Threat actors brute-force remote desktop login credentials

Aug 1, 2014 07:55 GMT

An advisory published by the US CERT (Computer Emergency Response Team) warns of a new malware family with low to zero antivirus detection that exfiltrates payment information from PoS systems.

The malware has been called “Backoff” and it has been observed in multiple forensic investigations, with three main variations operating since at least October 2013; CERT notes that the threat persists as of July 2014.

To plant the malware on PoS systems, the threat actors first locate remote desktop applications by scanning for the remote desktop protocol (RDP) and then brute-force the login credentials.
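The intrusion path described above, RDP credential brute-forcing, is what a PoS operator would want to detect in Windows Security logs. The following is an added example (not part of the advisory or this article) working on constructed log records: it flags source IPs with a burst of failed RemoteInteractive logons inside a sliding time window and notes whether a logon from the same source later succeeded, which is the case that needs immediate investigation.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample (not from the advisory): Windows Security events flattened to
# "timestamp|EventID|LogonType|TargetUser|SourceIP"; 4625 = failed, 4624 = success, type 10 = RDP.
SAMPLE_LOG = """\
2014-07-30T02:14:01|4625|10|POS01\\administrator|203.0.113.7
2014-07-30T02:14:03|4625|10|POS01\\administrator|203.0.113.7
2014-07-30T02:14:06|4625|10|POS01\\pos|203.0.113.7
2014-07-30T02:14:09|4625|10|POS01\\admin|203.0.113.7
2014-07-30T02:16:40|4624|10|POS01\\administrator|203.0.113.7
2014-07-30T08:00:10|4625|10|POS01\\clerk|198.51.100.20
2014-07-30T08:00:25|4624|10|POS01\\clerk|198.51.100.20
2014-07-30T09:00:00|4625|10|POS01\\clerk|192.0.2.5
2014-07-30T09:15:00|4625|10|POS01\\clerk|192.0.2.5
2014-07-30T09:30:00|4625|10|POS01\\clerk|192.0.2.5
2014-07-30T09:45:00|4625|10|POS01\\clerk|192.0.2.5
"""
RECORD = re.compile(r"^(\S+)\|(\d+)\|(\d+)\|([^|]*)\|(\S+)$")

def parse_records(text):
    """Yield (timestamp, event_id, logon_type, user, source_ip); malformed lines are skipped."""
    for line in text.splitlines():
        m = RECORD.match(line.strip())
        if m:
            ts, eid, ltype, user, ip = m.groups()
            yield datetime.fromisoformat(ts), int(eid), int(ltype), user, ip

def detect_rdp_bruteforce(text, threshold=4, window=timedelta(minutes=5)):
    """Flag each source IP with >= threshold RDP (type 10) failed logons inside any sliding window.
    Returns {ip: {"failures": total, "users": usernames tried, "success_after": bool}}."""
    failures, users, successes = defaultdict(list), defaultdict(set), defaultdict(list)
    for ts, eid, ltype, user, ip in sorted(parse_records(text)):
        if eid == 4625 and ltype == 10:       # RemoteInteractive failure
            failures[ip].append(ts)
            users[ip].add(user)
        elif eid == 4624 and ltype == 10:     # RemoteInteractive success
            successes[ip].append(ts)
    alerts = {}
    for ip, stamps in failures.items():
        start = 0
        for end, ts in enumerate(stamps):     # two-pointer sliding window over sorted timestamps
            while ts - stamps[start] > window:
                start += 1
            if end - start + 1 >= threshold:  # burst found; did a logon then succeed from this IP?
                alerts[ip] = {"failures": len(stamps), "users": users[ip],
                              "success_after": any(s >= ts for s in successes[ip])}
                break
    return alerts
```

With the sample data only 203.0.113.7 is flagged: the single clerk typo and the four failures spread over 45 minutes from 192.0.2.5 stay below the five-minute window threshold.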

CERT’s advisory was prepared in cooperation with the Secret Service and researchers at Trustwave SpiderLabs, who provided a detailed technical analysis of the threat.

Security researchers say that when launched, the latest variant of Backoff seeks to remove all previous versions of itself, terminating their processes and deleting the associated files.

The financial information is extracted from the affected PoS system through memory scraping, which consists of scanning the system memory for specific information (in this case, card track data).

Apart from this function, Backoff also integrates a keystroke logging component, communication with a remote command and control (C&C) server, and the ability to inject a malicious stub into explorer.exe for persistence (added in the latest version).

Communication with the C&C server is used not only for uploading information from the affected system, but also for updating the malware to a new version, uninstalling it, or downloading and executing other malicious files.

Through Backoff, threat actors can obtain data that would allow them to clone customer cards and use them to empty the victims’ bank accounts.

CERT notes that, “at the time this advisory is released, the variants of the ‘Backoff’ malware family are largely undetected by anti-virus (AV) vendors. However, shortly following the publication of this technical analysis, AV companies will quickly begin detecting the existing variants.”

Josh Grunzweig of Trustwave’s SpiderLabs says that none of the techniques used by the malware are revolutionary, but this does not make it any less of a threat.

Jerome Segura of Malwarebytes agrees on both the commonness of the techniques used to steal the data and the damage that can be done. “The Backoff Point-of-Sale malware has multiple components which aren't overly sophisticated but it does try to hide itself on affected systems and also maintain persistence if the machine was restarted,” he said via email.

Lowering the risk of compromise by this malware can be achieved through educating employees and adopting “an approved method for remote access,” believes Neohapsis security consultant Joe Schumacher.