitor for sensitive payment card data.

GlitchPOS retrieves a list of running processes; the malware is responsible for scraping the memory of current processes on the infected machine for credit card information periodically.

GlitchPOS has an exclusion list that functions to ignore certain system processes; it gathers track data by scanning the memory of all running processes except for the following List:

Once it locates payment card data, GlitchPOS makes one HTTP request to determine the infected system’s external IP address.  GlitchPOS generates a random identifier for the target machine and sends to the C&C server.

GlitchPOS uses a basic encryption and Hex encoding method to obfuscate various strings such as the shellcode, filenames, and process names to evade detection.

Once the public IP is acquired, GlitchPOS tries to verify Credit Cards numbers and then sends track 1 and track 2 credit card data in encrypted format.

GlitchPOS tries to Enumerate Credit Card data from POS Software using the Luhn algorithm and then encrypts and sent to one of the given C&C Servers.

Here is an example of Track data:

Command and Control (C&C) Traffic

GlitchPOS performs C&C communication over port 80. Requests are made on a regular basis to statically defined domains such as:

SonicWall Capture Labs provides protection against this threat via the following signature:

  • GAV: GlitchPOS.A (Trojan)



Security News
The SonicWall Capture Labs Threat Research Team gathers, analyzes and vets cross-vector threat information from the SonicWall Capture Threat network, consisting of global devices and resources, including more than 1 million security sensors in nearly 200 countries and territories. The research team identifies, analyzes, and mitigates critical vulnerabilities and malware daily through in-depth research, which drives protection for all SonicWall customers. In addition to safeguarding networks globally, the research team supports the larger threat intelligence community by releasing weekly deep technical analyses of the most critical threats to small businesses, providing critical knowledge that defenders need to protect their networks.