A new, upgraded variant of the Backoff point-of-sale malware, named ROM, was recently identified by security researchers.
Researchers with Fortinet reported that the new version is almost identical to the previous one in its core functionality. Fortinet's products detect ROM as W32/Backoff.B!tr.spy. Unlike the original, the body of ROM carries no version number.
The New Backoff Malware – What’s Different?
What’s new is the effort put into evading detection and hindering analysis. ROM no longer masquerades as a Java component; instead it disguises itself as a media player, mplaterc.exe. After copying itself to the targeted machine, the malware launches the copy through the WinExec API. To frustrate static analysis, it does not store the names of the Windows APIs it uses as plain strings; it keeps only hashed values and resolves each API at runtime by hashing exported function names and comparing the results, so a string dump of the binary reveals nothing about which APIs it calls.
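The following added example (not code from the Fortinet report or from ROM itself) shows why hashed API names defeat string-based analysis, and how an analyst reverses the trick. The report does not give ROM's hash function, so a ROR-13 additive hash is assumed as a stand-in; the export table and addresses are constructed. The same mechanism covers the hashed process blacklist described in the next paragraph: replace the export names with running process names.

```python
"""Name hashing as an anti-analysis technique, and its reversal.

A binary that embeds only hashes of the API (or process) names it cares
about leaks no readable strings; at runtime it walks a module's export
table, hashes every exported name and keeps the ones that match.  The
analyst's counter is to hash a wordlist of known names and look for
collisions with the embedded constants.
"""
from typing import Dict, Iterable, Optional, Set


def ror13_hash(name: str) -> int:
    # Assumption: ROM's actual hash function is not published; this classic
    # shellcode-style ROR-13 additive hash stands in for it.
    h = 0
    for b in name.encode("ascii"):
        h = ((h >> 13) | (h << 19)) & 0xFFFFFFFF
        h = (h + b) & 0xFFFFFFFF
    return h


def build_hash_table(names: Iterable[str]) -> Set[int]:
    """What the malware author does offline: embed hashes, not strings."""
    return {ror13_hash(n) for n in names}


def resolve_by_hash(exports: Dict[str, int], wanted: Set[int]) -> Dict[str, int]:
    """What the malware does at runtime: hash each exported name and keep
    those whose hash appears in the embedded table.  `exports` maps an
    exported function name to its address."""
    return {name: addr for name, addr in exports.items() if ror13_hash(name) in wanted}


def recover_names(embedded: Set[int], dictionary: Iterable[str]) -> Dict[int, Optional[str]]:
    """What the analyst does: hash a wordlist (for example every export of
    kernel32.dll) and map each embedded constant back to a name; unmatched
    constants come back as None."""
    table = {ror13_hash(n): n for n in dictionary}
    return {h: table.get(h) for h in embedded}


# Constructed stand-in for a kernel32 export table; addresses are made up.
SAMPLE_EXPORTS = {
    "CreateFileW": 0x7FF80001_0000,
    "WinExec": 0x7FF80001_1000,
    "VirtualAlloc": 0x7FF80001_2000,
    "ReadProcessMemory": 0x7FF80001_3000,
}

# Only these integers would be present in the binary, never the names.
EMBEDDED = build_hash_table(["WinExec", "ReadProcessMemory"])


if __name__ == "__main__":
    print("embedded constants:", [hex(h) for h in EMBEDDED])
    print("resolved at runtime:", resolve_by_hash(SAMPLE_EXPORTS, EMBEDDED))
    print("recovered by analyst:", recover_names(EMBEDDED, SAMPLE_EXPORTS))
```

In practice the analyst's wordlist is the full export list of the DLLs the sample loads (or a published table of precomputed hashes), and the hash routine is lifted from the sample's disassembly rather than assumed.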
Fortinet analysts report that, just like Backoff, ROM scrapes Track 1 and Track 2 data from the memory of processes on the PoS terminal. While scraping, it skips a hard-coded blacklist of processes; the blacklist is stored as hashed values, and the name of each running process is hashed and compared against it, so the excluded names never appear as plain strings either. ROM also stores the stolen card data locally, encrypted using two hard-coded strings. The researchers say that ROM talks to its C&C server over port 443 and that this traffic is encrypted as well, so it blends in with ordinary HTTPS and is hard to pick out on the network.
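As an added example (not ROM's code, and not from the Fortinet report), the following shows what Track 1 / Track 2 memory scraping amounts to, and the one check that separates a useful scanner from a noisy one: a Luhn test on the PAN. The track patterns follow the standard ISO 7813 layouts, since the report does not publish ROM's own; the process blacklist entries and the memory contents are constructed, and the PANs are the usual Luhn-valid test numbers. The same scanner, run by a defender against the memory of the PoS process, finds cleartext card data that should not be there.

```python
"""Scan process memory images for magnetic-stripe track data.

Track 1: %B<PAN>^<NAME>^<YYMM><service><discretionary>?
Track 2: ;<PAN>=<YYMM><service><discretionary>?
"""
import re
from typing import Dict, List, NamedTuple, Set

# Assumption: ISO 7813 layouts; ROM's exact patterns are not published.
TRACK1 = re.compile(rb"%B(\d{13,19})\^([A-Z /.]{2,26})\^(\d{4})(\d{3})([0-9A-Z]{0,40})\?")
TRACK2 = re.compile(rb";(\d{13,19})=(\d{4})(\d{3})(\d{0,40})\?")

# Assumption: illustrative blacklist; the report does not list ROM's entries.
SKIP_PROCESSES: Set[str] = {"system", "smss.exe", "csrss.exe", "wininit.exe",
                            "svchost.exe", "explorer.exe"}


class CardHit(NamedTuple):
    process: str
    track: int
    pan: str
    expiry: str   # YYMM
    name: str     # Track 1 only, empty for Track 2


def luhn_ok(pan: bytes) -> bool:
    """Luhn checksum over ASCII digits; filters out random digit runs that
    happen to match the regex shape."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = ch - 0x30
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def scrape_buffer(process: str, buf: bytes) -> List[CardHit]:
    """Find Luhn-valid Track 1 and Track 2 records in one memory buffer."""
    hits: List[CardHit] = []
    for m in TRACK1.finditer(buf):
        if luhn_ok(m.group(1)):
            hits.append(CardHit(process, 1, m.group(1).decode(),
                                m.group(3).decode(), m.group(2).decode()))
    for m in TRACK2.finditer(buf):
        if luhn_ok(m.group(1)):
            hits.append(CardHit(process, 2, m.group(1).decode(),
                                m.group(2).decode(), ""))
    return hits


def scrape_processes(processes: Dict[str, bytes],
                     skip: Set[str] = SKIP_PROCESSES) -> List[CardHit]:
    """Walk process name -> memory image, skipping blacklisted processes."""
    hits: List[CardHit] = []
    for name, mem in processes.items():
        if name.lower() in skip:
            continue
        hits.extend(scrape_buffer(name, mem))
    return hits


# Constructed memory images.  PANs are standard test numbers, not real cards;
# the last Track 2 record has a bad Luhn digit and must be dropped.
SAMPLE_MEMORY = (
    b"\x00\x00junk\x00"
    b"%B4111111111111111^DOE/JOHN^25121011234567890?"
    b"\x00padding\x00"
    b";5555555555554444=2512101123456789?"
    b"\x00"
    b";4111111111111112=2512101?"
    b"\x00"
)
SAMPLE_PROCESSES = {
    "pos.exe": SAMPLE_MEMORY,
    "explorer.exe": b";5555555555554444=2512101?",   # blacklisted, never scanned
}


if __name__ == "__main__":
    for hit in scrape_processes(SAMPLE_PROCESSES):
        print(hit)
```

The regexes alone match any run of 13 to 19 digits in the right framing; on a real heap that produces plenty of junk, which is why both scrapers and detectors apply the Luhn check before keeping a record.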
Backoff, first detected in August, has the following capabilities:
- Data theft
- Memory scraping
- Exfiltration
- Injection
- Keylogging
Oddly, the last of these, keylogging, is absent from ROM.
Reportedly, over 400 locations were hit by Backoff in the past month, with the malware stealing cardholder names, card numbers and expiration dates. Back in August, researchers with Kaspersky Lab reported over 1,000 infections in the USA alone.