Last week, the US Computer Emergency Readiness Team (US-CERT) reported about a newly discovered malware, dubbed “Backoff”, which targets point-of-sale (PoS) systems. Similar to other PoS malware such as Dexter and Scraper, Backoff is also used to steal financial information for malicious purposes.
Based on our analysis, when Backoff is executed, it copies itself into %Application Data%\OracleJava\javaw.exe and launches the copy in %Application Data% with parameter -m <path_to_original_backoff>. This will terminate the original Backoff process and delete the initial copy of itself. We have seen the same installation technique used in the Alina family of PoS RAM-scraping malware. More details of its routines can be found in the US-CERT article. This entry, however, focuses on the scope and breadth of its infection.
We analyzed Backoff and discovered that it has multiple versions, ranging from 1.4 to 1.55. The 1.55 build has multiple versions as well, differentiated by nicknames such as “backoff”, “goo” and “MAY.” The “goo” version connects to three malicious domains that we cannot disclose just yet as we are still looking into them.
Checking with our internal data, we also saw that these domains communicated a lot with the affected IP addresses, with the first two domains getting hits from the US. The first domain alone has had more than 46,000 hits since June 14, 2014. Interestingly, we found less hits from June 28 to July 25, with only 52 unique IPs.
Figure 1. Number of hits on the malicious domain #1
The second domain, meanwhile, scored more than 59,000 hits since April 26, 2014, with the same decline in the number of hits from May 8 to June 2, with only 60 unique IPs this time.
Figure 2. Number of hits on the malicious domain #2
We also noticed an interesting pattern when we changed the time frame to one-week increments.
Figure 3. Decreasing pattern in the number of hits. Pattern is similar for both domains.
We saw a clear decrease in the hits during “dead hours”, specifically at 2:00 AM. The hits went back up at 10:00 AM. This follows typical business operating hours wherein PoS devices are in active use — the number of hits rises as business operating hours begin and drops as businesses close for the day. Looking at the week-by-week statistics, the last week of July alone registered more than 10,000 hits.
US as Top Target
What does this all mean, then? For one, it cements the fact that Backoff is a very active and persistent threat that has already infected a lot of point-of-sale devices. Based on our Smart Protection Network data, the top country that accessed the malicious domains is the United States. Clearly, the US market is a favored target for those behind Backoff. As such, we recommend that businesses in the US have their PoS devices analyzed and secured.
Figure 4. Heat map of malicious communications found in affected US states
PoS malware could be one of the many constants in life that we would have to deal with, like social engineering scams and mobile malware. Cybercriminals obviously see this as profitable, which was exemplified in data breach incidents in the retail industry in 2013. An old vulnerability residing in PoS systems was exploited in order to carry the said attacks, which resulted in the loss of credit and debit card information of at least 40 million customers. Also, cybercriminals have begun to cut middlemen out, as some are actually mass-manufacturing pre-compromised PoS devices. We need to stop viewing PoS devices as mere tools or gadgets but as systems that also require tight security.
Trend Micro protects users via its Smart Protection Network that blocks all malicious domains and detects this PoS malware as:
- TSPY_POSLOGR.A (version 1.55 also known as “goo”, “may”, “net”, etc.)
- TSPY_POSLOGR.B (version 1.4)
- TSPY_POSLOGR.C (known as “backoff”)
Below are the hashes of the malicious files discussed in this entry:
For more details about PoS malware in general, check out our whitepaper, Point-of-Sale System Breaches: Threats to the Retail and Hospitality Industries.