New Variant of Backoff Malware Tougher to Detect

The new Backoff variant ROM has tweaks that help the malware better evade detection and hinder the analysis process.

A new and more fine-tuned version of the Backoff point of sale malware known as ROM has been spotted in the wild, according to researchers.

While the latest iteration is similar to the preceding version, ROM has tweaks that help the malware better evade detection and hinder the analysis process, according to Fortinet, which described it in depth in a blog post on Monday.

ROM, whose technical detection term is W32/Backoff.B!tr.spy, doesn’t use a version number in the malware body.

Also, unlike previous Backoff versions, ROM doesn’t disguise itself as a Java component, but instead, a media player under the name mplaterc.exe. After copying itself to the infected machine it calls on an API, WinExec. The API replaces names with hashed values in order to thwart analysis process.

Hong Kei Chan, a junior antivirus analyst with the firm said that like Backoff, ROM can extract Track 1 and Track 2 data from PoS terminals, and that it has a sophisticated approach when it comes to parsing that information.

“Like the previous version, ROM ignores certain processes from being parsed, but instead of simply comparing the process name against its hardcoded blacklist in plaintext, it now uses a table of hashed values,” Chan wrote.

In addition to hashing the blacklist processes, the malware also stores the stolen card information, which is encrypted with not one but two hard-coded strings, locally on the system. The new malware has also been spotted communicating with its command and control server over an encrypted port 443, something that Chan points out makes detection much more difficult.

Dairy Queen announced that Backoff hit nearly 400 of its locations just last month and that it was able to wrest away customers’ payment card numbers, expiration dates and customer names. When researchers at Kaspersky Lab sinkholed two of the malware’s C&C servers in August, and estimated that there were more than 1,000 infections in the U.S., they claimed their findings painted a “very bleak picture of the state of point-of-sale security.”

Initially dug up in August by Trustwave the malware has a handful of traits, including data theft, exfiltration, memory scraping, injection and something that’s oddly absent from ROM, keylogging.

Suggested articles

Cyberattackers Put the Pedal to the Medal: Podcast

Fortinet’s Derek Manky discusses the exponential increase in the speed that attackers weaponize fresh vulnerabilities, where botnets and offensive automation fit in, and the ramifications for security teams.