by Hong Kei Chan  |  Aug 07, 2014  |  Filed in: Security Research

On July 31, 2014, the United States Computer Emergency Readiness Team (US-CERT) published an advisory on a newly identified point-of-sale (PoS) malware dubbed “Backoff”. This family of PoS malware consists of three versions: 1.44, 1.55, and the most recent 1.56. Backoff variants began to carry variant names starting from version 1.55 (which used the names backoff, goo, MAY, and net); version 1.56 uses the variant name LAST.

In this blog post, we will briefly look at an overview of the Backoff malware before discussing the unique memory-parsing techniques and command-and-control (C&C) communication of its latest version LAST.

Overview

The Backoff PoS malware performs a number of malicious functions:

  1. Drops a copy of itself to %AppData%\OracleJava\javaw.exe.
  2. Creates a mutex named nUndsa8301nskal to make sure that only one instance of itself is running.
  3. Creates the following registry keys:
       a. HKCU\Software\Microsoft\Windows\CurrentVersion\Run
            Windows NT Service = %AppData%\OracleJava\javaw.exe
       b. HKLM\Software\Microsoft\Windows\CurrentVersion\Run
            Windows NT Service = %AppData%\OracleJava\javaw.exe
       c. HKCU\Software\Microsoft\Active Setup\Installed Components\{B3DB0D62-B481-4929-888B-49F426C1A136}
            StubPath = %AppData%\OracleJava\javaw.exe
       d. HKLM\Software\Microsoft\Active Setup\Installed Components\{B3DB0D62-B481-4929-888B-49F426C1A136}
            StubPath = %AppData%\OracleJava\javaw.exe
  4. Creates three threads:
       a. Memory Parser: this thread searches the memory pages of running processes for credit card information. It is discussed in more detail in the next section.
       b. C&C Communicator: this thread handles all communication with the malware’s C&C server. It is also discussed in more detail below.
       c. Keylogger: this thread logs the user’s keystrokes to %AppData%\OracleJava\Log.txt.
  5. Injects malicious code into explorer.exe. This code implements the malware’s persistence mechanism, which restores the malware if its process is ever killed or its file is deleted.
       a. Prior to injection, an RC4-encoded image of the malware is dropped to %AppData%\nsskrnl.
       b. If explorer.exe detects that the malware is no longer running, %AppData%\nsskrnl is decrypted, written to %AppData%\winserv.exe, and then executed.


Memory Parser

In this blog post, we will spare the details of the entire memory-parsing mechanism and dive straight into Backoff's techniques for credit card extraction. Like most other PoS malware, Backoff contains a hardcoded list of seventeen processes that it skips when scanning. These processes are:

  • explorer.exe
  • lsass.exe
  • spoolsv.exe
  • mysqld.exe
  • services.exe
  • wmiprvse.exe
  • LogonUI.exe
  • taskhost.exe
  • wuauclt.exe
  • smss.exe
  • csrss.exe
  • winlogon.exe
  • alg.exe
  • iexplore.exe
  • firefox.exe
  • chrome.exe
  • devenv.exe

VirtualQueryEx is called to retrieve information about the pages of the target’s virtual address space; a page is dumped with ReadProcessMemory only if its protection attribute is PAGE_READWRITE. Each dumped page is then parsed to extract any credit card information.

Extracting Credit Card Information

Backoff has the ability to parse Track 1 and Track 2 data. The malware authors have implemented the Luhn algorithm to check the validity of the Primary Account Number (PAN). In this section, we discuss the unique features of Backoff's custom pattern matching algorithm.

In comparison to other families of PoS malware, Backoff’s custom algorithm is more sophisticated and has a number of sanity checks. In particular, unlike the other PoS malware encountered so far, Backoff also checks the Expiration date and the Service Code.

As shown in the figure below, the algorithm searches the memory page for the field separator ‘^’ or ‘=’ before checking the first and second digits of the PAN.

[Figure: the algorithm searches the memory page for the field separator ‘^’ or ‘=’ and then checks the first and second digits of the PAN]

From this first check, we know that the malware author is targeting all credit cards whose PAN either begins with ‘5’ or has ‘3’ as its second digit.

The following are other conditions for track data that must be met:

  1. The PAN must be sixteen digits in length.
  2. The PAN must pass the Luhn algorithm check.
  3. For Track 1 data, the Card Holder’s name must be capitalized.
  4. The expiration date must meet the conditions in the following formulas (Y1 and Y2 are the first and second digits of the year, and M1 and M2 are the first and second digits of the month):

     [Figure: expiration-date conditions expressed in terms of Y1, Y2, M1 and M2; the formulas appear only in the image]

  5. The second and third digits of the Service Code must be ‘01’.
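To make the acceptance criteria above concrete, here is an added Python example (not Backoff's code, nor Fortinet's) that applies the listed checks to constructed track strings and then scans a constructed buffer for candidates, the way one would test a DLP or detection rule against a memory dump. The candidate regex, the sample strings and the reading of "capitalized" as upper-case are my assumptions; the expiration-date formulas exist only in the figure and are not implemented.

```python
import re

# Constructed samples in ISO 7813 track layout (industry test PANs, not real card data).
SAMPLE_TRACK1 = "%B5105105105105100^DOE/JOHN^1805101000000000000?"
SAMPLE_TRACK2 = ";5105105105105100=1805101000000000?"
BAD_TRACK2 = ";4111111111111111=1805101000000000?"  # Luhn-valid, but neither '5' first nor '3' second
TRACK_RE = re.compile(rb"[%;]?B?\d{13,19}[\^=][^?\n]{0,80}\??")  # assumed candidate pattern

def luhn_ok(pan: str) -> bool:
    """Luhn mod-10 check over a digit string."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def matches_backoff_criteria(track: str) -> bool:
    """Apply the conditions listed above; the expiration-date formulas (image only) are not reproduced."""
    sep = "^" if "^" in track else "=" if "=" in track else None
    if sep is None:
        return False
    fields = track.strip("%;?").split(sep)
    pan = fields[0].lstrip("B")  # Track 1 carries the format code 'B' before the PAN
    if len(pan) != 16 or not pan.isdigit():
        return False
    if not (pan[0] == "5" or pan[1] == "3"):
        return False
    if not luhn_ok(pan):
        return False
    if sep == "^":  # Track 1: PAN ^ NAME ^ YYMM + service code + discretionary data
        if len(fields) < 3 or fields[1] != fields[1].upper():
            return False
        rest = fields[2]
    else:  # Track 2: PAN = YYMM + service code + discretionary data
        if len(fields) < 2:
            return False
        rest = fields[1]
    if len(rest) < 7 or not rest[:7].isdigit():
        return False
    return rest[5:7] == "01"  # second and third digits of the 3-digit service code

def scan_buffer(buf: bytes) -> list:
    """Return the track-like strings in a dumped buffer that pass every check above."""
    return [m.group().decode("latin-1") for m in TRACK_RE.finditer(buf)
            if matches_backoff_criteria(m.group().decode("latin-1"))]
```

Running scan_buffer over a buffer containing both samples keeps only the Track 1 string, since BAD_TRACK2 fails the first-digit check despite being Luhn-valid.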


C&C Communication

The infected machine communicates with the C&C server using the standard HTTP protocol. A POST request is sent to one of the C&C server URLs that are hardcoded in the malware body. This POST request allows new infected machines to register themselves and grab the latest C&C command.

The contents of the HTTP field-value pairs are described below:

Query string field   Field body
------------------   ----------
op                   Hardcoded value of ‘1’
id                   Seven-character string (randomly generated)
ui                   [User logon name] @ [Computer name]
wv                   Microsoft Windows version
gr                   Malware version name
bv                   Malware version number
data                 RC4- and Base64-encoded stolen credit card information or keylogged data


The figure below shows an example of credit card information being exfiltrated to the C&C server.

[Figure: TCP stream showing credit card information being exfiltrated to the C&C server]

As noted in the table above, the stolen credit card data is RC4-encrypted and then Base64-encoded. The RC4 key is derived from two of the query string fields (id and ui) and the hardcoded string “jhgtsd7fjmytkr”.

In the TCP Stream example above, the randomly generated seven-character string “PzvhwoI” (the field value of id) was generated by the malware and stored in the registry entry:

      HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\identifier

This string is retrieved and concatenated with the hardcoded string “jhgtsd7fjmytkr” and with the string “bot @ FTNT” (the field value of ui) before being hashed with an MD5 algorithm to produce the final RC4 encryption key.

     PZvhwoIjhgtsd7fjmytkrbot @ FTNT -> 988217ED4BE9b0E7f5D935B879B9EC6E
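As an added example (not the malware's code), here is a Python helper an analyst could use to decode the data field of a captured request: it derives the key from id, ui and the hardcoded string in the concatenation order shown above and reverses the RC4 and Base64 steps. It assumes the MD5 hex digest string itself is used as the RC4 key; the request body is constructed, with placeholder values for wv and a test PAN.

```python
import base64
import hashlib
from urllib.parse import parse_qs, quote

HARDCODED = "jhgtsd7fjmytkr"  # constant quoted in the post

def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA then PRGA); the same call encrypts and decrypts."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)

def derive_key(bot_id: str, ui: str) -> str:
    """MD5(id + hardcoded string + ui); the hex digest is used as the RC4 key (assumption)."""
    return hashlib.md5((bot_id + HARDCODED + ui).encode()).hexdigest()

def encode_data(bot_id: str, ui: str, plaintext: bytes) -> str:
    """Produce the 'data' field value: RC4 then Base64."""
    return base64.b64encode(rc4(derive_key(bot_id, ui).encode(), plaintext)).decode()

def decode_post_body(body: str) -> bytes:
    """Recover the stolen data from a captured POST body using only fields present in that body."""
    q = parse_qs(body)
    bot_id, ui = q["id"][0], q["ui"][0]
    return rc4(derive_key(bot_id, ui).encode(), base64.b64decode(q["data"][0]))

# Constructed capture: test PAN only; wv is a placeholder value.
SAMPLE_PLAINTEXT = b"%B5105105105105100^DOE/JOHN^1805101000000000000?"
SAMPLE_BODY = ("op=1&id=PZvhwoI&ui=" + quote("bot @ FTNT") + "&wv=6.1&gr=LAST&bv=1.56"
               + "&data=" + quote(encode_data("PZvhwoI", "bot @ FTNT", SAMPLE_PLAINTEXT), safe=""))
```

Because id is also persisted in the registry value named above, an analyst with the host image but no capture of the ui field can still rebuild the key from the logon and computer names.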

C&C Server Commands

The response from the C&C server can be one of six commands:

  1. “Update”: download and run the latest version.
       a. Parses the response for the URL from which the new update is to be downloaded.
       b. Downloads the file to %Temp%\[Random name].exe.
       c. Deletes the following registry entry:
            HKCU\Software\Microsoft\Windows\CurrentVersion\Run
              Windows NT Service = %AppData%\OracleJava\javaw.exe
       d. Terminates the running remote thread in explorer.exe.
       e. Releases the mutex.
       f. Executes the newly downloaded version.
  2. “Terminate”: terminate the running remote thread in explorer.exe.
  3. “Uninstall”
       a. Removes all files associated with Backoff.
       b. Deletes the following registry entry:
            HKCU\Software\Microsoft\Windows\CurrentVersion\Run
              Windows NT Service = %AppData%\OracleJava\javaw.exe
  4. “Download and Run”: download new malware and execute it.
       a. Parses the response for the URL from which the malware is to be downloaded.
       b. Downloads the file to %Temp%\[Random name].exe.
       c. Executes the downloaded malware.
  5. “Upload Keylogs”: upload keylogged data.
       a. Appends ‘.bku’ to the keylogger file ‘Log.txt’.
       b. RC4- and Base64-encodes the keylogged data and sends it to the C&C server.
  6. “Thanks!”: idle command from the C&C server.


Conclusion

This blog has briefly outlined the installation and unique attributes of the latest version of the Backoff PoS malware. We have described the memory-scraping and credit card extraction techniques along with the communication between the C&C server and the infected machines. To better protect yourself and your business, we suggest following the strategies found on the US-CERT website, and keeping your antivirus software up to date with the latest security updates.
