A few months have passed since the release of the “Backoff” point-of-sale (PoS) malware advisory, but Backoff and other PoS malware continue to be an active threat as businesses keep reporting data breaches and the compromise of their customers’ financial information.
We have recently encountered a new version of the Backoff malware family, which we are detecting as W32/Backoff.B!tr.spy. Unlike previous versions, this one no longer uses a version number in the malware body, but just uses the version name ROM. ROM performs very similarly to Backoff’s previous versions, but modifications have been made to make analysis more difficult and to avoid detection.
In this blog post, we will describe the changes made in this newest version of the Backoff malware family.
During the installation phase, Backoff drops a copy of itself on the infected machine and creates a number of autorun registry entries to ensure persistence. This latest version is no different, but instead of disguising itself as a Java component as with previous versions, it pretends to be a media player with the file name mplayerc.exe.
In addition, unlike previous versions where the CopyFileA API is called to drop a copy of itself, ROM calls the WinExec API. The command line used is shown in the following figure.
To hinder the analysis process, the malware author utilizes a very common technique by replacing API names with the hashed values, and a custom hashing function is called to look up the API name with the equivalent hash value.
ROM’s credit card extracting functionality is still very much the same, with its ability to parse for both Track 1 and Track 2 data. In this version, however, the malware author has added two extra features: (1) hashing the names of the blacklist processes, and (2) storing the stolen credit card information on the local system.
Like the previous version, ROM skips certain processes when parsing memory, but instead of comparing each process name against a hardcoded plaintext blacklist, it now compares a hash of the name against a table of hashed values.
The blacklist hash table is as follows:
Along with the processes identified in the above figure, ROM has a total of 29 processes in its blacklist. Some additional hashes are listed below:
- 0x0BF1 : Explorer
- 0x310A : Svchost
- 0x0125 : System
- 0x3434 : Alg
- 0x0CC6 : Smss
- 0x352E : Csrss
- 0x0CED : Winlogon
- 0x0388 : Devenv
- 0x0364 : Services
- 0x3F26 : Lsass
- 0x3F85 : Wuauclt
- 0x3616 : Spoolsv
The second addition to ROM’s memory parser is the storage of the encrypted stolen credit card information in the file %AppData%\Media Player Classic\Locale.dat. The figure below shows the encryption routine: a simple XOR operation with the single byte 0x2E.
Before checking in with the command-and-control (C&C) server, ROM will first check if Locale.dat can be found. If so, it first decrypts this file and includes it in the POST request.
Modifications have been made to components of the C&C communication to avoid detection. ROM communicates with the C&C server over port 443 and encrypts the traffic, which makes detection more difficult.
The field names of the query string have also been changed, and the contents of some of the fields have additional Base64 encoding. The table below reflects the changes made to the POST request.
The stolen credit card data is still encoded with RC4 and Base64, but the algorithm for generating the RC4 key has been slightly modified. Previously, the RC4 key was produced from three components: (1) a randomly generated seven-character string, (2) a hardcoded string, and (3) the user logon name and computer name (e.g. “bot @ FTNT”), which were concatenated and then hashed with MD5.
Example: PZvhwoIjhgtsd7fjmytkrbot @ FTNT -> 988217ED4BE9b0E7f5D935B879B9EC6E
In the new version, there is a slight modification in the concatenated strings. In the figure below, we can see that the bot now concatenates four components: (1) a hardcoded string, (2) the randomly generated seven-character string, (3) another hardcoded string, and (4) the user logon name and computer name.
The MD5 hash of the concatenated string is then generated using the CryptHashData API call and converted to lowercase before becoming the RC4 key that is used to encrypt the stolen credit card information.
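To make the two storage and transport formats described above concrete for an analyst working from a captured Locale.dat or a captured POST body, the following Python is an added example, not code from the Fortinet post or from the malware itself. It implements the single-byte XOR (0x2E) used for Locale.dat and the RC4/Base64 field encoding with the four-component key schedule (concatenate, MD5, lowercase hex). The hardcoded strings, the random seven-character string, the “bot @ FTNT” style identity and the track data are constructed placeholders; the real hardcoded strings are not given in the post.

```python
"""Added example: decode ROM's Locale.dat cache and its RC4/Base64 card field.
Hardcoded strings, random string and sample track data are constructed."""
import base64
import hashlib

XOR_KEY = 0x2E  # single-byte XOR key reported for Locale.dat

# Constructed sample: Track 2-style text as it would sit in Locale.dat after XOR.
# 4111111111111111 is the well-known Visa test number, not a real card.
SAMPLE_TRACK = b";4111111111111111=25121010000012345678?"
SAMPLE_LOCALE_DAT = bytes(b ^ XOR_KEY for b in SAMPLE_TRACK)


def decode_locale_dat(blob: bytes) -> bytes:
    """XOR is its own inverse, so the same operation encrypts and decrypts."""
    return bytes(b ^ XOR_KEY for b in blob)


def derive_rc4_key(hardcoded1: str, rand7: str, hardcoded2: str, user_at_host: str) -> str:
    """Key schedule as described for ROM: concatenate (hardcoded, random 7 chars,
    hardcoded, 'user @ host'), MD5 the result, and lowercase the hex digest.
    The lowercase hex string itself is then used as the RC4 key."""
    if len(rand7) != 7:
        raise ValueError("ROM uses a seven-character random string")
    material = (hardcoded1 + rand7 + hardcoded2 + user_at_host).encode()
    return hashlib.md5(material).hexdigest().lower()


def rc4(key: bytes, data: bytes) -> bytes:
    """Textbook RC4 (KSA + PRGA). Symmetric: the same call decrypts."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def encode_card_field(key_hex: str, plaintext: bytes) -> str:
    """RC4 then Base64, the order the post reports for the POST field."""
    return base64.b64encode(rc4(key_hex.encode(), plaintext)).decode()


def decode_card_field(key_hex: str, field: str) -> bytes:
    """Inverse of encode_card_field: Base64-decode, then RC4 with the same key."""
    return rc4(key_hex.encode(), base64.b64decode(field))


def demo() -> bytes:
    """Walk the full path: recover Locale.dat, derive the key, decode the field."""
    cached = decode_locale_dat(SAMPLE_LOCALE_DAT)
    # Placeholder components; the real hardcoded strings are not public here.
    key = derive_rc4_key("HARDCODED1", "PZvhwoI", "HARDCODED2", "bot @ FTNT")
    field = encode_card_field(key, cached)          # what the bot would send
    return decode_card_field(key, field)            # what the analyst recovers


if __name__ == "__main__":
    print(demo().decode())
```

Because RC4 and single-byte XOR are both symmetric, the same two routines serve for reconstructing the bot's output and for decoding captured material; the only unknowns an analyst must supply are the two hardcoded strings and the per-infection random string.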
C&C Server Commands
In addition to the modification to the POST request, the response from the C&C server has also been modified. Previously, the C&C server could respond with one of six commands: ‘Update’, ‘Terminate’, ‘Uninstall’, ‘Download and Run’, ‘Upload Keylogs’, and ‘Thanks!’.
ROM has removed the strings associated with each command, and instead checks for a response of a single byte. The table below reflects this change.
As noted in the previous section, the ‘Upload Keylogs’ command is no longer valid. This is because this new version of the Backoff malware no longer supports keylogging. As this was an essential feature of the Backoff malware, we suspect that it may be reintroduced in a later version.
This blog has outlined the differences of the latest version of the Backoff PoS malware, ROM. The functions of ROM are very similar to the version preceding it, but modifications have been made by the malware author for evading detection and hindering the analysis process.
In order to be protected from this malware, we recommend that users follow the solutions outlined on the US-CERT website, which include continuously maintaining your antivirus software with the latest security updates.
Update: We have recently found a newer version of Backoff on October 28, 2014. We are currently analyzing the sample, and will report on the modifications and new features soon.