Pierluigi Paganini November 06, 2014

Security experts at Fortinet detected a new variant of Backoff malicious code dubbed ROM, which is an improved version of the popular POS malware.

A new strain of the Backoff point of sale malware has been detected in the wild by security experts at Fortinet, the new variant dubbed ROM (W32/Backoff.B!tr.spy) appears more fine-tuned.

Like Backoff, ROM is able extract Track 1 and Track 2 of credit/debit card used on PoS terminals for payments.

Recently the chain of restaurants Dairy Queen announced in an official statement that Backoff infected POS systems at nearly 400 of its stores, but the diffusion of the malicious agent is significant as explained by the Experts at Kaspersky Lab the estimated that more than 1,000 infections were locates in the US.

The new variant ROM implements more sophisticated evasion detection techniques and unlike previous versions it doesn’t disguise itself as a Java component, but instead, a media player using the mplaterc.exe.Once the ROM has copied itself to the infected machine it invoke WinExec API that replaces names with hashed values in order to thwart analysis process.

“To hinder the analysis process, the malware author utilizes a very common technique by replacing API names with the hashed values, and a custom hashing function is called to look up the API name with the equivalent hash value.” states Hong Kei Chan, a junior antivirus analyst with Fortinet a blog post.

The ROM malware ignores certain processes from being parsed, exactly like other Backoff variants, but it use uses a table of hashed values that identify them as explained by Chan:

“Like the previous version, ROM ignores certain processes from being parsed, but instead of simply comparing the process name against its hardcoded blacklist in plaintext, it now uses a table of hashed values,” Chan said.

The expert also explained that ROM encrypts traffic to the C&C server making hard its detection, the malicious code also stores the stolen credit card data in encrypted format using two hard-coded strings.

Unfortunately malware authors are improving the ROM malware, researchers expect newer version that will infect other POS systems worldwide.

In time I’m writing Fortinet announced to have found a newer version of Backoff on October 28th, 2014 that its researchers are currently analyzing.

For further information on Backoff malware refer also the security bulletin issued in July by the US-CERT.

Pierluigi Paganini

Security Affairs –  (Backoff malware, ROM)