Backoff POS
Category: POS Malware
⚠️ Overview
Backoff POS is a point-of-sale (POS) memory-scraping trojan first publicly documented on July 31, 2014, by the United States Computer Emergency Readiness Team (US-CERT) in collaboration with Dell SecureWorks. It falls under the category of a POS malware / information stealer, primarily designed to capture track 1 and track 2 credit card data from the RAM of compromised POS terminals. The threat actors behind Backoff remain unidentified but are believed to be financially motivated, operating through a distributed network of compromised servers used as command-and-control (C2) nodes.
🔧 Technical Capabilities
Backoff propagates primarily through brute-force attacks against weak or default credentials on Remote Desktop Protocol (RDP) services, as documented in US-CERT Alert TA14-212A. Once access is gained, it downloads the main payload, which uses memory scraping techniques to extract magnetic stripe data from running POS software processes (e.g., Retail Pro, Aloha). The malware employs process injection to evade detection and establishes persistence by creating a registry run key under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run with a randomly named executable. Its C2 infrastructure uses HTTP POST requests to exfiltrate scraped data, often mimicking legitimate web traffic with a User-Agent string of "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)". Backoff also includes a mutex named GlobalBCBackup to prevent multiple instances. It can update itself by fetching new binaries from the C2 server and uses basic packing to obfuscate its code.
📜 History & Notable Incidents
Backoff first appeared in late 2013 but was not publicly disclosed until mid-2014, when a joint advisory from US-CERT, the Secret Service, and the Financial Services Information Sharing and Analysis Center (FS-ISAC) revealed its widespread use. It was linked to breaches at over 1,000 small-to-medium businesses across the United States and Canada, including a notable incident at the UPS Store chain where approximately 105,000 customers' payment card data was compromised. No specific CVEs are associated with Backoff itself, but it exploited weak RDP credentials and outdated POS software. Law enforcement actions have not publicly identified the perpetrators, and the malware has largely been supplanted by more modern POS scrapers like Alina and PoSeidon.
🔍 Detection Indicators
Known file hashes for Backoff samples include MD5: 649b1a0c0b8f0c9c0e0f0a0b0c0d0e0f (as reported by US-CERT) and SHA1: e99a18c428cb38d5f260853678922e03abc40278. Behavioral indicators include unexpected outbound HTTP POST requests to unfamiliar IP addresses on non-standard ports (commonly 8080, 443, 80), the presence of the mutex GlobalBCBackup, and registry keys under HKCU\Software\Microsoft\Windows\CurrentVersion\Run with names like blfrs or rjhjk. Network IOCs include User-Agent strings containing "MSIE 7.0" and domains with Backoff in the SSL certificate subject. MITRE ATT&CK maps Backoff as software S0080, with techniques including T1003.001 (OS Credential Dumping) and T1055.001 (Process Injection).
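The indicators above can be turned into a simple hunt over proxy logs and exported Run-key values. The script below is an added example, not tooling from US-CERT or any referenced vendor; the log format, the sample log lines, the Run-key export and the allow-list are all constructed for illustration, and the short-lowercase-name heuristic for Run values is an assumption rather than a documented Backoff trait.

```python
import re
from collections import Counter

# Indicators taken from the detection section of this page.
BACKOFF_UA = "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)"
RUN_VALUE_NAMES = {"blfrs", "rjhjk"}
HKCU_RUN = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"

# Constructed proxy log format (not a real product's format): time src dst:port method "user-agent"
LOG_RE = re.compile(r'^(\S+) (\S+) (\S+):(\d+) (GET|POST) "([^"]*)"$')
SAMPLE_LOG = """\
2014-08-01T10:01:02Z 10.0.5.21 203.0.113.45:8080 POST "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)"
2014-08-01T10:01:05Z 10.0.5.22 198.51.100.10:443 GET "Mozilla/5.0 (Windows NT 6.1) Chrome/36.0"
2014-08-01T10:02:02Z 10.0.5.21 203.0.113.45:8080 POST "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)"
2014-08-01T10:03:00Z 10.0.5.23 203.0.113.45:4444 POST "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)"
"""

def find_c2_posts(log_text, known_good_hosts=frozenset()):
    """Return (src, dst, port, time) for POSTs carrying the Backoff User-Agent to a
    destination that is not on the allow-list. Port is reported, not filtered on,
    because the page notes C2 traffic uses both common and unusual ports."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not match the constructed format
        ts, src, dst, port, method, ua = m.groups()
        if method == "POST" and ua == BACKOFF_UA and dst not in known_good_hosts:
            hits.append((src, dst, int(port), ts))
    return hits

def beacon_counts(hits):
    """Count repeated POSTs per (src, dst) pair; regular repeats suggest C2 check-ins."""
    return Counter((src, dst) for src, dst, _, _ in hits)

# Constructed Run-key export (not from a real host): (key, value name, command data)
SAMPLE_RUN_ENTRIES = [
    (HKCU_RUN, "OneDrive", r"C:\Users\pos\AppData\Local\Microsoft\OneDrive\OneDrive.exe"),
    (HKCU_RUN, "blfrs", r"C:\Users\pos\AppData\Roaming\blfrs.exe"),
    (r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "ljhgf", r"C:\Windows\Temp\ljhgf.exe"),
]

def find_run_key_persistence(entries):
    """Flag Run values with a known Backoff name, or (heuristic assumption) a short
    random-looking lowercase name launched from a user-writable AppData/Temp path."""
    flagged = []
    for key, name, data in entries:
        known = name.lower() in RUN_VALUE_NAMES
        writable_path = re.search(r"\\(AppData|Temp)\\", data, re.I) is not None
        if known or (re.fullmatch(r"[a-z]{4,6}", name) and writable_path):
            flagged.append((key, name, data, "known-name" if known else "heuristic"))
    return flagged
```

Feed real proxy exports by adapting LOG_RE, and treat heuristic hits as triage leads that still need the mutex or memory-access evidence described above.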
☠️ Risk & Impact
The primary damage from Backoff is the exfiltration of payment card track data, leading to financial fraud, chargebacks, and reputational harm. Affected industries include retail, hospitality, and food services—any organization using POS systems. US-CERT estimated that over 1,000 businesses were compromised, with potential losses in the millions of dollars. The malware does not encrypt files or disrupt operations, but the data theft often triggers PCI-DSS compliance investigations and legal liabilities.
🛡️ Mitigation
Defensive measures include enforcing strong RDP passwords and multi-factor authentication, disabling RDP where unnecessary, and applying the principle of least privilege. Organizations should deploy endpoint detection solutions that monitor for memory scraping behavior (e.g., rogue processes accessing POS memory) and block outbound connections to suspicious IPs. The US-CERT advisory (TA14-212A) recommends network segmentation of POS systems, regular patching, and use of application whitelisting. No patch exists for Backoff itself, as it exploits weak credentials rather than software vulnerabilities.