The Nuix Cyber Threat Analysis Team has recently discovered a piece of malware that is responsible for propagating the newly discovered Backoff point of sale (PoS) malware family. This post will describe the malware in detail, and infer potential authorship of Backoff based on details we found during analysis.
Backoff is a PoS malware family that the United States Computer Emergency Readiness Team (US-CERT) announced in an alert at the end of July 2014 (see this PDF for further details).
Here are technical analyses of the malware from SpiderLabs, Trend Micro and Fortinet.
The malware is responsible for logging keystrokes and scraping memory for card data. It also has a command-and-control component for updates and data exfiltration.
We have discovered a piece of malware that is responsible for propagation of Backoff after an initial machine has been compromised. The specific sample that is being discussed has the SHA1 hash of:
We found that the malware had been uploaded to VirusTotal (and can be found here).
Static analysis of the file quickly revealed that two Microsoft Windows executables are embedded within the malware.
We extracted these files from the original malware and discovered the following files:
PSExec 1.98 (7540FED53C1FF761F926F2D4289858D1A567AF8F)
Backoff 1.55 ‘net’ (66C83ACF5B852110493706D364BEA53E48912463)
PSExec is a Sysinternals utility system administrators often use to execute commands or install programs remotely. That legitimacy is exactly what makes it attractive for lateral movement: given credentials that are a local administrator on the target, it copies a service binary to the target over the ADMIN$ share and launches the requested program from that service.
The specific flow of the malware is quite straightforward:
- Generate a five-uppercase-letter executable name in the victim’s %TEMP% directory.
- Drop the PSExec file to this location.
- Generate another five-uppercase-letter executable name in the victim’s %TEMP% directory.
- Drop the Backoff malware to this location.
- Enumerate other machines on the network with the Microsoft Windows ‘net view’ command.
- Push Backoff to any connected machines using the PSExec utility.
I’ve also expressed this flow of execution in a visual form below.
NetworkSpreader execution flowchart
The PSExec command used to run Backoff on connected machines is as follows:
[path_to_psexec] [hostname] -accepteula -d -c [path_to_backoff]
The ‘-accepteula’ parameter suppresses the utility’s EULA prompt. The ‘-d’ parameter runs Backoff non-interactively: PSExec starts it and returns without waiting for it to finish. Finally, the ‘-c’ parameter copies the Backoff binary to the remote machine before running it. Note what is absent: there is no ‘-u’ or ‘-p’, so PSExec authenticates with the credentials of the account the spreader is running under, which therefore has to be an administrator on every target it reaches. On the remote host this leaves the usual PSExec traces, namely the PSEXESVC service being installed and the ADMIN$ share being written to, which is what a responder should look for when scoping how far Backoff spread.
The malware has a helpful undocumented feature. By passing the argument of ‘debug’ when the executable is run, the propagation malware will create and write debug statements to a ‘dbg.txt’ text file. This file is generated in the same directory the malware is run from.
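As an added example (not Nuix’s code and not part of the original analysis), the following Python script hunts a directory for the artifacts described above: executables named with five uppercase letters in %TEMP%, the SHA1 hashes of the two embedded binaries listed earlier, and the ‘dbg.txt’ debug log. The ‘.exe’ extension is an assumption, since the post says only ‘executable name’. The sample directory it builds is constructed with dummy contents, so those files will not match the real hashes; point hunt() at a collected %TEMP% to check against them.

```python
"""Added example (not Nuix's code): hunt a directory for the spreader's artifacts.

The dropper writes PSExec and Backoff into %TEMP% under names made of five
uppercase letters, and writes dbg.txt beside itself when run with the
'debug' argument. This script flags files matching that naming pattern,
hashes them, and checks the SHA1 against the two hashes given in the post.
The .exe extension is an assumption (the post says only 'executable name').
The sample directory is constructed with dummy contents, not real malware.
"""
import hashlib
import os
import re
import tempfile

# SHA1 hashes of the two embedded executables, as listed in the post.
KNOWN_SHA1 = {
    "7540fed53c1ff761f926f2d4289858d1a567af8f": "PSExec 1.98",
    "66c83acf5b852110493706d364bea53e48912463": "Backoff 1.55 'net'",
}

# Exactly five uppercase ASCII letters plus .exe (assumed extension); case-sensitive.
DROP_NAME = re.compile(r"^[A-Z]{5}\.exe$")


def sha1_bytes(data):
    """SHA1 of an in-memory byte string (used to build known-hash sets in tests)."""
    return hashlib.sha1(data).hexdigest()


def sha1_of(path, chunk=1 << 20):
    """Stream a file through SHA1 so large binaries need not fit in memory."""
    h = hashlib.sha1()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def hunt(directory, known=KNOWN_SHA1):
    """Scan one directory (non-recursive) and return a list of findings.

    Each finding records the file name, which rule fired and, when its SHA1
    is in `known`, which component the hash identifies (otherwise None).
    """
    findings = []
    for name in sorted(os.listdir(directory)):
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            continue
        if name == "dbg.txt":
            findings.append({"name": name, "rule": "debug-log", "ioc": None})
        elif DROP_NAME.match(name):
            findings.append({"name": name, "rule": "five-letter-exe",
                             "ioc": known.get(sha1_of(path))})
    return findings


def build_sample_dir():
    """Construct a throwaway directory that looks like a hit %TEMP% (dummy content)."""
    d = tempfile.mkdtemp(prefix="spreader-demo-")
    samples = {
        "ABCDE.exe": b"dummy psexec stand-in",
        "FGHIJ.exe": b"dummy backoff stand-in",
        "klmno.exe": b"lowercase name, must not match",
        "setup.exe": b"unrelated installer",
        "dbg.txt": b"debug output",
    }
    for name, body in samples.items():
        with open(os.path.join(d, name), "wb") as fh:
            fh.write(body)
    return d


if __name__ == "__main__":
    for finding in hunt(build_sample_dir()):
        print(finding)
```

The name pattern alone will produce false positives on a busy %TEMP%, which is why the hash lookup is layered on top; a match on either of the two SHA1 values is conclusive, while a five-letter name with an unknown hash is a file to pull for analysis.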
Overall, I think you’ll agree that the malware in question is quite simplistic. However, this simple technique proves quite effective; it accomplishes its goal in a very clean way. If I had to speculate, I’d guess that this file was likely written for a one-off situation that arose in the midst of a compromise.
Potential Backoff authorship
There has been a lot of speculation about who is behind the Backoff malware family. From the Trend Micro write-up, it looks like the installation routine was taken directly from the Alina malware family, and previous research by Xylitol provided further evidence that Alina and Dexter share a common link.
Dexter and Alina are both PoS malware families that have been responsible for a large number of breaches in recent years. You can find more information about Dexter from Arbor Networks, Seculert and SpiderLabs, and more about Alina from Xylitol, Sophos and SpiderLabs.
Additionally, the author of the Dexter family goes by the handle ‘Dice’.
The sample we identified contains an interesting debug string that the compiler embedded when the malware was built, namely the path to its PDB symbol file:
Debug string discovered in NetworkSpreader
This debug string ‘C:\Users\dice\Desktop\networkspreader\networkspreader\Release\networkspreader.pdb’ provides a wealth of information. The path this file was compiled from indicates that the project was named ‘networkspreader’, which would have been a clue to its functionality had we not already analyzed it. Additionally, the ‘C:\Users’ path indicates that the file was compiled on Microsoft Windows Vista or later (earlier versions used ‘Documents and Settings’). Finally, and arguably the most important detail, the username of the author appears to be ‘dice’, the very same handle that was linked to the Dexter malware. A PDB path is a string the build tool writes and an author can edit or strip, so on its own it is a lead rather than proof; it becomes significant when it lines up with other evidence, as it does here.
Further, compile timestamps show that this network-spreading malware was compiled a mere seven minutes after the encrypted Backoff 1.55 ‘net’ sample embedded within it. Additionally, the unencrypted version of Backoff carries a timestamp three minutes earlier than the encrypted copy.
- NetworkSpreader Compile Timestamp: 2014-04-29 13:23:36 -0600
- Encrypted Backoff 1.55 ‘net’ Compile Timestamp: 2014-04-29 13:16:37 -0600
- Unencrypted Backoff 1.55 ‘net’ Compile Timestamp: 2014-04-29 13:13:54 -0600
This information further adds to the evidence that ‘dice’ is the author behind Backoff, or at the very least, has access to the Backoff source code.
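The timestamps and the PDB path above both come from the PE headers. As an added example, not code from the original post, here is a standard-library Python script that reads the COFF TimeDateStamp and the CodeView ‘RSDS’ record from a PE file and computes the gap between two builds. The PE blob it parses is constructed inline with the NetworkSpreader and Backoff timestamps and the PDB path quoted in the post; it is not the real sample. Locating the RSDS record by signature scan rather than via the debug directory is a shortcut, and is noted as such in the code.

```python
"""Added example (not from the original post): read a PE file's compile
timestamp and CodeView PDB path with only the standard library.

The COFF header's TimeDateStamp is seconds since the Unix epoch (UTC). The
PDB path lives in an 'RSDS' CodeView record referenced from the debug
directory; resolving that RVA needs the section table, so this example takes
the common shortcut of scanning the file for the RSDS signature. The PE blob
is constructed here with the timestamps and PDB path quoted in the post; it
is not the real binary.
"""
import struct
from datetime import datetime, timedelta, timezone

# Values quoted in the post (used only to build the constructed blob below).
POST_PDB = r"C:\Users\dice\Desktop\networkspreader\networkspreader\Release\networkspreader.pdb"
MDT = timezone(timedelta(hours=-6))
SPREADER_TS = int(datetime(2014, 4, 29, 13, 23, 36, tzinfo=MDT).timestamp())
ENC_BACKOFF_TS = int(datetime(2014, 4, 29, 13, 16, 37, tzinfo=MDT).timestamp())


def pe_timestamp(data):
    """Return the COFF TimeDateStamp as an aware UTC datetime, or None if not PE."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    # Need the 4-byte signature plus the 20-byte COFF header to be present.
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    # COFF header: Machine(2) NumberOfSections(2) TimeDateStamp(4) ...
    ts = struct.unpack_from("<I", data, e_lfanew + 8)[0]
    return datetime.fromtimestamp(ts, tz=timezone.utc)


def pdb_path(data):
    """Return the PDB path from the first RSDS record found by signature scan.

    Layout: 'RSDS'(4) GUID(16) Age(4) then a NUL-terminated path. Scanning
    for the signature is a shortcut; a full parser would walk the debug
    directory instead.
    """
    i = data.find(b"RSDS")
    if i < 0:
        return None
    start = i + 24
    end = data.find(b"\0", start)
    if end < 0:
        return None
    return data[start:end].decode("latin-1")


def describe(data):
    """Summarise a PE blob: compile time as ISO 8601 UTC and the PDB path."""
    ts = pe_timestamp(data)
    return {"compiled_utc": ts.isoformat() if ts else None, "pdb": pdb_path(data)}


def seconds_between(data_a, data_b):
    """Seconds from data_a's compile time to data_b's (positive if b is later)."""
    return int((pe_timestamp(data_b) - pe_timestamp(data_a)).total_seconds())


def build_sample_pe(ts, path=None):
    """Construct a minimal PE-shaped blob: DOS header, PE signature, COFF header, RSDS."""
    dos = bytearray(b"MZ" + b"\0" * 0x3E)     # 0x40-byte DOS header
    struct.pack_into("<I", dos, 0x3C, 0x40)    # e_lfanew: PE signature at 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 1, ts, 0, 0, 0, 0x102)
    blob = bytes(dos) + b"PE\0\0" + coff + b"\0" * 16
    if path is not None:
        blob += b"RSDS" + b"\x11" * 16 + struct.pack("<I", 1) + path.encode("ascii") + b"\0"
    return blob


if __name__ == "__main__":
    spreader = build_sample_pe(SPREADER_TS, POST_PDB)
    backoff = build_sample_pe(ENC_BACKOFF_TS)
    print(describe(spreader))
    print("seconds after embedded Backoff build:", seconds_between(backoff, spreader))
```

The timestamp is reported in UTC; the post's values are in UTC-6, which is why the -0600 offset is applied when the sample blob is built. Remember that TimeDateStamp is just a 32-bit field an author can overwrite, so it carries the same weight as the PDB path: corroborating, not conclusive.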
Overall, this malware sample was quite interesting. While the actions this malware performs are anything but sophisticated, it provides an interesting glimpse of how the Backoff malware family spreads on a compromised network after the initial compromise. Additionally, debug strings found within the ‘networkspreader’ malware strongly suggest that the author of Dexter may also be behind the Backoff malware family.