Backoff was used in the UPS breach, BlackPOS was used in the breach of Target, and FrameworkPOS was used in the attack on Home Depot.

Security firm Cyphort released a report on Tuesday that provides an in-depth analysis of point-of-sale (POS) malware – specifically Backoff, BlackPOS and FrameworkPOS – used in some of the biggest breaches in recent time.

Backoff was used in the UPS breach and is built for a serious attack on any POS system, with scaled and long-term operations in mind, Dr. Fengmin Gong, cofounder and chief architect of Cyphort, told SCMagazine.com in a Tuesday email correspondence.

“[Backoff is a] full-featured malware, starting with a runtime packer to frustrate static (signature) detection, it takes care to minimize artifacts left on the infiltrated system, with self-updating design and robust persistence, using encryption for its image on the disk, it includes attack payload [such as] keylogger in addition to memory scraping, a command-and-control featuring multiple servers and full set of commands,” Gong said.

BlackPOS was used in the breach of Target and is relatively unsophisticated, Gong said, explaining it has a rigid design for targeted POS system attacks, and uses memory scraping to harvest data with a fixed exfiltration mechanism. FrameworkPOS, which was used in the attack on Home Depot, is a copycat adaptation of BlackPOS with little innovation, Gong said.

Currently, Cyphort Labs does not have any data on who is behind these threats.

“We believe that FrameworkPOS is closely related to BlackPOS as it's a simple [copycat],” Gong said. “Backoff is likely now actively used and maintained by multiple groups. We suspect that they are used (shared or sold) as an SDK in the underground, because we have seen new samples in the wild suggesting small tweaks with different versions and group designations.”

In order to defend against these types of threats, retailers and other organizations need to start monitoring their POS system and subnet with a product that is able to provide visibility on all file movement in and out of the POS infrastructure, Gong said, adding it is critical that the product is able to detect evasive behaviors.

Attackers have a long history of profiting from stolen payment card information through fraudulent purchases, selling dumps in underground marketplaces and more, Gong said. In the future, POS malware will likely incorporate new armoring techniques, and may evolve so that memory scraping is no longer necessary for harvesting card data, Gong added.

“EMV is helpful in curbing the assault from the current POS malware that uses memory scraping to harvest card information from the POS machine,” Gong said, explaining attackers may change their strategy as a result.

“We have to start watching all points where malware can sneak in or take our data out; we have to be prepared to catch them at any and all the steps, when they try to [come in] using a vulnerability exploit, or a spear-phishing email, or try to send the stash out; we have to use all methods at our disposal, because they will try to evade us whichever way they can.”