SecurityWeek

Cybercrime

RSA Report Dives Deep into Backoff PoS Malware

Researchers with EMC’s RSA Security Division have pulled back the covers from the Backoff malware in a new report.

The Backoff malware made a big splash in the world of cybercrime in 2014, emerging as one of the most notorious pieces of point-of-sale malware in the wild. In August, the U.S. Secret Service linked it to compromises at 1,000 U.S. businesses. It was also linked to attacks on Dairy Queen and the United Parcel Service (UPS).

The report details the malware's command-and-control infrastructure and how it operates. Perhaps more notably, it offers some indication that the attacker or attackers controlling the malware may be in India.

“While monitoring the main server of the Backoff Operation, we detected a few requests from someone accessing the C&C control panel,” according to the RSA report. “Tracing the IP address of the request led to a hosting server in the Netherlands, but at the same instance, his browser revealed the local time zone of his machine GMT+0530, which is unique for India Standard Time.”


In addition, while searching for additional Backoff samples, RSA encountered an unpacked sample on VirusTotal. The 'Submissions' tab showed that the binary had been uploaded from India under its original name, 'output.exe', "as if it was freshly created and output from the compiler," the report notes.

“The goal of Backoff is to identify and steal credit card and transaction data through traditional memory scraping mechanisms also seen in other POS malware such as Alina, BlackPOS and Dexter,” blogged Jason Rader, director of cyber threat intelligence for RSA. “As usual, the malware uploads collected data to a hardcoded C2 that can also command the malware to update itself or download and install other malware.”
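The memory-scraping approach Rader describes is simple at its core: walk process memory looking for magnetic-stripe track data or bare card numbers, and keep only candidates that pass the Luhn check so that random digit runs are discarded. The following Python scanner is an added example written for this article, not code from RSA's report or from Backoff itself; it runs over a constructed byte buffer standing in for a POS process dump and, unlike the malware, masks what it finds. The same logic is what a defender would run against a memory image to confirm whether card data was ever exposed in the clear on a suspect host.

```python
import re

# Constructed sample buffer standing in for a POS process memory dump (assumption:
# not a real capture). It holds two valid Track 2 records, one Luhn-valid bare PAN
# (4242...), and two 16-digit runs that fail the Luhn check.
SAMPLE_MEMORY = (
    b"\x00\x00hdr\x00;4111111111111111=25121010000012345678?\x00\x00"
    b"noise 1234567890123456 noise "
    b";5500000000000004=24061010000098765432?\x00"
    b"loose 4242424242424242 end 4111111111111112\x00"
)

# Track 2: ';' PAN (13-19 digits) '=' YYMM expiry, 3-digit service code,
# discretionary data, '?' end sentinel.
TRACK2_RE = re.compile(rb";(\d{13,19})=(\d{2})(\d{2})(\d{3})(\d*)\?")
# Bare PAN candidate: 13-19 digits not embedded in a longer digit run.
PAN_RE = re.compile(rb"(?<!\d)(\d{13,19})(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn (mod 10) check."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep the BIN (first 6) and last 4 digits; mask everything in between."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_buffer(buf: bytes) -> dict:
    """Find Track 2 records and bare PANs in buf, keeping only Luhn-valid hits."""
    tracks = []
    covered = []                # byte ranges already claimed by track records
    for m in TRACK2_RE.finditer(buf):
        pan, yy, mm, svc = (g.decode() for g in m.group(1, 2, 3, 4))
        if not luhn_ok(pan) or not (1 <= int(mm) <= 12):
            continue            # digit soup that merely looks like a track
        tracks.append({"pan": mask_pan(pan), "expiry": f"{yy}/{mm}", "service_code": svc})
        covered.append((m.start(), m.end()))

    pans = []
    for m in PAN_RE.finditer(buf):
        if any(s <= m.start() < e for s, e in covered):
            continue            # already reported as part of a track record
        pan = m.group(1).decode()
        if luhn_ok(pan):
            pans.append(mask_pan(pan))
    return {"track2": tracks, "bare_pans": pans}


if __name__ == "__main__":
    for kind, hits in scan_buffer(SAMPLE_MEMORY).items():
        print(kind, hits)
```

The Luhn filter is what separates a usable scraper (or a usable forensic scan) from a flood of false positives; the expiry-month check removes most of what slips past it. Track 1 records use a different layout (`%B` sentinel, name field) and would need a second pattern.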

In October, security firm Damballa reported that detections of Backoff jumped 57 percent from August to September. During the month of September alone, Backoff infections increased 27 percent.

According to RSA, most of the Backoff infections are in the United States.

“Almost every business or store has security camera surveillance since many business owners, managers wish to monitor their business and their workers, and of course, they want to be able to do so remotely,” according to the RSA report. “Evidently and certainly not accidentally, a fairly large number of the infected IP addresses had cam surveillance services exposed. Our assumption is that the fraudsters figured out that the combination of RDP service and cam surveillance service both exposed to the internet provides a fairly logical indication of a possible business, and therefore a proper target.”

RSA also noted in the report that, in addition to brute-force attacks on Remote Desktop Protocol (RDP) services, the attackers likely used other techniques, such as guessing default passwords on routers and camera-surveillance control panels and using known exploits against those services.
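Because the initial access described here is password guessing against internet-exposed RDP, the host's own Security log is usually the first place the intrusion is visible. The following Python detector is an added example for this article, not something from RSA's report; it runs over constructed lines in a simplified one-event-per-line export of Windows Security events (4625 = failed logon, 4624 = successful logon, LogonType 10 = RemoteInteractive) and raises an alert when one source IP accumulates a burst of failures, then a second, higher-priority alert if that same IP later logs on successfully. The line format, field names and the sample IPs are assumptions for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample export (assumption: simplified one-line-per-event format, not a
# real log). One source hammers several accounts and then gets in; another source
# fails twice an hour apart; a third logs on normally.
SAMPLE_EVENTS = """\
2014-09-03T02:14:05Z EventID=4625 LogonType=10 User=administrator SourceIP=203.0.113.7
2014-09-03T02:14:06Z EventID=4625 LogonType=10 User=administrator SourceIP=203.0.113.7
2014-09-03T02:14:08Z EventID=4625 LogonType=10 User=pos SourceIP=203.0.113.7
2014-09-03T02:14:09Z EventID=4625 LogonType=10 User=admin SourceIP=203.0.113.7
2014-09-03T02:14:11Z EventID=4625 LogonType=10 User=manager SourceIP=203.0.113.7
2014-09-03T02:14:12Z EventID=4625 LogonType=10 User=pos1 SourceIP=203.0.113.7
2014-09-03T02:15:40Z EventID=4624 LogonType=10 User=pos1 SourceIP=203.0.113.7
2014-09-03T02:20:00Z EventID=4625 LogonType=10 User=clerk SourceIP=198.51.100.9
2014-09-03T03:20:00Z EventID=4625 LogonType=10 User=clerk SourceIP=198.51.100.9
2014-09-03T08:00:00Z EventID=4624 LogonType=10 User=clerk SourceIP=192.0.2.10
"""

LINE_RE = re.compile(
    r"^(\S+) EventID=(\d+) LogonType=(\d+) User=(\S+) SourceIP=(\S+)$"
)


def parse_events(text: str):
    """Yield (timestamp, event_id, logon_type, user, source_ip) per well-formed line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                      # skip lines that do not fit the export format
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
        yield ts, int(m.group(2)), int(m.group(3)), m.group(4), m.group(5)


def detect_rdp_bruteforce(text: str, threshold: int = 5,
                          window: timedelta = timedelta(minutes=5),
                          rdp_logon_types: tuple = (10,)) -> list:
    """Sliding-window failure count per source IP, plus success-after-burst alerts.

    Returns a list of tuples in event order:
      ("bruteforce", ip, failures_in_window)
      ("success_after_bruteforce", ip, user)
    """
    failures = defaultdict(deque)         # ip -> timestamps of recent 4625 events
    flagged = set()
    alerts = []
    for ts, eid, ltype, user, ip in parse_events(text):
        if ltype not in rdp_logon_types:
            continue
        if eid == 4625:
            q = failures[ip]
            q.append(ts)
            while q and ts - q[0] > window:
                q.popleft()               # drop failures older than the window
            if len(q) >= threshold and ip not in flagged:
                flagged.add(ip)
                alerts.append(("bruteforce", ip, len(q)))
        elif eid == 4624 and ip in flagged:
            alerts.append(("success_after_bruteforce", ip, user))
    return alerts


if __name__ == "__main__":
    for alert in detect_rdp_bruteforce(SAMPLE_EVENTS):
        print(alert)
```

One caveat when deploying logic like this against real hosts: with Network Level Authentication enabled, failed RDP logons are recorded with LogonType 3 rather than 10, so the `rdp_logon_types` tuple needs to include 3 on those systems (at the cost of also counting SMB and other network logon failures from the same source).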

“The impact of a compromised POS system can affect both the businesses and consumers by exposing customer data such as names, mailing addresses, credit/debit card numbers, phone numbers, and email addresses to criminal elements,” according to the RSA report. “These breaches can impact the business brand and reputation, while consumer information can be used to make fraudulent purchases and potentially compromise customer bank accounts. It’s critical to safeguard your corporate networks and web servers to prevent any unnecessary exposure to compromise and to mitigate any damage that could be occurring now.”

Written By

Marketing professional with a background in journalism and a focus on IT security.