US-CERT Warns of New Backoff Malware

The Department of Homeland Security’s U.S. Computer Emergency Readiness Team (US-CERT), in collaboration with Trustwave SpiderLabs, FS-ISAC and the U.S. Secret Service, recently issued an alert warning of new malware called Backoff, which specifically targets point-of-sale (PoS) systems.

According to the US-CERT advisory, attackers are launching brute force attacks to log into remote desktop solutions such as Microsoft Remote Desktop, Apple Remote Desktop, Chrome Remote Desktop, Splashtop and Pulseway, and are then using those solutions to infect PoS systems with Backoff malware.
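The initial access path the advisory describes (password guessing against an exposed remote desktop service, followed by a successful logon from the same source) is detectable from ordinary authentication logs. The following Python script is an added example, not code from the article or from the US-CERT alert; it runs over a handful of constructed log lines in a simplified key=value shape, and the field names, hosts and addresses are assumptions for illustration. It flags a source that accumulates a threshold of failed remote-interactive logons against one host inside a short window, and then separately flags a later success from that same source, which is the pattern worth escalating on a PoS network.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample authentication events (not real telemetry). The shape is
# an assumption: one event per line, Windows-style event IDs (4625 = failed
# logon, 4624 = successful logon) and logon type 10 = RemoteInteractive (RDP).
SAMPLE_LOG = """\
2014-07-31T02:14:01 host=pos-01 event=4625 logon_type=10 user=admin src=203.0.113.7
2014-07-31T02:14:03 host=pos-01 event=4625 logon_type=10 user=administrator src=203.0.113.7
2014-07-31T02:14:05 host=pos-01 event=4625 logon_type=10 user=pos src=203.0.113.7
2014-07-31T02:14:08 host=pos-01 event=4625 logon_type=10 user=manager src=203.0.113.7
2014-07-31T02:14:11 host=pos-01 event=4625 logon_type=10 user=backup src=203.0.113.7
2014-07-31T02:14:12 host=pos-01 event=4625 logon_type=10 user=admin1 src=203.0.113.7
2014-07-31T02:14:40 host=pos-01 event=4624 logon_type=10 user=pos src=203.0.113.7
2014-07-31T02:20:00 host=pos-02 event=4625 logon_type=10 user=clerk src=192.0.2.10
2014-07-31T02:21:00 host=pos-02 event=4625 logon_type=2 user=clerk src=-
2014-07-31T02:25:00 host=pos-02 event=4624 logon_type=10 user=vendor src=198.51.100.5
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) event=(?P<event>\d+) "
    r"logon_type=(?P<ltype>\d+) user=(?P<user>\S+) src=(?P<src>\S+)$"
)

REMOTE_INTERACTIVE = "10"  # only remote desktop logons are of interest here


def parse(line):
    """Parse one constructed log line into a dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    return rec


def detect_bruteforce(lines, threshold=5, window_seconds=60):
    """Return alerts for remote-desktop password guessing and for a later success.

    A burst alert fires once per (source, host) pair when `threshold` failed
    remote-interactive logons fall inside a sliding window of `window_seconds`.
    A success alert fires for any later successful remote-interactive logon
    from a source that already produced a burst against that host.
    """
    recent_failures = defaultdict(deque)  # (src, host) -> timestamps in window
    burst_seen = set()
    alerts = []
    for line in lines:
        rec = parse(line)
        if rec is None or rec["ltype"] != REMOTE_INTERACTIVE:
            continue  # skip unparseable lines and local/console logons
        key = (rec["src"], rec["host"])
        if rec["event"] == "4625":
            q = recent_failures[key]
            q.append(rec["ts"])
            # Drop failures that fell out of the sliding window.
            while q and (rec["ts"] - q[0]) > timedelta(seconds=window_seconds):
                q.popleft()
            if len(q) >= threshold and key not in burst_seen:
                burst_seen.add(key)
                alerts.append({"type": "rdp_bruteforce", "src": rec["src"],
                               "host": rec["host"], "failures": len(q),
                               "ts": rec["ts"]})
        elif rec["event"] == "4624" and key in burst_seen:
            alerts.append({"type": "success_after_bruteforce", "src": rec["src"],
                           "host": rec["host"], "user": rec["user"],
                           "ts": rec["ts"]})
    return alerts


if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_LOG.splitlines()):
        print(alert)
```

The single failure from 192.0.2.10 and the console logon on pos-02 produce nothing, so the output is one burst alert for 203.0.113.7 against pos-01 followed by one success alert for the same pair. In practice the window and threshold should be tuned to the expected logon volume of each PoS host, and the success-after-burst alert is the one that should page someone, because it marks the moment a guessed password became a foothold.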

The malware was first seen in operation in October 2013. “At the time of discovery and analysis, the malware variants had low to zero percent anti-virus detection rates, which means that fully updated anti-virus engines on fully patched computers could not identify the malware as malicious,” the advisory states.

Once installed, Backoff scrapes memory for track data, logs keystrokes, communicates with a command and control server to upload stolen data and download additional malware, and injects a malicious stub into explorer.exe. The malicious stub is responsible for persistence if the malware crashes or is stopped.

“The Backoff point-of-sale malware has multiple components which aren’t overly sophisticated, but it does try to hide itself on affected systems and also maintain persistence if the machine was restarted,” Malwarebytes senior security researcher Jerome Segura noted by email.

“The impact of a compromised PoS system can affect both the businesses and consumer by exposing customer data such as names, mailing addresses, credit/debit card numbers, phone numbers, and e-mail addresses to criminal elements,” the US-CERT alert states.

Trustwave threat intelligence manager Karl Sigler told SC Magazine that the Backoff malware has already been leveraged to compromise almost 600 businesses across the U.S.

According to the New York Times, the malware was behind several recent high-profile breaches, including those at Target, P.F. Chang’s, Neiman Marcus, Sally Beauty Supply and Goodwill Industries.

An extensive list of recommended actions for risk mitigation, from requiring two-factor authentication for remote desktop access to segregating payment processing networks from other networks, is included in the US-CERT alert.

Neohapsis security consultant Joe Schumacher said by email that organizations seeking to limit the risk of compromise by Backoff malware should educate employees and provide an approved method for remote access. “Companies should also perform network scans to see if systems have specific ports enabled to provide the remote access services, then follow up to turn off the service,” he said.

“If a small organization must rely on a third party for remote access services, then trust within the industry should be examined, along with security features that can be enabled for protection,” Schumacher added.

Jeff Goldman
Jeff Goldman has been a technology journalist for more than 20 years and an eSecurity Planet contributor since 2009.
