Point-of-sale malware has been at the center of numerous high-profile breaches this year. Many of those attacks have involved three pieces of malware – BlackPOS, FrameworkPOS and Backoff.
In a new report, researchers at security firm Cyphort have peeled the layers back from each of these cyber-weapons, which have been linked to attacks on businesses ranging from Target to Home Depot to UPS.
Cyphort co-founder Fengmin Gong believes point-of-sale (PoS) malware has been so impactful this year for three main reasons: retailers have been slow to shore up their defenses; Backoff and its derivatives were quickly adopted by cyber-criminals; and publicity about retail breaches has called attention to the effectiveness of PoS malware.
"There definitely is growing awareness [of PoS malware], pressure from compliance, reputation, threatened law suit, and probably more importantly, top executives losing their jobs," he said. "However, the gap is the practical know-how that prevents them from implementing effective protection."
Recently, security firm Damballa noted that detections of the Backoff malware jumped 57 percent from August to September. During the month of September alone, Backoff infections increased 27 percent.
Among the breaches tied to Backoff is the attack on UPS, according to the Cyphort report. In the report, the firm notes that unlike BlackPOS and FrameworkPOS, Backoff is not oriented toward specific victims. Instead, it is built to operate on random PoS machines, listens to a command and control server and is independent of the retailer’s local infrastructure.
"Backoff is the most sophisticated…mainly because it’s designed to attack a broad spectrum of POS systems, it’s designed with all the modern malware armoring techniques, from protection layers to frustrate static analyses to the behavior armoring to evade simple sandboxing," Gong said. "Since our blog on September 19 and the special report, we have seen more reports, e.g. from both US Secret Service Alerts and Fortinet blog on November 3, pointing to Backoff infections. It appears that Backoff is either sold or shared through a form of SDK (software development kit) by multiple groups. Newer advanced versions are being produced and deployed in new campaigns."
FramworkPOS and BlackPOS, on the other hand, are like off-the-shelf software and are tailored specifically for dedicated targets, the report explains.
"They are most likely not from the same authors but FrameworkPOS leaves the strong impression of a copycat attack after former POS malware incidents," according to the report. "Basic principles and ideas are identical, as of creating a service, scanning chunks of memory, pushing data to a local SMB server and hiding the data in a fake binary file in system root. Still, the implementation methods look very different. FrameworkPOS is very linear, no multi-threading is performed and the data exfiltration is controlled by time intervals rather than coordinated by two threads. Also, FrameworkPOS scans multiple processes, while BlackPOS limits itself to the pos.exe process of the infected POS device. Interestingly, all three families show slightly different memory scraping methods."
Cyphort recommends retailers take a number of steps to improve PoS security, including eliminating unnecessary system capabilities to limit a potential intruder and designing a security baseline that accounts for the complete attack lifecycle hackers have to fulfill to infect a system.
The full report is available online in PDF format.