by RSS Hong Kei Chan  |  Nov 06, 2014  |  Filed in: Security Research

On October 28, 2014, we encountered an even newer version of the Backoff point-of-sale (PoS) malware which we are detecting as W32/Backoff.C!tr.spy. This newest version, with version name 211G1, was compiled close to a month after its predecessor ROM. Functionality-wise, 211G1 is very similar to ROM. An in-depth description of ROM can be found in our previous post.

In this blog post, we will describe the modifications made in the newest version of the Backoff PoS malware family.


Firstly, 211G1 is now packed with a custom packer; the image will be mapped back to its original base address before continuing its execution. Like the API hashing function and the blacklist process name hashing function described in the previous post, using a custom packer is yet another attempt to hinder the analysis process.

As mentioned in the previous post, ROM disguises itself as a media player with the file name mplayer.exe. In the latest 211G1 version, the dropped file is still in the user’s Application Data folder, but the folder and the file name is randomly selected from a list. The list of possible folder and file names are shown in the following figure.


Persistence Technique

In our initial post on the Backoff PoS family, we outlined the persistence technique used to ensure that Backoff’s execution is restored in the event that the process is never killed or the application is deleted.

In that persistence technique, malicious code would be injected into explorer.exe to monitor the malware and an encrypted image of the malware would be dropped on the local system under the name %AppData%\nsskrnl, or %AppData%\settings.ini, in the case of the ROM version.

In 211G1, the malware authors have replaced the Windows Explorer injection with the spawning of a new instance of the malware. The malware now calls CreateProcessA with the command line shown in the following figure.


This newly spawned instance of 211G1 is responsible for monitoring the parent process. A combination of OpenProcess and WaitForSingleObject API calls are used to detect the termination of the parent process which will start the restoration of the malware. The code snippet for this functionality is shown in the following figure.



This blog post has described the updates made to the Backoff PoS malware, ROM. We are observing that the malware authors are continuing to modify their malware binaries in their efforts to bypass detection, and to hinder the analysis process.

We recommend that users continue to maintain updated anti-virus software to better protect themselves from ongoing threats.

by RSS Hong Kei Chan  |  Nov 06, 2014  |  Filed in: Security Research