Skip to content ↓ | Skip to navigation ↓

A new variant of the point-of-sale malware Backoff was recently discovered by researchers, who warned its modifications make the malicious program now even harder to detect and analyze.

Security firm Fortinet disclosed the findings in a blog post, stating Backoff and its variants continue to be an active threat to businesses.

“During the installation phase, Backoff drops a copy of itself on the infected machine and creates a number of autorun registry entries to ensure persistence,” said AntiVirus Analyst Hong Kei Chan.

“This latest version is no different, but instead of disguising itself as a Java component as with previous versions, it pretends to be a media player with the file name mplayerc.exe.”

Apart from ROM’s capability to scrape memory from point-of-sale devices, the malware author has added two extra features. According to Chan, the latest version is now also capable of hashing the names of the blacklist processes, and storing the stolen credit card information on the local system.

Additionally, the new variant has modified its components of the C&C communication to further avoid detection by communicating with the C&C server through port 443 and encrypting the traffic.

Researchers noted the new version no longer supports keylogging, yet expect the “essential” feature to be reintroduced in a later version.

The Department of Homeland security issued an advisory in August reporting nearly 1,000 businesses had been affected by Backoff, including Dairy Queen, UPS Stores, Supervalu and Target.

Although the malware family was recently discovered in late July, various forensic investigations revealed the malicious program may have been active as early as October 2013.

“This is a great example of the Spy vs. Spy game,” said Lamar Bailey, director of Tripwire’s Vulnerability and Exposure Research Team (VERT). “When a piece of malware or virus is detected and security vendors releases detection, protection and removal code, the hackers work on evasions to get past the security products.”

It’s not uncommon for this process to go back and forth for long periods, added Bailey, stating, “I expect to see hundreds, if not thousands, of variants for Backoff over the next few years because having malware on a PoS system continues to have very high value for the attackers.”

Users are urged to follow the solutions outlined by US-CERT and maintain AV systems up-to-date to stay protected against malware attacks.

Read More Here…