Incident Response, Malware, TDR

New variants of POS malware ‘Backoff’ found as infections expand

A security firm that worked with the government to identify point-of-sale (POS) malware, called “Backoff,” has detected two new variants of the threat.

On Monday, Karl Sigler, threat intelligence manager at Trustwave told SCMagazine.com that Backoff has grown to encompass variants similar to “LAST,” or version 1.56, the latest version of the threat.

Uncovered in late July, the malware scrapes memory from running processes on targeted devices and has been planted on retailers' POS systems so criminals can pilfer consumers' card data. The new Backoff variants, dubbed “Wed” and version “1.57” were discovered in the wild within the “past couple of weeks,” Sigler said.

“The variants seem to be very similar to LAST, so any existing detections [for the malware] should work just fine,” Sigler added.

The variant LAST was noted as injecting malicious stub into explorer.exe, so that Backoff could maintain persistence on affected devices if the executable crashes or is “forcefully stopped,” Trustwave revealed in an overview of the malware. LAST also includes support for multiple domain configurations, and uses modified code to create exfiltration threads for stealing card data, Trustwave said.

The news comes soon after the Department of Homeland Security (DHS) released an advisory Friday, which was first publicized by The New York Times, revealing that over 1,000 U.S. businesses have been infected with the malware. It is believed that Backoff may have been responsible for breaches impacting Target, as well as those more recently disclosed by UPS and SUPERVALU.

“Reporting continues on additional compromised locations, involving private sector entities of all sizes, and the Secret Service currently estimates that over 1,000 U.S. businesses are affected,” the advisory said.

The tally of victims grew from nearly 600 businesses that were said to be impacted in late July by the U.S. Computer Emergency Readiness Team (US-CERT). To date, DHS said that seven POS vendors had confirmed that they “had multiple clients affected” by Backoff.

Last week, a New Orleans restaurant Mizado Cocina revealed that its POS devices had been compromised by Backoff malware, an incident that may have impacted roughly 8,000 customers who used payment cards at the establishment between May 9 and July 18.

In its alert, DHS said that Backoff has likely struck many more businesses which are still unaware of compromise.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.