Incident Response, Malware, TDR

New version of Backoff detected, malware variant dubbed ‘ROM’

Researchers have discovered a new variant of point-of-sale malware Backoff, which has picked up a number of new tricks to make it harder for analysts to analyze and detect.

Fortinet detailed the new findings in a Monday blog post authored by researcher Hong Kei Chan.

Backoff – malware that was confirmed to be on the systems of Dairy Queen last month, and which may have been responsible for breaches impacting Target and SUPERVALU – is estimated to have infected over 1,000 U.S. businesses, the Secret Service has said. An increase in Backoff infections this year also prompted the Payment Card Industry Security Standards Council (PCI SSC) to publish a bulletin urging merchants to contact their AV provider and ensure their software detects the malware.

Uncovered in late July, Backoff scrapes memory from running processes on targeted devices, and has therefore been planted on retailers' POS systems by criminals desiring to pilfer consumer card data.

According to Fortinet's Chan, the latest variant of Backoff, dubbed “ROM” (and detected as W32/Backoff.B!tr.spy), disguises itself as a media player file during installation.

“Backoff drops a copy of itself on the infected machine and creates a number of autorun registry entries to ensure persistence,” Chan said. “This latest version is no different, but instead of disguising itself as a Java component as with previous versions, it pretends to be a media player with the file name mplayerc.exe.”

The new variant ROM is also able to parse Track 1 and Track 2 card data as previous Backoff versions have, but has been updated to hash the names of the blacklist processes and store stolen credit card data on the local system, Chan wrote.In order to skirt detection, the ROM variant also communicates with its control hub (command-and-control server) over port 443 and encrypts traffic, he added.

“The stolen credit card data is still encoded with RC4 and Base64, but the algorithm for generating the RC4 key has been slightly modified,” Chan continued. 

“In the new version, there is a slight modification in the concatenated strings. In the figure…we can see that the bot now concatenates four components: (1) a hardcoded string, (2) the randomly generated seven-character string, (3) another hardcoded string, and (4) the user logon name and computer name," he explained.

Chan also noted that ROM does not support keylogging, a feature present is previous Backoff variants. Since keylogging is an “essential feature" of Backoff, however, researchers believe the malware author may “reintroduce” the capability in a later variant, he said.

Back in August, security firm Trustwave detected two Backoff variants, dubbed “Wed” and version “1.5,” which worked similar to an earlier version of the malware called “LAST.”

LAST was noted as injecting malicious stub into explorer.exe, so that Backoff could maintain persistence on affected devices if the executable crashes or is “forcefully stopped,” Trustwave said at the time. LAST also included support for multiple domain configurations, and uses modified code to create exfiltration threads for stealing card data, the firm shared.

As has been the standard recommendation, Fortinet advised users to look to US-CERT for Backoff defense strategies and steps, and to keep their AV updated as the number of variants continues to grow.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.