Cyber criminals continue to successfully target and compromise Point-of-Sale (POS) systems, oftentimes stealing millions of credit card records before being discovered. The most recent POS malware, “Backoff,” was reported by the United States Computer Emergency Readiness Team (US-CERT) at the end of July and is already affecting companies such as UPS and Dairy Queen. Backoff is a family of malware that has been discovered during several breach investigations targeting POS systems, with estimates as high as 1,000 U.S. businesses impacted. Reports by investigators and first responders indicate that the malware and its variants had a low to zero percent anti-virus detection rate, meaning that fully updated anti-virus engines on fully patched computers could not identify the malware as malicious.
Backoff malware typically contains the following capabilities:
- Scraping memory for track data
- Logging keystrokes
- Command & control (C2) communication
- Injecting a malicious stub into explorer.exe
To install the malware on the POS system, most attackers first scan retailers’ networks to identify remote administration services that are enabled and accessible from the Internet, e.g., Windows Remote Desktop. The attacker then conducts a brute-force attack against the services, often compromising an administrator’s account. Using the administrator’s account, the attacker installs the Backoff malware, and credit card data is then exfiltrated over an encrypted path back to a command and control server.
To assist our customers in finding Backoff infections, Qualys published QID 1264 (Backoff Point-of-Sale Malware Detected) – see figure below. Using authenticated scanning, QID 1264 searches Microsoft Windows machines for the key indicators of compromise (IOCs) tied to the Backoff malware, including searching for the existence of malware executables. If IOCs are discovered, Qualys will alert security staff, who should immediately initiate their incident response process.
If you work or consult for companies with POS systems, I highly recommend that you visit https://www.us-cert.gov/ncas/alerts/TA14-212A and take the following immediate steps:
1. Configure your systems to look for the IOCs listed in the US-CERT alert by scanning for QID 1264.
2. If scanning identifies a suspected Backoff malware infection, immediately initiate your incident response plan and move to quickly contain the malware and stop any outbound traffic potentially containing credit card data.
3. Review firewall and security device logs for signs of brute force attacks against remote administration services.
4. Limit the Internet exposure of all remote administration tools and services where possible.
5. Implement stringent lockout procedures and two-factor authentication for all remote administration tools and services.
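As an illustration of the log review in step 3, the following added example (not Qualys or US-CERT code, and unrelated to how QID 1264 works) flags sources that produce a burst of failed Remote Desktop logons and notes any successful logon that follows. The flat log format, the threshold and the time window are assumptions; the event IDs and logon type are the standard Windows Security values.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample, assumed flat export of Windows Security events:
# timestamp,event_id,logon_type,account,source_ip (sorted by time).
# 4625 = failed logon, 4624 = successful logon, logon type 10 = RDP.
SAMPLE_LOG = """\
2014-08-20T02:14:01,4625,10,administrator,203.0.113.45
2014-08-20T02:14:03,4625,10,administrator,203.0.113.45
2014-08-20T02:14:05,4625,10,admin,203.0.113.45
2014-08-20T02:14:08,4625,10,administrator,203.0.113.45
2014-08-20T02:14:10,4625,10,administrator,203.0.113.45
2014-08-20T02:14:12,4625,10,administrator,203.0.113.45
2014-08-20T02:14:15,4624,10,administrator,203.0.113.45
2014-08-20T09:01:10,4625,10,jsmith,198.51.100.7
2014-08-20T09:01:40,4624,10,jsmith,198.51.100.7
"""

FAILED, SUCCESS, RDP_LOGON = "4625", "4624", "10"

def find_bruteforce(log_text, threshold=5, window=timedelta(minutes=2)):
    """Return {source_ip: {...}} for sources with at least `threshold`
    failed RDP logons inside any sliding `window` (both are assumptions)."""
    recent = defaultdict(deque)  # source_ip -> timestamps of recent failures
    flagged = {}
    for line in log_text.splitlines():
        parts = [p.strip() for p in line.split(",")]
        if len(parts) != 5 or parts[2] != RDP_LOGON:
            continue  # malformed line or not a Remote Desktop logon
        ts_raw, event_id, _, account, src = parts
        try:
            ts = datetime.fromisoformat(ts_raw)
        except ValueError:
            continue  # skip lines with an unparseable timestamp
        if event_id == FAILED:
            q = recent[src]
            q.append(ts)
            while ts - q[0] > window:  # drop failures older than the window
                q.popleft()
            if len(q) >= threshold:
                hit = flagged.setdefault(
                    src, {"peak_failures": 0, "success_after_burst": []})
                hit["peak_failures"] = max(hit["peak_failures"], len(q))
        elif event_id == SUCCESS and src in flagged:
            # A success from a source that just brute-forced is the key signal.
            if account not in flagged[src]["success_after_burst"]:
                flagged[src]["success_after_burst"].append(account)
    return flagged
```

A source with a non-empty `success_after_burst` list is the case to escalate first, since it matches the pattern described above of a brute-forced administrator account being used to install the malware.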
New occurrences of the Backoff POS malware are reported almost on a weekly basis. We hope QID 1264 will help you as a tool to verify that your network is free of POS malware. If you are interested in a technical deep dive on these malware capabilities, I recommend this talk by Qualys’ Director of Vulnerability Labs, Amol Sarwate, delivered recently at BSides Las Vegas: “BG05 Anatomy of Memory Scraping Credit Card Stealing POS Malware” (YouTube).