Malware was detected prior to July 31 through signatures for other threats

Aug 26, 2014 11:51 GMT

Although only recently discovered and analyzed, the Backoff malware for payment systems has been found to have at least eight variants.

The differences observed by security researchers relate to the installation path, registry entries and values, and the command and control (C&C) servers contacted for instructions.

An analysis from Symantec shows that the malware strains create multiple registry entries, all designed to launch the threat when the computer starts.

Another sign of a Backoff infection is the presence of a file in the Application Data folder whose name consists of 12 random characters, generated from the number of milliseconds elapsed since the computer was started. An entry for this file may also be added to the Windows Registry.

Backoff was first flagged by US-CERT (United States Computer Emergency Readiness Team) on July 31, which reported that the new PoS malware had been operating since at least October 2013, largely undetected by antivirus products, with low to zero chances of being caught.

From October last year until a dedicated detection was created on August 1, Symantec says, its products picked up the threat only through signatures written for other malware.

According to the security company’s telemetry data, most of the infections were recorded in the United States and Canada, but Backoff has also been observed on systems located in the UK and Poland.

It is unclear if the existence of multiple variants means that more than one operator is responsible for the recent wave of infections affecting businesses in the US.

Last week, shipping company UPS announced that Backoff had been collecting credit and debit card information from payment systems in 51 of its locations between January 20 and August 11, 2014. The company was alerted to the threat by a government bulletin.

Another business, Mizado Cocina restaurant, also notified its customers that the same threat lurked on its payment systems and exfiltrated financial data of about 8,000 individuals between May 9 and July 18, 2014.

A recent advisory from the Department of Homeland Security (DHS) reports that more than 1,000 businesses have been impacted, with seven PoS providers/vendors having confirmed that their clients reported network intrusions connected to Backoff.

Backoff reaches the affected device through brute-force attacks on the login feature of remote desktop software products; the attackers find exposed targets by running wide scans for the Remote Desktop Protocol (RDP).

The technique used for extracting financial information is called memory (RAM) scraping and consists of searching the RAM of the compromised system for card track data, which is briefly held in cleartext by the PoS software while a swipe is processed.
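The same search a scraper performs is also what an incident responder runs over a memory dump from a suspected PoS host to confirm that track data was exposed. The script below is an added example, not code from the article or from any of the vendors it cites; it matches the ISO/IEC 7813 Track 2 layout, discards Luhn-invalid digit runs, and reports only masked PANs. The sample buffer is constructed, using the standard 4111... test card number.

```python
"""Forensic scan of a memory dump for magnetic-stripe Track 2 data.

Added example (not from the article). Sample buffer is constructed.
"""
import re
from dataclasses import dataclass

# Track 2 layout: ';' PAN(13-19 digits) '=' YYMM service-code(3) discretionary '?'
TRACK2_RE = re.compile(rb";(\d{13,19})=(\d{4})(\d{3})(\d*)\?")


def luhn_valid(pan: str) -> bool:
    """Luhn mod-10 check; filters out digit runs that merely look like a PAN."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep BIN and last four only, so the report itself is not a new leak."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


@dataclass
class Track2Hit:
    offset: int        # byte offset of the start sentinel in the dump
    masked_pan: str
    expiry: str        # YYMM
    service_code: str


def scan_memory(buf: bytes) -> list[Track2Hit]:
    """Return every Luhn-valid Track 2 record found in a raw memory buffer."""
    hits = []
    for m in TRACK2_RE.finditer(buf):
        pan = m.group(1).decode()
        if not luhn_valid(pan):
            continue
        hits.append(Track2Hit(m.start(), mask_pan(pan),
                              m.group(2).decode(), m.group(3).decode()))
    return hits


# Constructed dump: padding, one real-looking track (test PAN 4111...1111),
# one lookalike that fails Luhn, and an unrelated PE header fragment.
SAMPLE_DUMP = (b"\x00" * 16 + b"swipe:;4111111111111111=25121011234567890?\x00"
               + b"junk;4111111111111112=2512101000?\x00" + b"MZ\x90\x00")

if __name__ == "__main__":
    for h in scan_memory(SAMPLE_DUMP):
        print(f"offset {h.offset}: PAN {h.masked_pan} exp {h.expiry} svc {h.service_code}")
```

On a real dump the offsets point at the owning process region, which is the first clue to which PoS component exposed the data.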

“Attackers relied on insecure networks that could be penetrated through brute force attacks via remote desktop applications. Once in, the Backoff malware, which was invisible to antivirus products, could start burying itself into the system and wait for the next card swipe into the PoS computer,” said Jerome Segura of Malwarebytes via email.

“In addition to keeping their PoS systems updated and running security solutions such as antivirus and anti-malware, companies need to review their remote access policies, segregate their networks and have network traffic tools to detect potential data exfiltration,” he recommends.

Joe Schumacher, senior security consultant at Neohapsis Labs, agrees with Segura as far as network segregation is concerned and says that isolating networks, or placing secure layers between trusted and untrusted environments, is a good proactive approach to securing the business.