Backoff: New Point Of Sale Malware (August 06,2014)
The Dell SonicWALL Threats Research team has observed reports of a new POS bot family named Backoff, versions 1.55 and 1.56, actively spreading in the wild. It is the second infostealer bot family we have seen with memory-scraping functionality like that of the well-known Point-of-Sale Trojan Dexter. Variants have been seen as far back as October 2013 and continue to operate as of July 2014. Backoff typically scrapes process memory for card data, injects into explorer.exe and logs keystrokes.
Infection Cycle:
The Trojan adds the following file to the file system:
- %APPDATA%\OracleJava\javaw.exe [Detected as GAV: Backoff.A (Trojan)]
- %APPDATA%\OracleJava\Log.txt [Keystroke log]
The Trojan adds the following key to the Windows registry to ensure persistence upon reboot:
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Windows NT Service = "%APPDATA%\OracleJava\javaw.exe"
It injects code into explorer.exe and modifies the Import Address Table (IAT) of the host process so that the hooked imports resolve to its own functions (observed in 1.55 "goo").
KeyLogger:
Backoff includes a keylogger: it polls GetKeyState and GetKeyboardState to capture the keys pressed on the target system and appends every keystroke to the following file:
- %APPDATA%\OracleJava\Log.txt
It also calls GetForegroundWindow and GetWindowTextA (which return the title of the active window, giving the attacker context for the captured keys) and handles non-ASCII keys such as the following:
POS Memory Scraping:
The malware enumerates all running processes and keeps the list in its own memory; one of the injected threads then periodically scrapes the memory of the active non-system processes on the infected machine for credit card data. This is how Backoff recovers card data from POS software without touching the POS application's own files. The scraping routine relies on the following API calls:
- CreateToolhelp32Snapshot
- Process32First
- Process32Next
- OpenProcess
- ReadProcessMemory
The stolen information is then relayed to the Command & Control server. Backoff (1.55 "goo") filters the processes it scrapes: the processes in the following list (system services and browsers that would not hold track data) are skipped, so the scraper spends its time on POS and other application processes:
- explorer.exe
- lsass.exe
- spoolsv.exe
- mysqld.exe
- services.exe
- wmiprvse.exe
- LogonUI.exe
- taskhost.exe
- wuauclt.exe
- smss.exe
- csrss.exe
- winlogon.exe
- alg.exe
- iexplore.exe
- firefox.exe
- chrome.exe
- devenv.exe
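The scraping loop described above, as an added Python example that is not part of the original analysis or of the Backoff code itself: the process-name exclusion list is taken from the list above, while the Track 1/Track 2 patterns, the Luhn check and the sample process memory buffers are assumptions (generic magnetic-stripe layouts and constructed test data, not Backoff's own pattern). On Windows the process list would come from CreateToolhelp32Snapshot/Process32First/Process32Next and the buffers from OpenProcess/ReadProcessMemory; here constructed byte strings stand in for them so the example runs offline.

```python
import re

# Process names the 1.55 "goo" build skips when scraping (from the list above).
# Windows image names are case-insensitive, so compare lower-cased.
SCRAPE_EXCLUSIONS = {
    "explorer.exe", "lsass.exe", "spoolsv.exe", "mysqld.exe", "services.exe",
    "wmiprvse.exe", "logonui.exe", "taskhost.exe", "wuauclt.exe", "smss.exe",
    "csrss.exe", "winlogon.exe", "alg.exe", "iexplore.exe", "firefox.exe",
    "chrome.exe", "devenv.exe",
}

# Assumed generic magnetic-stripe layouts (the page does not show Backoff's exact pattern).
# Track 1: %B<PAN>^<NAME>^<YYMM><service code>...?    Track 2: ;<PAN>=<YYMM><service code>...?
TRACK1_RE = re.compile(rb"%B(\d{13,19})\^([^^]{2,26})\^(\d{4})(\d{3})[^?]*\?")
TRACK2_RE = re.compile(rb";(\d{13,19})=(\d{4})(\d{3})[^?]*\?")


def luhn_ok(pan):
    """Luhn checksum over a PAN string; weeds out digit runs that are not card numbers."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def should_scan(process_name):
    """Apply the exclusion list the way the scraper thread does."""
    return process_name.lower() not in SCRAPE_EXCLUSIONS


def find_track_data(buf):
    """Return (track, PAN, YYMM) tuples for every Luhn-valid track string in a memory buffer."""
    hits = []
    for m in TRACK1_RE.finditer(buf):
        pan = m.group(1).decode()
        if luhn_ok(pan):
            hits.append(("track1", pan, m.group(3).decode()))
    for m in TRACK2_RE.finditer(buf):
        pan = m.group(1).decode()
        if luhn_ok(pan):
            hits.append(("track2", pan, m.group(2).decode()))
    return hits


def scrape(processes):
    """processes: iterable of (image name, memory bytes) standing in for the
    Toolhelp32 walk plus ReadProcessMemory. Returns {image name: hits} for
    every scanned process that held track data."""
    results = {}
    for name, mem in processes:
        if not should_scan(name):
            continue
        hits = find_track_data(mem)
        if hits:
            results[name] = hits
    return results


# Constructed sample "memory" using well-known test PANs; nothing here is real card data.
SAMPLE_PROCESSES = [
    ("explorer.exe", b"...;4111111111111111=2512101000000000?..."),       # excluded by name
    ("pos.exe", b"xx%B4111111111111111^DOE/JOHN^2512101000000000000?xx"
                b";5555555555554444=2601201000000000?"),                  # two valid tracks
    ("notepad.exe", b";1234567890123456=2512101?"),                       # fails Luhn
]

if __name__ == "__main__":
    for name, hits in scrape(SAMPLE_PROCESSES).items():
        for track, pan, exp in hits:
            print(f"{name}: {track} PAN={pan[:6]}...{pan[-4:]} exp={exp}")
```

Because the exclusion check happens before any memory is read, an explorer.exe buffer full of track data is never looked at, which is exactly why defenders should not rely on the blacklist as a hiding place: a future build can drop names from it at will.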
Command and Control communication
During our analysis we observed the following communication between the infected machine and the C2 server (1.55 "backoff" and 1.55 "goo"):
The value of the 'id' parameter is stored in the registry value HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\identifier (listed under each variant below).
The 'data' parameter carries the scraped card data, RC4-encrypted and then Base64-encoded; here is an example of encrypted card data scraped by the malware:
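The encoding of the 'data' parameter, as an added Python example (not code from the original post or from the malware): the bot side RC4-encrypts the card data and Base64-encodes the result, and the analyst side reverses the two steps. The RC4 key, the sample card data and the two-field POST body layout are assumptions; the page names only the 'id' and 'data' parameters and does not disclose the key, so DEMO_KEY is a placeholder to be replaced with the key recovered from a sample.

```python
import base64
from urllib.parse import urlencode, parse_qs

# Placeholder key for the demonstration (assumption: the real key is not on the page).
DEMO_KEY = b"example-rc4-key"


def rc4(key, data):
    """Plain RC4 (KSA + PRGA). RC4 is symmetric, so one routine encrypts and decrypts."""
    S = list(range(256))
    j = 0
    for i in range(256):                      # key-scheduling algorithm
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for b in data:                            # pseudo-random generation algorithm
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(b ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def encode_data_param(key, card_data):
    """Bot side: RC4-encrypt, then Base64-encode, as the page describes for 'data'."""
    return base64.b64encode(rc4(key, card_data)).decode("ascii")


def decode_data_param(key, encoded):
    """Analyst side: Base64-decode, then RC4-decrypt."""
    return rc4(key, base64.b64decode(encoded))


def build_post_body(bot_id, key, card_data):
    """Constructed body layout: only 'id' and 'data' are named on the page, so any
    other fields the real bot may send are omitted. urlencode percent-encodes the
    '+', '/' and '=' characters Base64 produces so the body survives as a form post."""
    return urlencode({"id": bot_id, "data": encode_data_param(key, card_data)})


def parse_post_body(key, body):
    """Split a captured body back into (bot id, plaintext card data)."""
    fields = parse_qs(body, strict_parsing=True)
    return fields["id"][0], decode_data_param(key, fields["data"][0])


# Constructed sample: one Track 2 string with a test PAN, as the scraper would hand it over.
SAMPLE_CARD_DATA = b";4111111111111111=2512101000000000?"

if __name__ == "__main__":
    body = build_post_body("0123456789abcdef", DEMO_KEY, SAMPLE_CARD_DATA)
    print("POST body:", body)
    print("decoded  :", parse_post_body(DEMO_KEY, body))
```

Checking the rc4() routine against the public "Key"/"Plaintext" test vector before pointing it at a real capture is worth the ten seconds; a subtly wrong KSA produces plausible-looking garbage rather than an obvious failure.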
Backoff Variants in the Wild
Six Backoff variants are known:
- Backoff 1.4
- 1.55 “backoff”
- 1.55 “goo”
- 1.55 “MAY”
- 1.55 “net”
- 1.56 “LAST”
Backoff 1.4
MD5: 927AE15DBF549BD60EDCDEAFB49B829E
Install Path: %APPDATA%\AdobeFlashPlayer\mswinsvc.exe
Dropped Files:
- %APPDATA%\mskrnl
- %APPDATA%\winserv.exe
- %APPDATA%\AdobeFlashPlayer\mswinsvc.exe
Registry Keys:
- HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\identifier
- HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows NT Service
HTTP POST Request:
- User-Agent: Mozilla/4.0
- URI(s): /aircanada/dark.php
- Static String on POST Request: zXqW9JdWLM4urgjRkX
1.55 “backoff”
MD5: F5B4786C28CCF43E569CB21A6122A97E
Install Path: %APPDATA%\AdobeFlashPlayer\mswinhost.exe
Dropped Files:
- %APPDATA%\mskrnl
- %APPDATA%\winserv.exe
- %APPDATA%\AdobeFlashPlayer\mswinhost.exe
- %APPDATA%\AdobeFlashPlayer\Log.txt
Registry Keys:
- HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\identifier
- HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows NT Service
HTTP POST Request:
- User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:24.0) Gecko/20100101 Firefox/24.0
- URI(s): /aero2/fly.php
- Static String on POST Request: ihasd3jasdhkas
1.55 “goo”
MD5: 17E1173F6FC7E920405F8DBDE8C9ECAC
Install Path: %APPDATA%\OracleJava\javaw.exe
Dropped Files:
- %APPDATA%\nsskrnl
- %APPDATA%\winserv.exe
- %APPDATA%\OracleJava\javaw.exe
- %APPDATA%\OracleJava\Log.txt
Registry Keys:
- HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\identifier
- HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows NT Service
HTTP POST Request:
- URI(s): /windows/updcheck.php
- Static String on POST Request: jhgtsd7fjmytkr
1.55 “MAY”
MD5: 21E61EB9F5C1E1226F9D69CBFD1BF61B
Install Path: %APPDATA%\OracleJava\javaw.exe
Dropped Files:
- %APPDATA%\nsskrnl
- %APPDATA%\winserv.exe
- %APPDATA%\OracleJava\javaw.exe
- %APPDATA%\OracleJava\Log.txt
Registry Keys:
- HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\identifier
- HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows NT Service
HTTP POST Request:
- URI(s): /windowsxp/updcheck.php
- Static String on POST Request: jhgtsd7fjmytkr
1.55 “net”
MD5: 0607CE9793EEA0A42819957528D92B02
Install Path: %APPDATA%\AdobeFlashPlayer\mswinhost.exe
Dropped Files:
- %APPDATA%\AdobeFlashPlayer\mswinhost.exe
- %APPDATA%\AdobeFlashPlayer\Log.txt
Registry Keys:
- HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\identifier
- HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows NT Service
HTTP POST Request:
- URI(s): /windowsxp/updcheck.php
- Static String on POST Request: ihasd3jasdhkas9
1.56 “LAST”
MD5: 12C9C0BC18FDF98189457A9D112EEBFC
Install Path: %APPDATA%\OracleJava\javaw.exe
Dropped Files:
- %APPDATA%\nsskrnl
- %APPDATA%\winserv.exe
- %APPDATA%\OracleJava\javaw.exe
- %APPDATA%\OracleJava\Log.txt
Registry Keys:
- HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\identifier
- HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows NT Service
- HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows NT Service
- HKCU\SOFTWARE\Microsoft\Active Setup\Installed Components\{B3DB0D62-B481-4929-888B-49F426C1A136}\StubPath
- HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{B3DB0D62-B481-4929-888B-49F426C1A136}\StubPath
HTTP POST Request:
- User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:24.0) Gecko/20100101 Firefox/24.0
- URI(s): /windebug/updcheck.php
- Static String on POST Request: jhgtsd7fjmytkr
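An added Python example (not the page's or SonicWALL's code) that turns the variant table above into a small sweep: scan_http_log classifies POST requests by C2 URI plus static string, and scan_host checks file hashes, install and dropped paths, and persistence registry values. The indicators are transcribed from the table; the log line format, the request bodies, the file inventory and the registry dump are constructed test data, and the real POST body layout beyond the static string is not on the page.

```python
import re

# Indicators per variant, transcribed from the table above (MD5s lower-cased).
VARIANTS = {
    'Backoff 1.4':    {"md5": "927ae15dbf549bd60edcdeafb49b829e",
                       "install": r"%APPDATA%\AdobeFlashPlayer\mswinsvc.exe",
                       "uri": "/aircanada/dark.php", "static": "zXqW9JdWLM4urgjRkX"},
    '1.55 "backoff"': {"md5": "f5b4786c28ccf43e569cb21a6122a97e",
                       "install": r"%APPDATA%\AdobeFlashPlayer\mswinhost.exe",
                       "uri": "/aero2/fly.php", "static": "ihasd3jasdhkas"},
    '1.55 "goo"':     {"md5": "17e1173f6fc7e920405f8dbde8c9ecac",
                       "install": r"%APPDATA%\OracleJava\javaw.exe",
                       "uri": "/windows/updcheck.php", "static": "jhgtsd7fjmytkr"},
    '1.55 "MAY"':     {"md5": "21e61eb9f5c1e1226f9d69cbfd1bf61b",
                       "install": r"%APPDATA%\OracleJava\javaw.exe",
                       "uri": "/windowsxp/updcheck.php", "static": "jhgtsd7fjmytkr"},
    '1.55 "net"':     {"md5": "0607ce9793eea0a42819957528d92b02",
                       "install": r"%APPDATA%\AdobeFlashPlayer\mswinhost.exe",
                       "uri": "/windowsxp/updcheck.php", "static": "ihasd3jasdhkas9"},
    '1.56 "LAST"':    {"md5": "12c9c0bc18fdf98189457a9d112eebfc",
                       "install": r"%APPDATA%\OracleJava\javaw.exe",
                       "uri": "/windebug/updcheck.php", "static": "jhgtsd7fjmytkr"},
}
HASHES = {v["md5"]: name for name, v in VARIANTS.items()}
INSTALL_PATHS = {v["install"].lower() for v in VARIANTS.values()}
DROPPED_PATHS = {p.lower() for p in (          # from the "Dropped Files" lists
    r"%APPDATA%\mskrnl", r"%APPDATA%\nsskrnl", r"%APPDATA%\winserv.exe",
    r"%APPDATA%\AdobeFlashPlayer\Log.txt", r"%APPDATA%\OracleJava\Log.txt")}
PERSISTENCE_KEYS = {
    r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows NT Service",
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows NT Service",
    r"HKCU\SOFTWARE\Microsoft\Active Setup\Installed Components\{B3DB0D62-B481-4929-888B-49F426C1A136}\StubPath",
    r"HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{B3DB0D62-B481-4929-888B-49F426C1A136}\StubPath",
}
ID_VALUE = r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\identifier"


def classify_post(uri, body):
    """Variants whose C2 URI and static POST string both appear in the request.
    Requiring both matters: /windowsxp/updcheck.php is shared by "MAY" and "net",
    and jhgtsd7fjmytkr by "goo", "MAY" and "LAST"."""
    return sorted(n for n, v in VARIANTS.items() if uri == v["uri"] and v["static"] in body)


# Constructed log format: <src> POST <uri> ua="<user-agent>" body="<body>"
LOG_RE = re.compile(r'^(?P<src>\S+) POST (?P<uri>\S+) ua="(?P<ua>[^"]*)" body="(?P<body>[^"]*)"$')


def scan_http_log(lines):
    """(source, uri, [variant names]) for every line that looks like Backoff check-in traffic."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        names = classify_post(m["uri"], m["body"])
        if names:
            hits.append((m["src"], m["uri"], names))
    return hits


def scan_host(files, registry):
    """files: {path: md5}; registry: {value path: data}. Returns tagged findings."""
    findings = []
    for path, md5 in files.items():
        if md5.lower() in HASHES:
            findings.append(("known-hash", path, HASHES[md5.lower()]))
        elif path.lower() in INSTALL_PATHS:      # known path, unknown build: still worth a look
            findings.append(("install-path", path, None))
        elif path.lower() in DROPPED_PATHS:
            findings.append(("dropped-file", path, None))
    for key, data in registry.items():
        if key in PERSISTENCE_KEYS:
            findings.append(("persistence", key, data))
        elif key == ID_VALUE:
            findings.append(("bot-id", key, data))
    return findings


SAMPLE_HTTP_LOG = [  # constructed
    '10.1.5.20 POST /windows/updcheck.php ua="Mozilla/5.0 (Windows NT 6.1; rv:24.0) Gecko/20100101 Firefox/24.0" body="jhgtsd7fjmytkr&id=0123456789abcdef&data=AAAA"',
    '10.1.5.21 POST /windowsxp/updcheck.php ua="Mozilla/4.0" body="ihasd3jasdhkas9&id=fedcba9876543210&data=BBBB"',
    '10.1.5.22 POST /windowsxp/updcheck.php ua="Mozilla/4.0" body="legitimate=1"',
    '10.1.5.23 GET /windows/updcheck.php ua="curl" body=""',
]
SAMPLE_FILES = {  # constructed %APPDATA% inventory
    r"%APPDATA%\OracleJava\javaw.exe": "17E1173F6FC7E920405F8DBDE8C9ECAC",
    r"%APPDATA%\AdobeFlashPlayer\mswinhost.exe": "00000000000000000000000000000000",
    r"%APPDATA%\winserv.exe": "11111111111111111111111111111111",
    r"%APPDATA%\Mozilla\Firefox\profiles.ini": "22222222222222222222222222222222",
}
SAMPLE_REGISTRY = {  # constructed
    r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows NT Service": r"%APPDATA%\OracleJava\javaw.exe",
    ID_VALUE: "0123456789abcdef",
    r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDrive": r"C:\Users\x\OneDrive.exe",
}

if __name__ == "__main__":
    for hit in scan_http_log(SAMPLE_HTTP_LOG):
        print("network:", hit)
    for finding in scan_host(SAMPLE_FILES, SAMPLE_REGISTRY):
        print("host:", finding)
```

The hash list only catches the six builds in the table, so the path and registry checks are the ones that still fire on a repacked sample; conversely a javaw.exe under %APPDATA%\OracleJava is never a legitimate Java install path, so that path hit deserves escalation even when the hash is unknown.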
SonicWALL Gateway AntiVirus provides protection against this threat via the following signatures:
- GAV: Backoff.A (Trojan)
- GAV: Backoff.A_2 (Trojan)