"BackOff" POS High Level Analysis: Exposing Additional Sensitive Targets and Additional Toolkits in The Cyber Criminal Arsenal
Posted by Elad Sharf on 06 August 2014 11:30 AM
Websense® Security Labs™ has received reports about the new "Point Of Sale" malware dubbed "BackOff", as published by The US Homeland Security office. We decided to explore the activity through the ThreatSeeker® Intelligence Cloud. Our research shows some interesting findings that are consistent with what was shared in the original "Backoff" publication, but it also adds intelligence that sheds more light on the industries targeted in this campaign. It shows that the actors behind it could potentially be targeting more than just POS retailers, and that the toolkits used in this campaign are not limited to "memory scrapers" but also include other toolkits such as the infamous Zeus, Spyeye and Citadel malware, as well as a worm called Gamarue that spreads through peripheral devices.
(Please note: hosts that are part of this campaign are blurred at this time so as not to disrupt any ongoing investigation by the authorities.)
Research From The Bird's Eye View
Looking at one of the first samples listed in the paper published by the US Dept. of Homeland Security (SHA1: caf546e3ee1a1d2768ec37428de1ff7032beea94), we verified that it is one of the earlier versions of the malware, version 1.4, and that its command and control point was dom<*snipped*>12.com. This command and control host appears to be one of the most popular ones in this campaign and had one of the highest hit counts observed in our telemetry data.
One of the interesting observations we made is that this domain was not registered through any service meant to hide the identity of the registrant; this is unlike subsequent domains used in this campaign, which were registered through an anonymizing Chinese registrar. The domain dom<*snipped*>12.com was registered on the 13th of October 2013 for one year, which ties in perfectly with the start of the campaign according to the paper. Here is a snapshot of the registration information for dom<*snipped*>12.com:
Looking at threat intelligence sources, we found more hosts registered by the same registrant; the activity we spotted involving those domains was exclusively associated with cybercrime (you can also find the list attached to this blog):
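The two pivots described above (a registrant contact shared across domains, and a creation date that lines up with the campaign start) can be applied to WHOIS records programmatically. The following is an added example and not Websense's own tooling; the records, registrant emails, domains and the assumed campaign start date are all constructed placeholders, not the snipped values from this post.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Assumed: the campaign is taken to start in October 2013, per the DHS
# paper's timeline as referenced in the post. Adjust to your own intel.
CAMPAIGN_START = date(2013, 10, 1)


@dataclass(frozen=True)
class WhoisRecord:
    domain: str
    registrant_email: str   # registrant contact used as the pivot key
    created: date           # domain creation date from WHOIS
    privacy_protected: bool  # True when a proxy/privacy contact is shown


# Constructed sample records (placeholders, not real indicators).
SAMPLE_RECORDS = [
    WhoisRecord("dom-snipped-12.example", "registrant-a@example.net", date(2013, 10, 13), False),
    WhoisRecord("host-b.example", "registrant-a@example.net", date(2013, 11, 2), False),
    WhoisRecord("host-c.example", "registrant-a@example.net", date(2012, 3, 9), False),
    WhoisRecord("host-d.example", "privacy@registrar.example", date(2013, 10, 20), True),
    WhoisRecord("unrelated.example", "someone@example.org", date(2013, 10, 15), False),
]


def pivot_on_registrant(records, seed_domain):
    """Return the other domains sharing the seed domain's registrant contact.
    Privacy-protected records are skipped: a proxy contact is shared by many
    unrelated customers, so it is not a meaningful pivot."""
    seed = next(r for r in records if r.domain == seed_domain)
    if seed.privacy_protected:
        return []
    return sorted(r.domain for r in records
                  if r.registrant_email == seed.registrant_email
                  and not r.privacy_protected and r.domain != seed_domain)


def in_campaign_window(record, start=CAMPAIGN_START, days=90):
    """True if the domain was created within `days` after the campaign start."""
    return start <= record.created <= start + timedelta(days=days)


def candidate_infrastructure(records, seed_domain):
    """Split pivoted domains into those created in the campaign window
    (stronger candidates) and older ones (weaker; need further evidence)."""
    linked = pivot_on_registrant(records, seed_domain)
    by_domain = {r.domain: r for r in records}
    strong = [d for d in linked if in_campaign_window(by_domain[d])]
    weak = [d for d in linked if d not in strong]
    return strong, weak
```

Domains surfaced this way are leads for further verification against telemetry, not confirmed indicators on their own.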
Lateral Targets: Retailers +