‘Backoff’ Point of Sale (POS) malware has infected hundreds of U.S. businesses
According to an alert released on Thursday by the United States Computer Emergency Readiness Team (US-CERT), attackers are using publicly available tools to locate businesses that use remote desktop applications to conduct their online sales. After locating these remote applications, listed below, they brute-force them to obtain administrator or other privileged accounts and then use that access to deploy the malware.
Some of these remote desktop applications include Microsoft Remote Desktop, Apple Remote Desktop, Chrome Remote Desktop, Splashtop, Pulseway, and LogMeIn’s join.me.
The United States Secret Service (USSS), the National Cybersecurity and Communications Integration Center (NCCIC), US-CERT and Trustwave SpiderLabs have been working together to characterize newly identified malware dubbed “Backoff”. Initial investigations suggested that the malware had a zero antivirus detection rate, which made it almost undetectable by any major antivirus software.
The malware scrapes memory from running processes on the victim machine, searching for payment card track data. Additionally, the malware has a C2 component responsible for uploading discovered data, updating the malware, downloading and executing further malware, and uninstalling the malware. According to the US-CERT research, the latest version of Backoff also includes a keylogging feature, making it a serious threat.
The Backoff malware, like any other POS malware, can cause critical damage to a business by exposing customer data such as names, mailing addresses, credit/debit card numbers, phone numbers, and e-mail addresses.
Information Systems & Supplies Inc. (ISS) was one of the victims of the Backoff POS malware, along with Target, P. F. Chang’s, Neiman Marcus, Michaels, Sally Beauty Supply, and Goodwill Industries International. As of now, it has infected many major corporations, according to US-CERT.
The Backoff malware is currently undetectable by antivirus software; however, using strong passwords together with two-factor authentication reduces the risk of being compromised.
Most of the businesses infected by this malware used the default ports for their remote access applications, which made it much easier for attackers to compromise their systems.
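Defenders can catch the brute-force step described above before it succeeds by watching remote desktop logon failures. The following is an added example, not code from the US-CERT alert or this article: it parses a constructed, simplified export of Windows Security logon events and flags a source address that accumulates repeated failed RDP logons in a short window, and again when that same source later logs in successfully. Event IDs 4624/4625 and logon type 10 are real Windows values; the CSV layout, threshold, window and addresses are assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed, simplified export of Windows Security events (not a real log):
# timestamp, event_id (4625 = failed logon, 4624 = successful logon),
# logon_type (10 = RemoteInteractive, i.e. RDP), account, source address.
SAMPLE_EVENTS = """\
2014-07-31T02:00:01,4625,10,administrator,198.51.100.7
2014-07-31T02:00:03,4625,10,admin,198.51.100.7
2014-07-31T02:00:04,4625,10,pos,198.51.100.7
2014-07-31T02:00:06,4625,10,administrator,198.51.100.7
2014-07-31T02:00:08,4625,10,administrator,198.51.100.7
2014-07-31T02:00:09,4624,10,administrator,198.51.100.7
2014-07-31T02:10:00,4625,10,clerk,192.0.2.10
2014-07-31T02:30:00,4624,10,clerk,192.0.2.10
"""

FAILED, SUCCESS, RDP = "4625", "4624", "10"

def parse_events(text):
    """Yield (time, event_id, logon_type, account, src_ip) tuples."""
    for line in text.strip().splitlines():
        ts, eid, ltype, acct, ip = line.split(",")
        yield datetime.fromisoformat(ts), eid, ltype, acct, ip

def detect_rdp_bruteforce(text, threshold=4, window=timedelta(minutes=5)):
    """Return alerts: one per source whose RDP failures inside the sliding
    window reach `threshold`, and one more if that source then logs in
    successfully (a likely password-guessing success, worth triage)."""
    recent = defaultdict(deque)   # src_ip -> timestamps of recent failures
    flagged = set()
    alerts = []
    for ts, eid, ltype, acct, ip in parse_events(text):
        if ltype != RDP:
            continue
        q = recent[ip]
        while q and ts - q[0] > window:   # drop failures outside the window
            q.popleft()
        if eid == FAILED:
            q.append(ts)
            if len(q) >= threshold and ip not in flagged:
                flagged.add(ip)
                alerts.append(("bruteforce", ip, len(q)))
        elif eid == SUCCESS and ip in flagged:
            alerts.append(("success_after_bruteforce", ip, acct))
    return alerts

if __name__ == "__main__":
    for alert in detect_rdp_bruteforce(SAMPLE_EVENTS):
        print(alert)
```

The single failure from 192.0.2.10 followed by a success twenty minutes later never reaches the threshold, so it produces no alert; the burst from 198.51.100.7 does.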
Author: Abhishek Kumar Jha