A new version of the “Backoff” point-of-sale (PoS) malware no longer uses a version number in the malware body, but just uses the version name ROM.
It behaves very similarly to Backoff's previous versions, but modifications have been made to make analysis more difficult and to avoid detection.
In this version, the credit card extracting functionality is still very much the same, but the malware author has added two extra features: hashing the names of the blacklisted processes, and storing the stolen credit card information on the local system. Like the previous version, ROM excludes certain processes from being parsed, but instead of simply comparing the process name against its hardcoded blacklist in plaintext, it now uses a table of hashed values.
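The practical effect of a hashed blacklist is that a string scan of the binary no longer reveals which process names the malware skips, so an analyst has to recover the hash routine and then run known process names through it. The following Python is an added illustration of that analyst workflow; it is not code from the page or from the Backoff sample. The hash function (CRC32 over the lowercased name), the sample table, and the candidate-name list are all assumptions constructed for the example, not the algorithm or values used by ROM.

```python
"""Analyst-side recovery of a hashed process-name blacklist.

Added example (not from the original article). The hash routine and the
sample table are ASSUMPTIONS chosen for illustration; a real case starts by
recovering the actual routine from the binary, after which the workflow
below is identical.
"""
import zlib


def name_hash(name: str) -> int:
    """ASSUMED hash: CRC32 of the lowercased process name (not Backoff's)."""
    return zlib.crc32(name.lower().encode("ascii")) & 0xFFFFFFFF


# CONSTRUCTED stand-in for the table found in a sample: the binary holds
# only these 32-bit values, so "strings" shows no readable process names.
SAMPLE_BLACKLIST_HASHES = frozenset(
    name_hash(n) for n in ("explorer.exe", "svchost.exe", "lsass.exe")
)


def is_blacklisted(process_name: str, table=SAMPLE_BLACKLIST_HASHES) -> bool:
    """The comparison the malware performs: hash the running process name
    and look it up, instead of comparing plaintext strings."""
    return name_hash(process_name) in table


def recover_blacklist(table, candidate_names):
    """Dictionary approach used by an analyst: hash every known process name
    and report which table entries it explains. Returns a mapping of
    hash -> plaintext name for the entries that were recovered; entries not
    matched by any candidate stay unknown and are left out."""
    recovered = {}
    for name in candidate_names:
        h = name_hash(name)
        if h in table:
            recovered[h] = name.lower()
    return recovered


def unexplained(table, recovered) -> set:
    """Table entries no candidate name accounted for (still opaque)."""
    return set(table) - set(recovered)


if __name__ == "__main__":
    # CONSTRUCTED candidate list; in practice a wordlist of common Windows,
    # AV and PoS process names is used.
    candidates = ["notepad.exe", "LSASS.EXE", "svchost.exe", "pos.exe"]
    hits = recover_blacklist(SAMPLE_BLACKLIST_HASHES, candidates)
    for h, n in sorted(hits.items()):
        print(f"0x{h:08x} -> {n}")
    print("still unknown:", [f"0x{h:08x}" for h in unexplained(SAMPLE_BLACKLIST_HASHES, hits)])
```

Matching is case-insensitive here only because the assumed hash lowercases its input first; when reversing a real sample, check whether the recovered routine normalizes case, since that decides which spellings of a process name the blacklist actually covers.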