Backoff PoS malware becomes stealthier, more difficult to analyze

Waterfall Security: Trust issues with your firewalls? Eliminating vulnerabilities that accompany firewalls is a click away.

The Backoff Point-of-Sale RAM scraper malware has become even more difficult to detect and analyze, warns Fortinet researcher Hong Kei Chan.

Even after the US DHS and US CERT warned about the hard-to-spot malware back in August, and a number of breaches were found to be executed by criminals wielding it, Backoff infections are still on the rise.

Fortinet researchers have recently managed to get their hands on a new Backoff variant that shows that its authors haven’t been idle. This version also does not have a version number, but has been given the name Backoff ROM.

Compared to the older versions, Backoff ROM disguises itself as as a media player (mplayerc.exe) instead of a Java component in the autorun registry entries.

“In addition, unlike previous versions where the CopyFileA API is called to drop a copy of itself, ROM calls the WinExec API,” the researcher explained. “To hinder the analysis process, the malware author utilizes a very common technique by replacing API names with the hashed values, and a custom hashing function is called to look up the API name with the equivalent hash value.”

ROM also uses a hashed blacklist of processes that it’s meant to ignore (29 in total).

The scraped payment card data is now stored in encrypted form on the device, in a file named Locale.dat. Before contacting its C&C server, ROM will first check if the file in question can be found. If it’s there, it will be decrypted and included in the POST request sent to the server via port 443.

Traffic between the malware and the C&C server is also encrypted, and the way the server responds with new commands for the malware has been simplified.

It’s also interesting to note that, for whatever reason, this new Backoff version does not have keylogging capabilities. But, the researchers believe that this is only a temporary change that will be reversed in newer versions.

In fact, as they have found an even newer version of the malware only a few days ago, the change might already have been made.