20140822-Backoff

Backoff malware widespread

07/31/2014 US-CERT ALERT

The United States Computer Emergency Response Team prepared an alert in collaboration with the National Cybersecurity and Communications Integration Center (NCCIC), United States Secret Service (USSS), Financial Sector Information Sharing and Analysis Center (FS-ISAC), and Trustwave SpiderLabs, a trusted partner under contract with the USSS.

Overview
The alert provides relevant and actionable technical indicators for defense against the point-of-sale (POS) malware dubbed “Backoff”, which has been exploiting administrator accounts remotely and exporting consumer payment data over the past year. The Secret Service currently estimates that over 1,000 U.S. businesses are affected.

Crooks are using publicly available tools to find businesses using remote desktop applications such as Microsoft’s Remote Desktop, Apple Remote Desktop, Chrome Remote Desktop, Splashtop 2, and LogMeIn. Once these applications are located, the crooks gain access to accounts, often ones with administrator or other privileged access. With those privileged accounts they then deploy the POS malware, then collect and export confidential consumer payment data.
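
An added example (not part of the alert or of this page's source): a triage pass over exported Windows logon events that flags Remote Desktop logons arriving from outside the internal network and ranks privileged accounts highest. The key=value export format, the account names, host names and network ranges are assumptions made for the example; event ID 4624 with logon type 10 is the standard Windows record of a successful Remote Desktop logon.

```python
import ipaddress

# Assumptions for this example: export format, account names, network ranges.
PRIVILEGED = {"administrator", "admin", "posadmin"}
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "::1/128", "fc00::/7", "fe80::/10")]
LOGON_SUCCESS = "4624"       # Windows Security event: account logged on
REMOTE_INTERACTIVE = "10"    # logon type recorded for Remote Desktop sessions

def is_external(addr):
    """True when addr parses as an IP address outside every internal range."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False             # "-" or empty: no network source recorded
    return not any(ip in net for net in INTERNAL_NETS)

def parse(line):
    """Split one 'key=value key=value' line of the export into a dict."""
    return dict(field.split("=", 1) for field in line.split() if "=" in field)

def review(lines):
    """Return (severity, host, user, src) per Remote Desktop logon from outside."""
    findings = []
    for line in lines:
        ev = parse(line)
        if ev.get("id") != LOGON_SUCCESS or ev.get("type") != REMOTE_INTERACTIVE:
            continue
        src, user = ev.get("src", "-"), ev.get("user", "")
        if not is_external(src):
            continue
        account = user.rsplit("\\", 1)[-1].lower()   # drop any DOMAIN\ prefix
        severity = "high" if account in PRIVILEGED else "medium"
        findings.append((severity, ev.get("host", "?"), user, src))
    return sorted(findings)      # "high" sorts ahead of "medium"

# Constructed sample export (not real log data).
SAMPLE = [
    "host=POS-01 id=4624 type=10 user=Administrator src=203.0.113.7",
    "host=POS-01 id=4624 type=2 user=cashier1 src=-",
    "host=POS-02 id=4624 type=10 user=STORE\\posadmin src=10.20.0.5",
    "host=POS-03 id=4624 type=10 user=vendor src=198.51.100.23",
    "host=POS-04 id=4624 type=10 user=STORE\\Admin src=2001:db8::15",
]

if __name__ == "__main__":
    for finding in review(SAMPLE):
        print(*finding)
```

Any finding on a POS terminal is worth following up, since the terminal's remote desktop service should not be reachable from the internet in the first place.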

Description
Backoff is a group of malicious programs, plus variants, found in at least three separate forensic investigations. Some variants were seen in October 2013. The group typically consists of the following four capabilities:

Scraping memory for track data
Logging keystrokes (not included in variant 1.4)
Command & control (C2) communication
Injecting malicious stub into explorer.exe (not included in variant 1.55)

The infected explorer.exe provides for re-infection if the malicious program fails or is removed intentionally. On the victim machine the malware scrapes memory from running processes while searching for charge card track data. The C2 component transmits discovered data, updates the malware, and downloads and executes updated or additional malware.

8 Points

 
Backoff Has Been Active Since October 2013
Although the U.S. government issued a public advisory in July, it turns out that Backoff has been active since October 2013.

Impact is large
Initially, 600 businesses were thought to be at risk from Backoff, but that number has been revised upward to “at least” 1,000, according to US-CERT Alert TA14-212A.

Backoff Targets Windows POS
Trustwave’s Karl Sigler notes that Backoff works against any Microsoft Windows-based POS system.

Remote Desktop Software Is the Point of Entry
In most cases, the initial breach into a retailer’s POS system is via Remote Desktop Protocol (RDP) access.

Java Is an Indicator of Compromise
Sigler explained that in some cases, when the Backoff malware lands on a system, it is installed to an Oracle Java directory with an executable name of javaw.exe. He added that most POS systems typically don’t need to have Java.

Magnetic Stripe Credit Card Data Is Easily Stolen
One capability of Backoff is grabbing customer credit card data from magnetic stripe card swipes.

Backoff Has Keylogging Features
In addition to capturing swipe data, Backoff’s keylogging can capture manually entered card information and customer-supplied personal identification numbers (PINs) and passwords.

Backoff phones home
A system infected with Backoff can communicate stolen data back to a command and control host.

Adapted from eWeek
