
Backoff Point-of-Sale Malware with a New Version

A new, upgraded variant of the Backoff point-of-sale malware, known as ROM, has recently been detected by security researchers.
Researchers at Fortinet report that the new version is almost identical to the previous one. Security products detect ROM as W32/Backoff.B!tr.spy. The body of ROM does not contain a version number.

The New Backoff Malware – What’s Different?

What is new is the ability to evade detection and hinder analysis. ROM no longer disguises itself as a Java component; instead it poses as a media player, mplaterc.exe. Once the malware has copied itself onto the targeted computer, it calls the WinExec API. To hinder analysis, it refers to API names by hashed values rather than storing them as plain strings.

Fortinet analysts report that, like Backoff, ROM is capable of extracting Track 1 and Track 2 data from PoS terminals. The malware refuses to run under predetermined analysis processes: it compares the hashed name of each running process against a hard-coded blacklist of hashed values, so the tool names never appear in plaintext in the binary. ROM also stores the stolen card data locally, encrypted with two hard-coded strings on the system. The researchers say that ROM communicates with its C&C server over port 443, and that this traffic is encrypted as well, which makes detection considerably harder.
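The hashed process blacklist and hashed API names described above are a standard anti-analysis trick, and the analyst's counter to it is a reverse lookup: hash a dictionary of candidate names and match the results against the constants pulled out of a sample. The following is an added example written for this page, not code from Fortinet or from the malware itself. The page does not say which hash ROM uses, so CRC32 over the lower-cased name is an assumption chosen only for illustration, and the candidate lists and the "hashes recovered from a sample" are constructed here.

```python
import zlib

# Illustrative hash function (ASSUMPTION): CRC32 over the lower-cased name.
# Real samples use whatever routine the author picked; an analyst swaps this
# for the hash lifted from the binary and keeps the rest of the workflow.
def name_hash(name: str) -> int:
    return zlib.crc32(name.lower().encode("ascii")) & 0xFFFFFFFF

# Constructed dictionaries of names an analyst might expect to find hashed:
# common debugging/monitoring tools and the APIs the page mentions or implies.
CANDIDATE_PROCESSES = [
    "ollydbg.exe", "x64dbg.exe", "idaq.exe", "windbg.exe",
    "procmon.exe", "procexp.exe", "wireshark.exe", "fiddler.exe",
]
CANDIDATE_APIS = [
    "WinExec", "CreateProcessA", "CreateProcessW", "OpenProcess",
    "ReadProcessMemory", "VirtualAlloc", "InternetOpenA",
]

def build_table(names):
    """Map hash -> plaintext name for every candidate."""
    return {name_hash(n): n for n in names}

def resolve(hashes, table):
    """Return {hash: name-or-None}; None marks a value not in the dictionary."""
    return {h: table.get(h) for h in hashes}

def resolved_only(hashes, table):
    """Convenience view: just the names that were recovered, in input order."""
    return [table[h] for h in hashes if h in table]

if __name__ == "__main__":
    # Constructed "extracted constants": two the dictionary knows, one it does not.
    sample_blacklist = [name_hash("ollydbg.exe"), name_hash("procmon.exe"), 0xDEADBEEF]
    sample_imports = [name_hash("WinExec"), name_hash("VirtualAlloc")]

    procs = resolve(sample_blacklist, build_table(CANDIDATE_PROCESSES))
    apis = resolve(sample_imports, build_table(CANDIDATE_APIS))
    for h, n in {**procs, **apis}.items():
        print(f"{h:08x} -> {n if n else '<unresolved: extend the dictionary>'}")
```

Unresolved entries are the useful output: each one is either a tool name missing from the dictionary or a sign that the hash routine was mis-identified, and both are worth chasing before writing detection content for the sample.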

First detected in August, the original Backoff malware has the following capabilities:

  • Data theft
  • Memory scraping
  • Exfiltration
  • Injection
  • Keylogging

Oddly enough, the last of these, keylogging, is absent from ROM.

Reportedly, over 400 locations were hit by Backoff in the past month, with customers' names, credit card numbers and expiration dates stolen. Back in August, researchers at Kaspersky Lab reported over 1000 infections in the USA alone.


Berta Bilbao

Berta is a dedicated malware researcher, dreaming for a more secure cyber space. Her fascination with IT security began a few years ago when a malware locked her out of her own computer.
