New Backoff Point-of-Sale Malware RAM Scraper

The U.S. Department of Homeland Security report that cyber criminlas using remote desktop applications to deploy the point-of-sale (PoS) Backoff malware to steal consumer payment data, including credit and debit card information, from businesses that use remote desktop applications.

According US-CERT cyber criminals using remote desktop tools like ;

  • Microsoft’s Remote Desktop
  • Apple Remote Desktop
  • Chrome Remote Desktop
  • Splashtop 2
  • Pulseway
  • LogMEIn
  • Join.Me

Cyber criminlas with Brutforce attacks and remote desktop ttttools access to systems and easily install the Backoff maleware RAM scapers and exfiltrate consumer payment data via an encrypted POST request or attract payment information from the memory at the time of transfers.

Why cybercriminals target at POS system?

Description Accrding US-CERT

“Backoff” is a family of PoS malware and has been discovered recently. The malware family has been witnessed on at least three separate forensic investigations. Researchers have identified three primary variants to the “Backoff” malware including 1.4, 1.55 (“backoff”, “goo”, “MAY”, “net”), and 1.56 (“LAST”).

These variations have been seen as far back as October 2013 and continue to operate as of July 2014. In total, the malware typically consists of the following four capabilities. An exception is the earliest witnessed variant (1.4) which does not include keylogging functionality. Additionally, 1.55 ‘net’ removed the explorer.exe injection component:

  • Scraping memory for track data
  • Logging keystrokes
  • Command & control (C2) communication
  • Injecting malicious stub into explorer.exe

The malicious stub that is injected into explorer.exe is responsible for persistence in the event the malicious executable crashes or is forcefully stopped. The malware is responsible for scraping memory from running processes on the victim machine and searching for track data. Keylogging functionality is also present in most recent variants of “Backoff”. Additionally, the malware has a C2 component that is responsible for uploading discovered data, updating the malware, downloading/executing further malware, and uninstalling the malware.