National Cyber Awareness System: TA14-212A: Backoff Point-of-Sale Malware
[ https://us-cert.gov/ncas/alerts/TA14-212A ]
07/31/2014 07:30 AM EDT
Original release date: July 31, 2014 | Last revised: August 22, 2014

Systems Affected

Point-of-Sale Systems

Overview

This advisory was prepared in collaboration with the National Cybersecurity and Communications Integration Center (NCCIC), United States Secret Service (USSS), Financial Sector Information Sharing and Analysis Center (FS-ISAC), and Trustwave Spiderlabs, a trusted partner under contract with the USSS. The purpose of this release is to provide relevant and actionable technical indicators for network defense against the PoS malware dubbed Backoff, which has been discovered exploiting businesses' administrator accounts remotely and exfiltrating consumer payment data.

Over the past year, the Secret Service has responded to network intrusions at numerous businesses throughout the United States that have been impacted by the “Backoff” malware. Seven PoS system providers/vendors have confirmed that they have had multiple clients affected. Reporting continues on additional compromised locations, involving private sector entities of all sizes, and the Secret Service currently estimates that over 1,000 U.S. businesses are affected.

Recent investigations revealed that malicious actors are using publicly available tools to locate businesses that use remote desktop applications. Remote desktop solutions like Microsoft's Remote Desktop [ apps.microsoft.com/windows/en-us/app/remote-desktop/051f560e-5e9b-4dad-8b2e-fa5e0b05a480 ][1], Apple Remote Desktop [ https://www.apple.com/remotedesktop/ ][2], Chrome Remote Desktop [ https://chrome.google.com/webstore/category/apps?hl=en ][3], Splashtop 2 [ splashtop.com/downloads-all ][4], Pulseway [ apps.microsoft.com/windows/en-gb/app/pc-monitor/9efc1d1c-6816-48bc-8de7-d4b21a5b3589 ][5] and LogMeIn [ https://secure.logmein.com/ ][6] offer the convenience and efficiency of connecting to a computer from a remote location. Once these applications were located, the suspects attempted to brute force the login feature of the remote desktop solution. After gaining access to what were often administrator or otherwise privileged accounts, the suspects deployed the point-of-sale (PoS) malware and subsequently exfiltrated consumer payment data via an encrypted POST request. Organizations that believe they have been impacted should contact their local Secret Service field office and may contact the NCCIC for additional information.

Description

“Backoff” is a recently discovered family of PoS malware. The family has been observed in at least three separate forensic investigations. Researchers have identified three primary variants of “Backoff”: 1.4, 1.55 (“backoff”, “goo”, “MAY”, “net”), and 1.56 (“LAST”). These variants have been seen as far back as October 2013 and continue to operate as of July 2014. The malware typically consists of the following four capabilities; the exceptions are the earliest observed variant (1.4), which does not include keylogging functionality, and 1.55 ‘net’, which removed the explorer.exe injection component:

* Scraping memory for track data
* Logging keystrokes
* Command & control (C2) communication
* Injecting a malicious stub into explorer.exe

The malicious stub injected into explorer.exe is responsible for persistence in the event the malicious executable crashes or is forcibly stopped. The malware scrapes memory from running processes on the victim machine, searching for track data. Keylogging functionality is also present in the most recent variants of “Backoff”. Additionally, the malware has a C2 component responsible for uploading discovered data, updating the malware, downloading and executing further malware, and uninstalling the malware.
Posted on: Mon, 25 Aug 2014 16:37:34 +0000