Backoff POS Malware: Bringing Criminals To Where The Money Is
Your speakers today
o Nick Bilogorskiy, Director of Security Research
o Shelendra Sharma, Product Marketing Director
Agenda
o Recent Point-of-sale breaches
o BlackPOS recap
o Dissecting FrameworkPOS
o Dissecting Backoff
o Conclusion and Mitigation
o Wrap-up and Q&A
Cyphort Labs T-shirt
Threat Monitoring & Research team
o 24x7 monitoring for malware events
o Assist customers with their forensics and incident response
We enhance malware detection accuracy
o False positives/negatives
o Deep-dive research
We work with the security ecosystem
o Contribute to and learn from malware KB
o Best of 3rd party threat data
Recent Breaches
POS malware:
o BlackPOS (Target)
o FrameworkPOS (Home Depot)
o Backoff POS bot (UPS Stores)
Recent POS Breaches (timeline): Nov 2013, Apr 2014, Sep 2014
BlackPOS
BlackPOS (Kaptoxa)
o November 2013
o 40 million cards stolen
o $500 Million total exposure to Target (Gartner)
o Cards resold on Rescator forum
How Did The Target Breach Happen?
o Utility contractor’s Target credentials compromised
o Hackers accessed the Target network
o Uploaded malware to a few POS systems
o Tested malware efficacy and uploaded to the majority of POS systems
o Data drop locations across the world
Target breach flow diagram (labels):
o Login from the HVAC contractor
o Target’s POS updater server
o Point of sale network
o Target’s internal server with fileshare
o Credit card info transfer to internal fileshare
o Card info exfiltration using FTP to external drop location
o Compromised drop locations
Who wrote BlackPOS/Potato?
o The suspect in the breach is a person called “Rescator” aka “Hel”. He is part of a larger hacker network called “Lampeduza Republic”.
o Rescator sold the stolen Target card info in bulk in underground markets at a price of $20-45 per card.
o Brian Krebs named Andrey Hodirevski from Ukraine as Rescator.
(Image: Hel)
FRAMEWORKPOS
o April – Sep 2014
o 56 Million cards leaked
o Copy-cat attack, imitated BlackPOS.
o Cards resold on Rescator forum
o Likely different actors
FRAMEWORKPOS: Anti-American motivation
o The malware contains links to articles and pictures that blame America for the conflicts in Ukraine and the Middle East
BlackPOS Workflow vs FrameworkPOS Workflow
1. Infect System
o Adds to autostart via service
o POSWDS (Target)
o McAfee Framework Management Instrumentation (HD)
2. Steal Info
o Use memory scraping to find credit card data
o Output to a file locally
o winxml.dll (Target)
o McTrayErrorLogging.dll (HD)
3. Exfiltrate Info
o Periodically scan the raw file for updates
o Upload information to the FTP server
Backoff
o Began in October 2013
o Government found it and warned retailers
o Not targeted
o Protected by run-time packer
o Supports keylogging
o Communicates to a C&C, can update itself.
Backoff Execution (diagram, source: Trustwave)
Strings shown in the diagram: nUndsa8301nskal, nsskrnl
Backoff CNC details
Command parsing function (screenshot)
Every 45 seconds the Backoff malware connected to total-updates.com (81.4.111.176) and asked what to do.
Backoff Data Exfiltration
o Collects credit cards from memory scraping
o The data is RC4 encrypted and B64 encoded
o Wait at least 45 seconds before sending out
o Filters for VISA, MasterCard, and Discover cards
o Uses the Luhn Algorithm to check the validity of the account number
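The exfiltration slide above describes the scraper's selection logic: candidate numbers are filtered by card brand (Visa, MasterCard, Discover) and validated with the Luhn check. The same logic turned around makes a useful defensive scan: run it over a suspicious local file (the winxml.dll / McTrayErrorLogging.dll style drop files named earlier) or a memory dump and flag it when it contains a run of Luhn-valid card numbers. The block below is an added example written for this page, not code from the original deck or from any of the malware families it covers. The sample "scraper output" is constructed from public test card numbers and made-up values, and the brand prefix ranges (Visa 4, MasterCard 51-55, Discover 6011/65) are the classic IIN ranges, stated here as an assumption.

```python
import re

# Constructed sample of what a memory scraper's local output file might contain.
# The card numbers are public test numbers or made-up values, not real accounts.
SAMPLE_SCRAPER_OUTPUT = """\
lane=03 ts=20140910T100045
4532015112830366=2412101
5555555555554444
6011111111111117
378282246310005
1234567890123456
4532015112830367
"""

# Runs of 13-19 digits not adjacent to other digits (PAN lengths in practice).
PAN_RE = re.compile(r"(?<!\d)\d{13,19}(?!\d)")


def luhn_ok(digits):
    """Return True if the digit string passes the Luhn mod-10 check."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def card_brand(pan):
    """Classify by leading digits; assumed classic IIN ranges, not an authoritative table."""
    if pan[0] == "4" and len(pan) in (13, 16):
        return "visa"
    if pan[:2] in {"51", "52", "53", "54", "55"} and len(pan) == 16:
        return "mastercard"
    if (pan.startswith("6011") or pan.startswith("65")) and len(pan) == 16:
        return "discover"
    return "other"


def find_pans(text):
    """All candidate digit runs with their brand and Luhn result, in order of appearance."""
    return [(m.group(0), card_brand(m.group(0)), luhn_ok(m.group(0)))
            for m in PAN_RE.finditer(text)]


def mask(pan):
    """Keep first six and last four digits so findings can be logged without storing full PANs."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def flag_scraper_output(text, brands=frozenset({"visa", "mastercard", "discover"}), min_hits=3):
    """Flag a file as likely scraper output when it holds >= min_hits Luhn-valid PANs of the given brands."""
    hits = [(mask(p), b) for p, b, ok in find_pans(text) if ok and b in brands]
    return {"suspicious": len(hits) >= min_hits, "count": len(hits), "hits": hits}


if __name__ == "__main__":
    print(flag_scraper_output(SAMPLE_SCRAPER_OUTPUT))
```

Note that the Amex test number in the sample passes Luhn but is classified "other" and so is not counted, mirroring the brand filter the slide attributes to Backoff; when using this as a DLP check you would normally widen the brand set rather than copy the malware's narrow one. Findings are masked before they are returned so the scanner itself does not create a second copy of full card numbers.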
Manual imprinting
Chip-based smart credit cards: EMV
NFC – Apple Pay
What we learned
o Most likely each malware is made by different actors.
o Backoff is a large scale bot, with a POS scraping feature.
o FrameWorkPOS and BlackPOS were custom, targeted at dedicated victims.
o Criminals will always be where the money is at.
Mitigation tactics
o Proper risk assessment of company assets
o Well planned network separation
o Accurate threat level prioritization
o Minimalistic endpoints
o Checking for unfamiliar network callbacks
o Upgrade and patch
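Two points in the deck fit together: the CNC slide notes that Backoff called total-updates.com every 45 seconds, and the mitigation list recommends checking for unfamiliar network callbacks. A fixed-interval poll is exactly what stands out in proxy or firewall logs if you look at the timing of requests per client and destination rather than at the destination alone. The block below is an added example for this page, not code from the original deck or from Cyphort: it groups constructed proxy log lines by (client, destination), computes the gaps between requests, and flags destinations whose gaps have very low jitter and are not on an allow-list of known periodic hosts. The log format, the client address, the hosts av-updates.example and cdn.vendor.example, and the allow-list are all assumptions; total-updates.com is the domain named on the CNC slide.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed proxy log lines: "<ISO timestamp> <client> <destination host> <method>".
# total-updates.com is the C&C domain named in the deck; the other hosts are made up.
SAMPLE_PROXY_LOG = """\
2014-09-10T10:00:00 10.1.5.21 total-updates.com POST
2014-09-10T10:00:05 10.1.5.21 av-updates.example GET
2014-09-10T10:00:10 10.1.5.21 cdn.vendor.example GET
2014-09-10T10:00:13 10.1.5.21 cdn.vendor.example GET
2014-09-10T10:00:45 10.1.5.21 total-updates.com POST
2014-09-10T10:01:05 10.1.5.21 av-updates.example GET
2014-09-10T10:01:30 10.1.5.21 total-updates.com POST
2014-09-10T10:02:05 10.1.5.21 av-updates.example GET
2014-09-10T10:02:15 10.1.5.21 total-updates.com POST
2014-09-10T10:02:40 10.1.5.21 cdn.vendor.example GET
2014-09-10T10:02:41 10.1.5.21 cdn.vendor.example GET
2014-09-10T10:03:00 10.1.5.21 total-updates.com POST
2014-09-10T10:03:05 10.1.5.21 av-updates.example GET
2014-09-10T10:03:45 10.1.5.21 total-updates.com POST
2014-09-10T10:04:05 10.1.5.21 av-updates.example GET
2014-09-10T10:05:00 10.1.5.21 cdn.vendor.example GET
"""

# Assumed allow-list: hosts that are expected to poll on a schedule (AV/patch servers).
KNOWN_PERIODIC_HOSTS = frozenset({"av-updates.example"})


def parse_log(text):
    """Group request timestamps by (client, destination host)."""
    events = defaultdict(list)
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue                     # skip blank or malformed lines
        ts, client, host = parts[0], parts[1], parts[2]
        events[(client, host)].append(datetime.fromisoformat(ts))
    return events


def detect_beacons(text, min_hits=5, max_cv=0.15, known_hosts=KNOWN_PERIODIC_HOSTS):
    """Return destinations a client contacts at a near-constant interval.

    A (client, host) pair is flagged when it has at least min_hits requests,
    the host is not on the allow-list, and the coefficient of variation of
    the inter-request gaps (stdev / mean) is at most max_cv.
    """
    findings = []
    for (client, host), stamps in parse_log(text).items():
        if host in known_hosts or len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue                     # duplicate timestamps only; nothing to measure
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            findings.append({"client": client, "host": host, "hits": len(stamps),
                             "period_s": round(avg, 1), "jitter_cv": round(cv, 3)})
    findings.sort(key=lambda f: (f["client"], f["host"]))
    return findings


if __name__ == "__main__":
    for f in detect_beacons(SAMPLE_PROXY_LOG):
        print(f)
```

On the sample data only total-updates.com is reported (six requests, 45 s apart, zero jitter); cdn.vendor.example is contacted as often but irregularly, and av-updates.example polls every 60 s but is on the allow-list. Passing an empty allow-list makes the AV host show up too, which is the point of the "unfamiliar" qualifier on the slide: periodicity alone is a lead, and the allow-list is what turns it into an alert worth a look. Real malware may add jitter, so in production the threshold and the minimum hit count are tuned against the environment's own baseline.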
Q and A
o Information sharing and advanced threats resources
o Blogs on latest threats and findings
o Tools for identifying malware
Thank You!
Malware's Most Wanted (MMW): Backoff POS Malware