A new breed of point-of-sale malware has been found in several recent attacks, and experts say that the tool, known as Backoff, has extensive data stealing and exfiltration capabilities, including keylogging, memory scraping and injection into running processes.
The Backoff malware doesn’t necessarily make use of any new techniques or employ innovative infection methods, but researchers at Trustwave SpiderLabs and US-CERT, who have analyzed the malware, say that it’s a serious threat. Attackers have been using the Backoff malware as the second stage of campaigns that begin with locating and then brute-forcing the credentials for remote desktop applications, often for an administrator account. Once that’s accomplished, the attackers then look for PoS devices and install the Backoff malware if possible.
Once installed on a PoS device, the malware injects a small piece of malicious code into the explorer.exe process. It has the ability to scrape memory from running processes to gather payment card track data, log keystrokes and communicate with a remote command-and-control infrastructure.
“The malicious stub that is injected into explorer.exe is responsible for persistence in the event the malicious executable crashes or is forcefully stopped. The malware is responsible for scraping memory from running processes on the victim machine and searching for track data. Keylogging functionality is also present in most recent variants of ‘Backoff’. Additionally, the malware has a C2 component that is responsible for uploading discovered data, updating the malware, downloading/executing further malware, and uninstalling the malware,” the advisory from US-CERT says.
There are several known variants of the Backoff malware, with slightly different functionality, and researchers say the first known samples were identified in October 2013. The C&C communications are done via HTTP POST requests to domains that are hardcoded into the malware. Data sent to the C&C servers is encrypted.
“Data is encrypted using RC4 prior to being encoded with Base64. The password for RC4 is generated from the ‘id’ parameter, a static string of ‘jhgtsd7fjmytkr’, and the ‘ui’ parameter. These values are concatenated together and then hashed using the MD5 algorithm to form the RC4 password. In the above example, the RC4 password would be ’56E15A1B3CB7116CAB0268AC8A2CD943 (The MD5 hash of ‘vxeyHkSjhgtsd7fjmytkrJosh @ PC123456),” the technical analysis by Josh Grunzweig of SpiderLabs says.
PoS malware isn’t a new phenomenon, but it’s an effective one. Experts say that such malware was used as part of the Target data breach last year and the researchers at SpiderLabs said they’ve seen Backoff in a number of compromise investigations recently.