TrendLabs Security Intelligence Blog

New PoS Malware “Backoff” Targets US

  • Posted on: August 6, 2014 at 4:05 am
  • Posted in: Malware
  • Author: Trend Micro

Last week, the US Computer Emergency Readiness Team (US-CERT) reported on a newly discovered malware family, dubbed “Backoff”, that targets point-of-sale (PoS) systems. Like other PoS malware families such as Dexter and Scraper, Backoff is used to steal payment card data from infected terminals.

Based on our analysis, when Backoff is executed it copies itself to %Application Data%\OracleJava\javaw.exe and launches that copy with the parameter -m <path_to_original_backoff>. The new process then terminates the original Backoff process and deletes the file it was launched from, so that only the copy masquerading as a Java executable remains. We have seen the same installation technique in the Alina family of PoS RAM-scraping malware. More details on its routines can be found in the US-CERT article; this entry focuses instead on the scope and breadth of its infection.
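The relocation behaviour above is easy to hunt for on the terminal itself. The following is an added example, not code from Trend Micro or US-CERT: it scores process-creation events for a javaw.exe running from the per-user Application Data directory under an OracleJava folder, launched with "-m <path>", whose parent process is the file named in that path. The event records, their field names (pid, image, cmdline, parent_image) and the list of "legitimate" Java install directories are constructed for the example and are assumptions, not a real product schema.

```python
"""Host-side check for the Backoff-style self-relocation described above.

Added example, not Trend Micro's or US-CERT's code. Event dicts and their
field names are an assumption about the telemetry format.
"""
import ntpath
import re

# Where a legitimate Java runtime is normally installed (assumption; extend for your fleet).
JAVA_INSTALL_DIRS = ("\\program files\\java\\", "\\program files (x86)\\java\\")
# Per-user, user-writable profile locations (XP-era and Vista+ names).
USER_WRITABLE_MARKERS = ("\\application data\\", "\\appdata\\")
# "-m <path>" with or without quotes around the path.
MIGRATE_ARG = re.compile(r'(?:^|\s)-m\s+(?:"([^"]+)"|(\S+))', re.IGNORECASE)


def norm(path):
    """Normalise a Windows path for comparison (separators, case)."""
    return ntpath.normpath(path).lower()


def is_javaw_outside_java_install(image):
    """javaw.exe is only expected under the Java installation directory."""
    p = norm(image)
    return ntpath.basename(p) == "javaw.exe" and not any(d in p for d in JAVA_INSTALL_DIRS)


def extract_migrate_target(cmdline):
    """Return the path passed after -m, or None if the flag is absent."""
    m = MIGRATE_ARG.search(cmdline)
    return (m.group(1) or m.group(2)) if m else None


def indicators(event):
    """List the Backoff-installation indicators present in one process event."""
    found = []
    image = norm(event["image"])
    if is_javaw_outside_java_install(image):
        found.append("javaw_outside_java_install")
    if image.endswith("\\oraclejava\\javaw.exe") and any(m in image for m in USER_WRITABLE_MARKERS):
        found.append("appdata_oraclejava_path")
    target = extract_migrate_target(event["cmdline"])
    if target is not None:
        found.append("migrate_arg")
        # The copy is launched by the original, so its parent should be the -m path.
        if norm(target) == norm(event["parent_image"]):
            found.append("parent_is_migrate_source")
    return found


def scan(events, threshold=2):
    """Return {pid: indicators} for events matching at least `threshold` indicators.

    A single indicator (a JDK 9+ "-m module" launch, or a vendor bundling its
    own javaw.exe) is too weak on its own; requiring two cuts that noise.
    """
    flagged = {}
    for event in events:
        found = indicators(event)
        if len(found) >= threshold:
            flagged[event["pid"]] = found
    return flagged


# Constructed sample telemetry: one benign Java launch, one Backoff-style
# relocation, and one javaw.exe in a vendor folder that should not be flagged alone.
SAMPLE_EVENTS = [
    {"pid": 1001,
     "image": r"C:\Program Files\Java\jre7\bin\javaw.exe",
     "cmdline": r'"C:\Program Files\Java\jre7\bin\javaw.exe" -jar C:\pos\register.jar',
     "parent_image": r"C:\Windows\explorer.exe"},
    {"pid": 1002,
     "image": r"C:\Documents and Settings\pos\Application Data\OracleJava\javaw.exe",
     "cmdline": (r'"C:\Documents and Settings\pos\Application Data\OracleJava\javaw.exe" '
                 r'-m "C:\Documents and Settings\pos\Local Settings\Temp\setup.exe"'),
     "parent_image": r"C:\Documents and Settings\pos\Local Settings\Temp\setup.exe"},
    {"pid": 1003,
     "image": r"C:\Users\pos\AppData\Roaming\VendorTool\javaw.exe",
     "cmdline": r"javaw.exe -jar C:\pos\report.jar",
     "parent_image": r"C:\Windows\explorer.exe"},
]

if __name__ == "__main__":
    for pid, found in scan(SAMPLE_EVENTS).items():
        print(pid, ", ".join(found))
```

Run against the sample, only pid 1002 is reported, with all four indicators. The threshold matters: on a fleet where the PoS vendor ships its own javaw.exe, the path indicator alone fires constantly, while the combination of a user-writable path plus "-m" pointing at the parent process is specific to the installation sequence described in the text.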

We analyzed Backoff samples and found multiple versions, ranging from 1.4 to 1.55. The 1.55 build itself has several variants, differentiated by nicknames such as “backoff”, “goo” and “MAY”. The “goo” variant connects to three malicious domains that we cannot disclose yet, as we are still looking into them.

Connection Patterns

Checking our internal data, we saw heavy traffic between these domains and the affected IP addresses, with the first two domains receiving hits from the US. The first domain alone has received more than 46,000 hits since June 14, 2014. Interestingly, we saw fewer hits from June 28 to July 25, with only 52 unique IPs in that period.

Figure 1. Number of hits on malicious domain #1

The second domain, meanwhile, recorded more than 59,000 hits since April 26, 2014, with a similar decline from May 8 to June 2, during which only 60 unique IPs were seen.

Figure 2. Number of hits on malicious domain #2

We also noticed an interesting pattern when we changed the time frame to one-week increments.

Figure 3. Decreasing pattern in the number of hits. The pattern is similar for both domains.

We saw a clear decrease in hits during “dead hours”, bottoming out at around 2:00 AM, with hits climbing again at 10:00 AM. This follows typical business operating hours, during which PoS devices are in active use: the number of hits rises as stores open and drops as they close for the day. Since the dip tracks local business hours, the hourly hit count is effectively a proxy for how many infected terminals are powered on at that hour. Looking at the week-by-week statistics, the last week of July alone registered more than 10,000 hits.
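The three views used above (hits per hour of day, unique source IPs in a date window, and hits per week) are straightforward to reproduce on one's own C&C sinkhole or proxy logs. The block below is an added example, not Trend Micro's code or data: the hit records are constructed from a per-hour activity profile that mimics a store open from 10:00 to 22:00, repeated over 14 days, with source addresses drawn from the documentation range 198.51.100.0/24. It assumes timestamps are already in the victims' local time zone; on real telemetry convert them first, or the "dead hours" shift by the UTC offset.

```python
"""Diurnal beaconing analysis of C&C hits, as described in the post.

Added example with constructed data, not Trend Micro's code or telemetry.
"""
from collections import Counter
from datetime import date, datetime, timedelta

# Hits per hour of day for one infected terminal (constructed profile):
# 00-01h: 2, 02-09h: 1 (closed), 10-21h: 5 (open), 22-23h: 3 (closing).
HOURLY_PROFILE = [2, 2] + [1] * 8 + [5] * 12 + [3] * 2
IP_POOL = [f"198.51.100.{k}" for k in range(1, 41)]


def build_sample(days=14, start=datetime(2014, 7, 14)):
    """Generate (timestamp, source_ip) records following HOURLY_PROFILE."""
    records = []
    for d in range(days):
        for hour, n in enumerate(HOURLY_PROFILE):
            for i in range(n):
                ts = start + timedelta(days=d, hours=hour, minutes=7 * i)
                # Rotate the address so the set of "infected IPs" drifts slowly over time.
                records.append((ts, IP_POOL[(d + hour) % len(IP_POOL)]))
    return records


def hits_by_hour(records):
    """Total hits per hour of day (0-23), the view behind Figure 3."""
    return Counter(ts.hour for ts, _ in records)


def quiet_hours(by_hour, ratio=0.25):
    """Hours whose hit count is below `ratio` of the busiest hour."""
    peak = max(by_hour.values())
    return {hour for hour, n in by_hour.items() if n < ratio * peak}


def activity_window(by_hour, ratio=0.25):
    """(first quiet hour, first active hour after the quiet block).

    Assumes a single contiguous quiet block that does not wrap past midnight,
    which is what the business-hours pattern in the text looks like.
    """
    quiet = quiet_hours(by_hour, ratio)
    return min(quiet), (max(quiet) + 1) % 24


def unique_ips(records, start_iso, end_iso):
    """Distinct source IPs seen between two ISO dates, inclusive."""
    start, end = date.fromisoformat(start_iso), date.fromisoformat(end_iso)
    return len({ip for ts, ip in records if start <= ts.date() <= end})


def weekly_hits(records):
    """Hits per ISO (year, week): the one-week increments used in the post."""
    return Counter(tuple(ts.isocalendar()[:2]) for ts, _ in records)


SAMPLE_HITS = build_sample()

if __name__ == "__main__":
    by_hour = hits_by_hour(SAMPLE_HITS)
    print("quiet from %02d:00, active again at %02d:00" % activity_window(by_hour))
    print("unique IPs, first week:", unique_ips(SAMPLE_HITS, "2014-07-14", "2014-07-20"))
    for week, n in sorted(weekly_hits(SAMPLE_HITS).items()):
        print(week, n)
```

On the constructed data the quiet block runs from 02:00 to 09:00 and activity resumes at 10:00, matching the shape described above. Note that total hits and unique IPs answer different questions: a falling hit count with a stable IP set means the same terminals are beaconing less (or the sinkhole is missing traffic), while a falling unique-IP count means infections are actually being cleaned up or going offline.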

US as Top Target

What does this all mean? For one, it confirms that Backoff is a very active and persistent threat that has already infected a large number of point-of-sale devices. Based on our Smart Protection Network data, the country with the most connections to the malicious domains is the United States, so the US market is clearly a favored target for those behind Backoff. We recommend that businesses in the US have their PoS devices examined and secured.

Figure 4. Heat map of malicious communications found in affected US states

PoS malware may be one of the constants we have to deal with, like social engineering scams and mobile malware. Cybercriminals clearly see it as profitable, as the 2013 data breaches in the retail industry showed: an old vulnerability in PoS systems was exploited to carry out those attacks, resulting in the loss of credit and debit card information of at least 40 million customers. Cybercriminals have also begun to cut out middlemen, with some mass-producing pre-compromised PoS devices. PoS devices need to be treated not as mere tools or gadgets but as systems that require tight security.

Trend Micro protects users via its Smart Protection Network, which blocks the malicious domains and detects this PoS malware as:

  • TSPY_POSLOGR.A (version 1.55, also known as “goo”, “may”, “net”, etc.)
  • TSPY_POSLOGR.B (version 1.4)
  • TSPY_POSLOGR.C (known as “backoff”)

Below are the MD5 hashes of the malicious files discussed in this entry:

  • 0607CE9793EEA0A42819957528D92B02
  • 12C9C0BC18FDF98189457A9D112EEBFC
  • 17E1173F6FC7E920405F8DBDE8C9ECAC
  • 21E61EB9F5C1E1226F9D69CBFD1BF61B
  • 927AE15DBF549BD60EDCDEAFB49B829E
  • F5B4786C28CCF43E569CB21A6122A97E

For more details about PoS malware in general, check out our whitepaper, Point-of-Sale System Breaches:  Threats to the Retail and Hospitality Industries.

Tags: Alina, Backoff, Dexter, POS malware, United States

  • Copyright © Trend Micro Incorporated. All rights reserved.