ROM is the new improved strain of the Backoff PoS Malware

Security experts at Fortinet detected a new variant of the Backoff malicious code, dubbed ROM, which is an improved version of the popular PoS malware.

A new strain of the Backoff point-of-sale malware has been detected in the wild by security experts at Fortinet; the new variant, dubbed ROM (W32/Backoff.B!tr.spy), appears more fine-tuned.

Like Backoff, ROM is able to extract Track 1 and Track 2 data from credit/debit cards used for payments on PoS terminals.

Recently the restaurant chain Dairy Queen announced in an official statement that Backoff had infected PoS systems at nearly 400 of its stores, but the diffusion of the malicious agent is wider than that: experts at Kaspersky Lab estimated that more than 1,000 infections were located in the US.

The new variant ROM implements more sophisticated detection-evasion techniques. Unlike previous versions it doesn't disguise itself as a Java component but as a media player, using the file name mplaterc.exe. Once ROM has copied itself to the infected machine it invokes the WinExec API, and the API names it uses are replaced with hashed values in order to thwart the analysis process.

“To hinder the analysis process, the malware author utilizes a very common technique by replacing API names with the hashed values, and a custom hashing function is called to look up the API name with the equivalent hash value,” states Hong Kei Chan, a junior antivirus analyst with Fortinet, in a blog post.

The ROM malware ignores certain processes when parsing memory, exactly like other Backoff variants, but it uses a table of hashed values to identify them, as explained by Chan:

“Like the previous version, ROM ignores certain processes from being parsed, but instead of simply comparing the process name against its hardcoded blacklist in plaintext, it now uses a table of hashed values,” Chan said.
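The following Python is an added illustration, not code from the Fortinet write-up or from ROM itself. It shows both sides of the hashing trick described above: the comparison a sample makes against a table of hashed names (the process blacklist and the hashed API names), and the lookup table an analyst precomputes from candidate strings to recover those names during analysis. The hash routine is a generic rotate-right-13 stand-in, since the article does not give ROM's custom function; the candidate lists and "dumped" hash tables are constructed for the example.

```python
# Added example, not code from the Fortinet write-up or from ROM itself.
# ror13_hash is a generic stand-in for the "custom hashing function" the
# article mentions; substitute the routine recovered from the real sample.

def ror13_hash(name, fold_case=False):
    """Hypothetical 32-bit rotate-right-13 hash over the ASCII bytes of name."""
    if fold_case:  # process-name comparisons are case-insensitive on Windows
        name = name.lower()
    h = 0
    for b in name.encode("ascii"):
        h = ((h >> 13) | (h << 19)) & 0xFFFFFFFF  # ror 13
        h = (h + b) & 0xFFFFFFFF
    return h

def proc_hash(name):
    return ror13_hash(name, fold_case=True)

# --- the sample's side: compare a hash, never a plaintext string ------------
def is_skipped(process_name, hashed_blacklist):
    """Mirror of the check the article describes: skip if the hash is listed."""
    return proc_hash(process_name) in hashed_blacklist

# --- the analyst's side: precompute hash -> name to undo the obfuscation ----
def build_lookup(candidates, hash_fn=ror13_hash):
    """Map hash -> name for candidate API exports or process names."""
    table = {}
    for name in candidates:
        h = hash_fn(name)
        if h in table and table[h] != name:
            raise ValueError(f"hash collision: {table[h]!r} vs {name!r}")
        table[h] = name
    return table

def resolve(hashes, lookup):
    """Recover names for hashes dumped from the sample; flag unknown ones."""
    return [lookup.get(h, f"unknown(0x{h:08x})") for h in hashes]

# Constructed candidate lists: WinExec is named in the article; the others are
# common exports and system processes used here only as lookup fodder.
API_CANDIDATES = ["WinExec", "CreateFileA", "OpenProcess", "ReadProcessMemory"]
PROCESS_CANDIDATES = ["explorer.exe", "svchost.exe", "lsass.exe", "csrss.exe"]

def demo():
    # Constructed "dumped" tables, as an analyst would pull from the binary.
    observed_api = [ror13_hash("WinExec"), ror13_hash("OpenProcess"), 0xDEADBEEF]
    blacklist = {proc_hash(p) for p in ("lsass.exe", "svchost.exe")}
    return (resolve(observed_api, build_lookup(API_CANDIDATES)),
            resolve(sorted(blacklist), build_lookup(PROCESS_CANDIDATES, proc_hash)),
            is_skipped("LSASS.EXE", blacklist))
```

In practice the candidate list is the full export table of the DLLs the sample imports from (and a list of common process names), so an unresolved hash points either at a wrong hash routine or at a name outside the list.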

[Figure: BackOff ROM process blacklist]

The expert also explained that ROM encrypts traffic to the C&C server, making its detection harder; the malicious code also stores the stolen credit card data in encrypted form, using two hard-coded strings.

Unfortunately, malware authors keep improving the ROM malware; researchers expect newer versions that will infect other PoS systems worldwide.

At the time of writing, Fortinet announced that it had found a newer version of Backoff on October 28th, 2014, which its researchers are currently analyzing.

For further information on the Backoff malware, refer also to the security bulletin issued in July by US-CERT.

Pierluigi Paganini

Security Affairs – (Backoff malware, ROM)