Skip to content ↓ | Skip to navigation ↓

Today, the U.S. Computer Emergency Readiness Team (US-CERT) released an advisory warning retailers of the discovery of malicious point-of-sale malware targeting businesses using various remote desktop applications.

The sophisticated malware, named “Backoff,” was found capable of stealthily surpassing detection of most types of anti-virus software.

“At the time of discovery and analysis, the malware variants had low to zero percent anti-virus detection rates, which means that fully updated anti-virus engines on fully patched computers could not identify the malware as malicious,” US-CERT reported.

The notice stated recent investigations revealed hackers used a variety of remote desktop applications to brute force the login feature, including:

  • Microsoft Remote Desktop
  • Apple Remote Desktop
  • Chrome Remote Desktop
  • Splashtop 2
  • Pulseway
  • LogMEIn Join.Me

“Backoff” is a family PoS malware seen in at least three separate forensic investigations dating as far back as October of 2013 and continuing to operate today.

Researchers found that the malware typically consisted of scraping memory for track data, keylogging, command and control (C2) communication and injecting malicious stub into explorer.exe, among other variants.

The advisory also warned of the potential impact for both businesses and consumers by exposing customer names, mailing addresses, credit/debit card numbers, phone numbers, and email addresses.

Tripwire security researcher Ken Westin commented, “Criminal syndicates are increasingly targeting U.S. retailers, because they are easy targets and it is profitable. Retailers can look forward to more sophisticated tools, more aggressive techniques and more successful intrusions from these groups as they become more organized and resourced.”

The US-CERT team urges retailers to implement the necessary cautionary actions, “It is critical to safeguard your corporate networks and web servers to prevent any unnecessary exposure to compromise or to mitigate any damage that could be occurring now.”

Tripwire’s Vulnerability and Exposure Research Team (VERT) recommends the presence of these remote desktop tools should be identified and regularly monitored, as well as ensuring that strong passwords and/or two-factor authentication are enabled.

Software security solutions, such as Tripwire IP360 and SecureScan, are designed to detect various remote desktop applications, including Microsoft Remote Desktop, Apple Remote Desktop (within VNC/RFB), Dameware MiniRemote Control and pcAnywhere.

Read the full advisory here.