Fortinet, a leading provider of high-performance network security solutions, announced that FortiGuard researchers have discovered an even newer variant of the “Backoff” Point-of-Sale malware family, “211G1,” leveraging sophisticated techniques to hinder the analysis process and evade detection.
The newest version, detected as W32/Backoff.C!tr.spy, is now equipped with code that maps the image to its original base address before continuing to execute, putting even more roadblocks to the analysis process.
The malware hides itself in the user’s application data folder but, unlike the previous version, randomly selects a name from a predefined list. The malware is designed to steal credit card numbers off Point of Sale terminals, which could potentially result in millions of stolen cards if a major retailer is hit. Fortinet claims that it is one of two security companies able to detect and block this malware today.
On November 3rd, FortiGuard researchers detected an updated version of “Backoff,” dubbed ROM, which performed many of the same functions as its predecessor, but leveraged a slew of new techniques that made the threat more difficult to detect and analyze. This version circumvented security controls by disguisingitself as a media player with the file name mplayer.exe and dropping a file in the user’s Application Data folder.
FortiGuard researchers have observed that the malware authors are continuing to modify the threat in order to bypass security detection, and recommend that users maintain updated antivirus software to better protect themselves from this evolving threat.