Security Experts:

New Version of Backoff PoS Malware Appears: Fortinet

Researchers at Fortinet said they have encountered a new version of the notorious Backoff malware targeting point-of-sale systems.

Backoff has been at the center of much of the data breach news this year. In August, the U.S. Secret Service estimated more than 1,000 businesses in the country had been infected.

According to Fortinet, unlike previous versions, the latest edition no longer uses a version number in the malware body. Instead, it uses the version name ROM. While it works very similarly to previous versions, changes have been made to make analysis and detection more difficult.

"During the installation phase," blogged Fortinet's Hong Kei Chan, "Backoff drops a copy of itself on the infected machine and creates a number of autorun registry entries to ensure persistence. This latest version is no different, but instead of disguising itself as a Java component as with previous versions, it pretends to be a media player with the file name mplayerc.exe."

"In addition, unlike previous versions where the CopyFileA API is called to drop a copy of itself, ROM calls the WinExec API," the researcher continued. "The command line used is shown in the following figure. To hinder the analysis process, the malware author utilizes a very common technique by replacing API names with the hashed values, and a custom hashing function is called to look up the API name with the equivalent hash value."

The malware's functionality for stealing credit card data is still very much the same and has the ability to parse for both Track 1 and Track 2 data. In this version however, the malware has two additional features: hashing the names of the blacklist processes and storing the stolen credit card information on the local system, the researcher noted.

Changes have also been made to components of the command-and-control (C&C) communication to avoid detection. The malware communicates with the C&C server via port 443, encrypting the traffic and making detection more difficult. The field names of the query string have also been changed, and the contents of some of the fields have additional Base64 encoding.  

"The stolen credit card data is still encoded with RC4 and Base64, but the algorithm for generating the RC4 key has been slightly modified," the researcher wrote. "Previously, the RC4 key was produced from three components: (1) a randomly generated seven-character string, (2) a hardcoded string, and (3) the user logon name and computer name (e.g. “bot @ FTNT”) that were concatenated and then hashed with an MD5 algorithm. In the new version, there is a slight modification in the concatenated strings."

The new version also no longer supports keylogging.

"The functions of ROM are very similar to the version preceding it, but modifications have been made by the malware author for evading detection and hindering the analysis process," the researcher noted.

view counter