
Trojan Backoff: A new point-of-sale threat emerges

Created: 25 Aug 2014 18:21:25 GMT • Updated: 26 Aug 2014 10:09:40 GMT • Translations available: 日本語, Español

A recently discovered point-of-sale (PoS) threat known as Trojan.Backoff has affected more than 1,000 US businesses and is capable of stealing credit and debit card information from infected terminals. The threat posed by Backoff has prompted the US Department of Homeland Security to issue an advisory, encouraging all organizations, regardless of size, to check their equipment for PoS malware infections.

The warning follows an earlier bulletin from US-CERT on July 31, which said that seven PoS system providers and vendors had confirmed that they have had multiple clients affected by the malware. After receiving further information on compromised locations, the Secret Service now estimates that over 1,000 US businesses have been affected and the infections involved private sector entities of all sizes. At least two recently reported retail security breaches are believed to have been caused by Backoff infections.

Homeland Security said Backoff was first detected in October 2013 but was not recognized by antivirus software solutions until August 2014. Symantec created the detection for Backoff on August 1. Prior to the creation of this detection, samples of the malware had been detected by other Symantec signatures since October 2013; that is, samples were not specifically detected as Backoff prior to August 1, 2014.

Symantec telemetry indicates that the majority of infections occurred in the US and Canada, with a smaller number of infections occurring in the UK and Poland.

Indicators of compromise

Symantec is aware of eight distinct variants of Backoff, including one identified as recently as July 31. The variants differ in the malware's file path, the registry entries and values it creates, and the command-and-control (C&C) servers it contacts. Due to ongoing investigations, we cannot publish details on C&C servers or any URLs that the attackers are using.

Symantec has detected samples of Backoff with the following MD5 file hashes:

  • 01f0d20a1a32e535b950428f5b5d6e72
  • 05f2c7675ff5cda1bee6a168bdbecac0
  • 0607ce9793eea0a42819957528d92b02
  • 0ca02ff545ecc2ca90f21d5475313c66
  • 12c9c0bc18fdf98189457a9d112eebfc
  • 17e1173f6fc7e920405f8dbde8c9ecac
  • 30c5592a133137a84f61898993e513db
  • 337058dca8e6cbcb0bc02a85c823a003
  • 38e8ed887e725339615b28e60f3271e4
  • 3ff0f444ef4196f2a47a16eeec506e93
  • 4956cf9ddd905ac3258f9605cf85332b
  • 5cdc9d5998635e2b91c0324465c6018f
  • 684e03daaffa02ffecd6c7747ffa030e
  • 6a0e49c5e332df3af78823ca4a655ae8
  • 821ac2580843cb0c0f4baff57db8962e
  • 842e903b955e134ae281d09a467e420a
  • 874cd0b7b22ae1521fd0a7d405d6fa12
  • 8a019351b0b145ee3abe097922f0d4f6
  • 97fa64dfaa27d4b236e4a76417ab51c1
  • aa68ecf6f097ffb01c981f09a21aef32
  • b08d4847c370f79af006d113b3d8f6cf
  • b1661862db623e05a2694c483dce6e91
  • bbe534abcc0a907f3c18cfe207a5dfca
  • c0d0b7ffaec38de642bf6ff6971f4f9e
  • c61442478ca3686cfe6bbf9289425bca
  • cc640ad87befba89b440edca9ae5d235
  • d0c74483f20c608a0a89c5ba05c2197f
  • d0f3bf7abbe65b91434905b6955203fe
  • d1d544dbf6b3867d758a5e7e7c3554bf
  • ea0c354f61ba0d88a422721caefad394
  • f5b4786c28ccf43e569cb21a6122a97e
  • fc041bda43a3067a0836dca2e6093c25
  • ffe53fb9280bf3a8ceb366997488486e
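The list above is only useful if it is actually checked against the files on a terminal. The following is an added example, not Symantec's code: a small Python sweep that streams every file under a directory through MD5 and reports any whose digest is in the advisory's hash set. The hash set is copied from the list above; the temporary directory, the constructed sample files and the one extra hash added inside `demo()` are assumptions made here so the matcher can be exercised without real malware.

```python
"""Sweep a directory tree for files whose MD5 matches the Backoff hash list above.

Added example for this advisory; it is not Symantec's code. The hash set is the
list published above; the directory, sample files and extra hash in demo() are
constructed here purely to exercise the matcher.
"""
import hashlib
import os
import tempfile
from typing import Dict, Set, Tuple

# MD5 hashes of Backoff samples, as listed in the advisory (33 entries).
BACKOFF_MD5: Set[str] = {
    "01f0d20a1a32e535b950428f5b5d6e72", "05f2c7675ff5cda1bee6a168bdbecac0",
    "0607ce9793eea0a42819957528d92b02", "0ca02ff545ecc2ca90f21d5475313c66",
    "12c9c0bc18fdf98189457a9d112eebfc", "17e1173f6fc7e920405f8dbde8c9ecac",
    "30c5592a133137a84f61898993e513db", "337058dca8e6cbcb0bc02a85c823a003",
    "38e8ed887e725339615b28e60f3271e4", "3ff0f444ef4196f2a47a16eeec506e93",
    "4956cf9ddd905ac3258f9605cf85332b", "5cdc9d5998635e2b91c0324465c6018f",
    "684e03daaffa02ffecd6c7747ffa030e", "6a0e49c5e332df3af78823ca4a655ae8",
    "821ac2580843cb0c0f4baff57db8962e", "842e903b955e134ae281d09a467e420a",
    "874cd0b7b22ae1521fd0a7d405d6fa12", "8a019351b0b145ee3abe097922f0d4f6",
    "97fa64dfaa27d4b236e4a76417ab51c1", "aa68ecf6f097ffb01c981f09a21aef32",
    "b08d4847c370f79af006d113b3d8f6cf", "b1661862db623e05a2694c483dce6e91",
    "bbe534abcc0a907f3c18cfe207a5dfca", "c0d0b7ffaec38de642bf6ff6971f4f9e",
    "c61442478ca3686cfe6bbf9289425bca", "cc640ad87befba89b440edca9ae5d235",
    "d0c74483f20c608a0a89c5ba05c2197f", "d0f3bf7abbe65b91434905b6955203fe",
    "d1d544dbf6b3867d758a5e7e7c3554bf", "ea0c354f61ba0d88a422721caefad394",
    "f5b4786c28ccf43e569cb21a6122a97e", "fc041bda43a3067a0836dca2e6093c25",
    "ffe53fb9280bf3a8ceb366997488486e",
}


def md5_of_file(path: str, chunk_size: int = 1 << 20) -> str:
    """Stream the file through MD5 so large files are not read into memory at once."""
    digest = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def sweep(root: str, ioc_hashes: Set[str] = BACKOFF_MD5) -> Dict[str, str]:
    """Walk `root` and return {path: md5} for each file whose hash is in the IoC set.

    Files that cannot be opened (locked, permission denied) are skipped so one
    unreadable file does not abort the whole sweep; log them separately in practice.
    """
    hits: Dict[str, str] = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                digest = md5_of_file(path)
            except OSError:
                continue
            if digest in ioc_hashes:
                hits[path] = digest
    return hits


def demo() -> Tuple[str, Dict[str, str]]:
    """Build a throwaway tree of constructed files and sweep it.

    None of the constructed files is malware, so their hashes are not in the
    advisory's list; the hash of one of them is added to the IoC set here only
    to show a positive match. Returns (root, hits).
    """
    root = tempfile.mkdtemp(prefix="backoff_sweep_")
    flagged = os.path.join(root, "OracleJava", "javaw.exe")  # name mirrors a drop path above
    os.makedirs(os.path.dirname(flagged))
    payload = b"constructed sample bytes, not a real binary"
    with open(flagged, "wb") as fh:
        fh.write(payload)
    with open(os.path.join(root, "readme.txt"), "wb") as fh:
        fh.write(b"benign content")
    iocs = BACKOFF_MD5 | {hashlib.md5(payload).hexdigest()}
    return root, sweep(root, iocs)


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "."
    for path, digest in sweep(target).items():
        print(f"MATCH {digest} {path}")
```

Run it as `python sweep.py "C:\Documents and Settings"` on a terminal to cover the drop locations listed later in the advisory. Hash matching only catches the known samples; a repacked variant will have a new MD5, so treat a clean sweep as absence of known samples, not as absence of infection.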

When executed, Trojan.Backoff may create some of the following registry entries so that it runs when Windows starts:

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"Windows NT Service"="%UserProfile%\Application Data\AdobeFlashPlayer\mswinhost.exe"
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"Windows NT Service"="%UserProfile%\Application Data\AdobeFlashPlayer\mswinsvc.exe"
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"Windows NT Service"="%UserProfile%\Application Data\OracleJava\javaw.exe"
  • HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\"Windows NT Service"="%UserProfile%\Application Data\OracleJava\javaw.exe"

It may also create the following registry entry:

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\"identifier"="[7 RANDOM CHARACTERS]"

The random characters are created using the number of milliseconds since the computer started as the seed for the random character generation. The strings may look like the following examples:

  • “QxgarTc”
  • “VsOGixC”

Backoff will copy itself to one of the following locations:

  • %UserProfile%\Application Data\AdobeFlashPlayer\mswinsvc.exe
  • %UserProfile%\Application Data\OracleJava\javaw.exe
  • C:\Documents and Settings\All Users\Application Data\OracleJava\javaw.exe

The malware will usually install a single file on the victim’s computer. The file name will be in the following format:

"C:\Documents and Settings\All Users\Application Data\[12 RANDOM CHARACTERS]"

Again, as with registry values, the random characters are created using the number of milliseconds since the computer started as the seed for the random character generation.

In some instances the threat will also install additional files. Additional file names logged to date are:

  • %Temp%\TsGSQyhhweBf.exe
  • %UserProfile%\Application Data\AdobeFlashPlayer\Log.txt
  • %UserProfile%\Application Data\AdobeFlashPlayer\Log.txt.bku
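The registry entries, the seven-character "identifier" value and the file paths above are the host-side indicators a responder would check after a hash sweep. The following is an added example, not Symantec's code, that matches them against a `reg export` text dump and a list of file paths. It assumes the standard `.reg` export layout (`[key]` headers followed by `"name"="value"` lines with doubled backslashes), treats the identifier as seven alphanumeric characters (the advisory shows letters only), and assumes the 12-character drop file has no extension, as written above. The registry dump and path list embedded in the block are constructed sample data, not captures from an infected terminal.

```python
"""Match registry values and file paths against the Backoff persistence indicators above.

Added example for this advisory; not Symantec's code. SAMPLE_REG_EXPORT and
SAMPLE_PATHS are constructed here to exercise the matchers.
"""
import re
from typing import Dict, List

# Registry indicators quoted from the advisory (keys compared case-insensitively).
RUN_KEYS = {
    r"hkey_current_user\software\microsoft\windows\currentversion\run",
    r"hkey_local_machine\software\microsoft\windows\currentversion\run",
}
RUN_VALUE_NAME = "Windows NT Service"
RUN_VALUE_TAILS = (
    r"\adobeflashplayer\mswinhost.exe",
    r"\adobeflashplayer\mswinsvc.exe",
    r"\oraclejava\javaw.exe",
)
IDENTIFIER_KEY = r"hkey_current_user\software\microsoft\windows\currentversion"
# Assumption: seven alphanumerics; the advisory's examples ("QxgarTc") are letters only.
IDENTIFIER_RE = re.compile(r"^[A-Za-z0-9]{7}$")

# File indicators quoted from the advisory, matched on the path tail.
FILE_TAILS = (
    r"\adobeflashplayer\mswinsvc.exe",
    r"\oraclejava\javaw.exe",
    r"\adobeflashplayer\log.txt",
    r"\adobeflashplayer\log.txt.bku",
    r"\tsgsqyhhwebf.exe",
)
# Assumption: the 12-character drop name has no extension, as written in the advisory.
RANDOM_DROP_RE = re.compile(
    r"^C:\\Documents and Settings\\All Users\\Application Data\\[A-Za-z0-9]{12}$", re.IGNORECASE
)
_REG_VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Parse [key] / "name"="value" lines of a `reg export` dump into {key: {name: value}}.

    Only REG_SZ string values are kept, which is all these indicators need;
    the doubled backslashes of the export format are collapsed.
    """
    values: Dict[str, Dict[str, str]] = {}
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            values.setdefault(key, {})
        elif key and line.startswith('"'):
            m = _REG_VALUE_RE.match(line)
            if m:
                values[key][m.group(1)] = m.group(2).replace("\\\\", "\\").replace('\\"', '"')
    return values


def find_registry_indicators(values: Dict[str, Dict[str, str]]) -> List[str]:
    """Return a description of every Run value or identifier value that matches."""
    findings: List[str] = []
    for key, names in values.items():
        k = key.lower()
        if k in RUN_KEYS:
            data = names.get(RUN_VALUE_NAME, "")
            if data.strip('"').lower().endswith(RUN_VALUE_TAILS):
                findings.append(f"{key}\\{RUN_VALUE_NAME} -> {data}")
        elif k == IDENTIFIER_KEY:
            ident = names.get("identifier", "")
            if IDENTIFIER_RE.match(ident):
                findings.append(f"{key}\\identifier = {ident}")
    return findings


def find_file_indicators(paths: List[str]) -> List[str]:
    """Return the paths (e.g. from a file-system listing) that match a known drop location."""
    return [p for p in paths if p.lower().endswith(FILE_TAILS) or RANDOM_DROP_RE.match(p)]


# Constructed sample data, not from an infected host.
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion]
"identifier"="QxgarTc"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Windows NT Service"="C:\\Documents and Settings\\pos\\Application Data\\OracleJava\\javaw.exe"
"Updater"="C:\\Program Files\\Vendor\\updater.exe"
'''
SAMPLE_PATHS = [
    r"C:\Documents and Settings\All Users\Application Data\OracleJava\javaw.exe",
    r"C:\Documents and Settings\All Users\Application Data\AbCdEf123456",
    r"C:\Documents and Settings\pos\Application Data\AdobeFlashPlayer\Log.txt.bku",
    r"C:\Documents and Settings\pos\Local Settings\Temp\TsGSQyhhweBf.exe",
    r"C:\Program Files\Vendor\pos.exe",
]

if __name__ == "__main__":
    for f in find_registry_indicators(parse_reg_export(SAMPLE_REG_EXPORT)):
        print("REGISTRY", f)
    for p in find_file_indicators(SAMPLE_PATHS):
        print("FILE", p)
```

On a live terminal, feed `reg export HKCU\Software\Microsoft\Windows\CurrentVersion hkcu.reg` (and the HKLM equivalent) to `parse_reg_export`, and a recursive listing of `C:\Documents and Settings` to `find_file_indicators`. A seven-character value named "identifier" is weak evidence on its own; treat it as corroboration for a Run-key or file match rather than a standalone verdict.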

Further reading

You can read more about PoS malware attacks in our blog: Demystifying Point of Sale Malware and Attacks.

Symantec protection

Symantec has the following detections in place for the malware used in these attacks:

AV

  • Trojan.Backoff
  • Trojan.Backoff!gm

IPS

  • System Infected: Trojan.Backoff Activity