{
	"id": "d728b7ff-243c-44e5-bf77-1327e8db4661",
	"created_at": "2026-04-06T00:17:40.075571Z",
	"updated_at": "2026-04-10T03:21:21.496046Z",
	"deleted_at": null,
	"sha1_hash": "39dbc1e3c9f90cce9aef307414c97235b3f276d1",
	"title": "Backoff Point-of-Sale Malware | CISA",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 97161,
	"plain_text": "Backoff Point-of-Sale Malware | CISA\r\nPublished: 2016-09-30 · Archived: 2026-04-05 17:11:32 UTC\r\nSystems Affected\r\nPoint-of-Sale Systems\r\nOverview\r\nThis advisory was prepared in collaboration with the National Cybersecurity and Communications Integration\r\nCenter (NCCIC), United States Secret Service (USSS), Financial Sector Information Sharing and Analysis Center\r\n(FS-ISAC), and Trustwave Spiderlabs, a trusted partner under contract with the USSS.  The purpose of this release\r\nis to provide relevant and actionable technical indicators for network defense against the PoS malware dubbed\r\n\"Backoff\" which has been discovered exploiting businesses' administrator accounts remotely and exfiltrating\r\nconsumer payment data.\r\nOver the past year, the Secret Service has responded to network intrusions at numerous businesses throughout the\r\nUnited States that have been impacted by the “Backoff” malware. Seven PoS system providers/vendors have\r\nconfirmed that they have had multiple clients affected. Reporting continues on additional compromised locations,\r\ninvolving private sector entities of all sizes, and the Secret Service currently estimates that over 1,000 U.S.\r\nbusinesses are affected.\r\nRecent investigations revealed that malicious actors are using publicly available tools to locate businesses that use\r\nremote desktop applications. Remote desktop solutions like Microsoft's Remote Desktop [1], Apple Remote\r\nDesktop [2], Chrome Remote Desktop [3], Splashtop 2 [4], and LogMeIn [5] offer the convenience and\r\nefficiency of connecting to a computer from a remote location. Once these applications are located, the suspects\r\nattempted to brute force the login feature of the remote desktop solution. 
After gaining access to what were often administrator or otherwise privileged accounts, the suspects were then able to deploy the point-of-sale (PoS) malware and subsequently exfiltrate consumer payment data via an encrypted POST request.\r\nOrganizations that believe they have been impacted should contact their local Secret Service field office and may contact the NCCIC for additional information.\r\n“Backoff” is a recently discovered family of PoS malware. The malware family has been witnessed in at least three separate forensic investigations. Researchers have identified three primary versions of the “Backoff” malware: 1.4, 1.55 (“backoff”, “goo”, “MAY”, “net”), and 1.56 (“LAST”).\r\nThese variants have been seen as far back as October 2013 and continue to operate as of July 2014. The malware typically has the following four capabilities; the exceptions are the earliest witnessed variant (1.4), which does not include keylogging functionality, and 1.55 ‘net’, which removed the explorer.exe injection component:\r\nScraping memory for track data\r\nLogging keystrokes\r\nCommand \u0026 control (C2) communication\r\nInjecting a malicious stub into explorer.exe\r\nhttps://www.us-cert.gov/ncas/alerts/TA14-212A\r\nPage 1 of 10\n\nThe malicious stub that is injected into explorer.exe is responsible for persistence in the event the malicious executable crashes or is forcefully stopped. The malware scrapes the memory of running processes on the victim machine, searching for track data. Keylogging functionality is also present in the most recent variants of “Backoff”. 
Additionally, the malware has a C2 component that is responsible for uploading discovered data, updating the malware, downloading/executing further malware, and uninstalling the malware.\r\nVariants\r\nBased on compile timestamps and the version information seen in the C2 HTTP POST requests, “Backoff” variants were analyzed over a seven month period. The five variants that followed 1.4 carry the following notable modifications:\r\n1.55 “backoff”\r\nAdded Local.dat temporary storage for discovered track data\r\nAdded keylogging functionality\r\nAdded “gr” POST parameter to include variant name\r\nAdded ability to exfiltrate keylog data\r\nSupports multiple exfiltration domains\r\nChanged install path\r\nChanged User-Agent\r\n1.55 “goo”\r\nAttempts to remove prior version of malware\r\nUses 8.8.8.8 as resolver\r\n1.55 “MAY”\r\nNo significant updates other than changes to the URI and version name\r\n1.55 “net”\r\nRemoved the explorer.exe injection component\r\n1.56 “LAST”\r\nRe-added the explorer.exe injection component\r\nSupport for multiple domain/URI/port configurations\r\nModified code responsible for creating exfiltration thread(s)\r\nAdded persistence techniques\r\nCommand \u0026 Control Communication\r\nAll C2 communication for “Backoff” takes place via HTTP POST requests. 
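The C2 exchange described in this section, worked through as an added example (this is not code from CISA, the Secret Service or Trustwave, and the function names are the editor’s own): the block below derives the RC4 password as MD5(id + static string + ui), Base64-decodes and RC4-decrypts the data parameter, and flags a captured POST as a Backoff beacon when its path is one of the URI(s) listed per variant under File Indicators and its body carries the op/id/ui/wv/bv parameter set. Two points are assumptions rather than statements from the advisory: the uppercase hex text of the MD5 digest (the form in which the advisory prints the password) is used as the RC4 key bytes, and each variant’s ‘Static String (POST Request)’ value is tried in turn as the middle component of the key, since the advisory only demonstrates the derivation with jhgtsd7fjmytkr. The sample beacon is constructed inside the block and is not captured traffic.

```python
import base64
import hashlib
from urllib.parse import parse_qs, urlencode

# Beacon URIs and 'Static String (POST Request)' values as listed per variant in
# the File Indicators section of TA14-212A. 1.55 'MAY' and 'net' share a URI but
# use different static strings, so the decoder tries every candidate (assumption:
# the per-variant static string is the middle component of the key derivation).
BACKOFF_URIS = {
    '/aircanada/dark.php',      # 1.4
    '/aero2/fly.php',           # 1.55 backoff
    '/windows/updcheck.php',    # 1.55 goo
    '/windowsxp/updcheck.php',  # 1.55 MAY, 1.55 net
    '/windebug/updcheck.php',   # 1.56 LAST
}
STATIC_STRINGS = ['jhgtsd7fjmytkr', 'ihasd3jasdhkas', 'ihasd3jasdhkas9', 'zXqW9JdWLM4urgjRkX']
# POST parameters every variant sends; gr (absent in 1.4) and data are optional.
REQUIRED_PARAMS = {'op', 'id', 'ui', 'wv', 'bv'}


def rc4(key: bytes, data: bytes) -> bytes:
    # Textbook RC4: key scheduling, then keystream XOR. RC4 is symmetric,
    # so the same call encrypts and decrypts.
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) % 256
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) % 256
        j = (j + s[i]) % 256
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) % 256])
    return bytes(out)


def derive_rc4_key(beacon_id: str, static_string: str, ui: str) -> bytes:
    # Password = MD5(id + static string + ui). The advisory prints it as the
    # uppercase hex digest, and that hex text is used as the key bytes here.
    # That encoding is an assumption: if a real sample does not decrypt, try
    # hashlib.md5(...).digest() (the raw 16 bytes) instead.
    digest = hashlib.md5((beacon_id + static_string + ui).encode()).hexdigest()
    return digest.upper().encode()


def looks_like_text(raw: bytes) -> bool:
    # RC4 carries no integrity check, so a wrong key yields random bytes;
    # printable ASCII (plus tab/CR/LF) is the acceptance heuristic.
    allowed = {9, 10, 13}
    return all(b in allowed or 32 <= b < 127 for b in raw)


def decode_data(beacon_id: str, ui: str, data_b64: str):
    # Base64-decode the data field, then try each candidate static string.
    # Returns (static_string, plaintext) on success, None otherwise.
    try:
        blob = base64.b64decode(data_b64)
    except ValueError:
        return None
    for static in STATIC_STRINGS:
        plain = rc4(derive_rc4_key(beacon_id, static, ui), blob)
        if plain and looks_like_text(plain):
            return static, plain.decode('ascii')
    return None


def triage_post(path: str, body: str):
    # Flag a captured HTTP POST as a Backoff beacon when the path is a known C2
    # URI and the body carries the beacon parameter set; decrypt data if present.
    if path not in BACKOFF_URIS:
        return None
    params = {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}
    if not REQUIRED_PARAMS.issubset(params):
        return None
    hit = {'uri': path, 'id': params['id'], 'ui': params['ui'], 'bv': params['bv'],
           'gr': params.get('gr'), 'static_string': None, 'plaintext': None}
    if params.get('data'):
        found = decode_data(params['id'], params['ui'], params['data'])
        if found:
            hit['static_string'], hit['plaintext'] = found
    return hit


# Constructed sample traffic (not captured from a real infection): one beacon
# built with the advisory's example id/ui and the 1.55 'goo' static string, and
# one ordinary form post that happens to hit the same path.
SAMPLE_ID, SAMPLE_UI = 'vxeyHkS', 'Josh @ PC123456'
SAMPLE_PLAINTEXT = 'keylog sample: constructed, not real track data'
SAMPLE_BEACON_BODY = urlencode({
    'op': '1', 'id': SAMPLE_ID, 'ui': SAMPLE_UI, 'wv': '6.1', 'gr': 'goo', 'bv': '1.55',
    'data': base64.b64encode(rc4(derive_rc4_key(SAMPLE_ID, 'jhgtsd7fjmytkr', SAMPLE_UI),
                                 SAMPLE_PLAINTEXT.encode())).decode(),
})
SAMPLE_BENIGN_BODY = urlencode({'q': 'status', 'page': '2'})

if __name__ == '__main__':
    print(triage_post('/windows/updcheck.php', SAMPLE_BEACON_BODY))
    print(triage_post('/windows/updcheck.php', SAMPLE_BENIGN_BODY))
    print(triage_post('/index.php', SAMPLE_BEACON_BODY))
```

Running the block prints the parsed beacon (matched URI, id, ui, gr, the static string that produced readable output, and the recovered plaintext), then None for the benign post and again for the unknown path. Because RC4 has no integrity check, a wrong candidate key simply yields noise, so the printable-ASCII test is what accepts a decryption; a beacon carrying binary payloads would need a different acceptance rule.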
A number of POST parameters are included when this malware makes a request to the C\u0026C server:\r\nop : Static value of ‘1’\r\nid : randomly generated 7 character string\r\nui : Victim username/hostname\r\nwv : Version of Microsoft Windows\r\ngr (Not seen in version 1.4) : Malware-specific identifier\r\nbv : Malware version\r\ndata (optional) : Base64-encoded/RC4-encrypted data\r\nThe ‘id’ parameter is stored in the following location, to ensure it is consistent across requests:\r\nHKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\identifier\r\nIf this key doesn’t exist, the string will be generated and stored. Data is encrypted using RC4 prior to being encoded with Base64. The password for RC4 is generated from the ‘id’ parameter, a static string (‘jhgtsd7fjmytkr’ in the variants analyzed here; each variant’s value appears as ‘Static String (POST Request)’ under File Indicators below), and the ‘ui’ parameter. These values are concatenated together and then hashed using the MD5 algorithm to form the RC4 password. For example, with an ‘id’ of ‘vxeyHkS’ and a ‘ui’ of ‘Josh @ PC123456’, the RC4 password would be ‘56E15A1B3CB7116CAB0268AC8A2CD943’ (the MD5 hash of ‘vxeyHkSjhgtsd7fjmytkrJosh @ PC123456’).\r\nFile Indicators:\r\nThe following Indicators of Compromise (IOCs) should be loaded into network and host security tooling and searched for across the environment.\r\n1.4\r\nPacked MD5: 927AE15DBF549BD60EDCDEAFB49B829E\r\nUnpacked MD5: 6A0E49C5E332DF3AF78823CA4A655AE8\r\nInstall Path: %APPDATA%\\AdobeFlashPlayer\\mswinsvc.exe\r\nMutexes:\r\nuhYtntr56uisGst\r\nuyhnJmkuTgD\r\nFiles Written:\r\n%APPDATA%\\mskrnl\r\n%APPDATA%\\winserv.exe\r\n%APPDATA%\\AdobeFlashPlayer\\mswinsvc.exe\r\nStatic String (POST Request): zXqW9JdWLM4urgjRkX\r\nRegistry Keys:\r\nHKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\identifier\r\nHKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\Windows NT Service\r\nUser-Agent: Mozilla/4.0\r\nURI(s): /aircanada/dark.php\r\n1.55 “backoff”\r\nPacked MD5: F5B4786C28CCF43E569CB21A6122A97E\r\nUnpacked 
MD5: CA4D58C61D463F35576C58F25916F258\r\nInstall Path: %APPDATA%\\AdobeFlashPlayer\\mswinhost.exe\r\nMutexes:\r\nUndsa8301nskal\r\nuyhnJmkuTgD\r\nFiles Written:\r\n%APPDATA%\\mskrnl\r\n%APPDATA%\\winserv.exe\r\n%APPDATA%\\AdobeFlashPlayer\\mswinhost.exe\r\n%APPDATA%\\AdobeFlashPlayer\\Local.dat\r\n%APPDATA%\\AdobeFlashPlayer\\Log.txt\r\nStatic String (POST Request): ihasd3jasdhkas\r\nRegistry Keys:\r\nHKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\identifier\r\nHKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\Windows NT Service\r\nUser-Agent: Mozilla/5.0 (Windows NT 6.1; rv:24.0) Gecko/20100101 Firefox/24.0\r\nURI(s): /aero2/fly.php\r\n1.55 “goo”\r\nPacked MD5: 17E1173F6FC7E920405F8DBDE8C9ECAC\r\nUnpacked MD5: D397D2CC9DE41FB5B5D897D1E665C549\r\nInstall Path: %APPDATA%\\OracleJava\\javaw.exe\r\nMutexes:\r\nnUndsa8301nskal\r\nnuyhnJmkuTgD\r\nFiles Written:\r\n%APPDATA%\\nsskrnl\r\n%APPDATA%\\winserv.exe\r\n%APPDATA%\\OracleJava\\javaw.exe\r\n%APPDATA%\\OracleJava\\Local.dat\r\n%APPDATA%\\OracleJava\\Log.txt\r\nStatic String (POST Request): jhgtsd7fjmytkr\r\nRegistry Keys:\r\nHKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\identifier\r\nHKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\Windows NT Service\r\nUser-Agent:\r\nURI(s): /windows/updcheck.php\r\n1.55 “MAY”\r\nPacked MD5: 21E61EB9F5C1E1226F9D69CBFD1BF61B\r\nUnpacked MD5: CA608E7996DED0E5009DB6CC54E08749\r\nInstall Path: %APPDATA%\\OracleJava\\javaw.exe\r\nMutexes:\r\nnUndsa8301nskal\r\nnuyhnJmkuTgD\r\nFiles Written:\r\n%APPDATA%\\nsskrnl\r\n%APPDATA%\\winserv.exe\r\n%APPDATA%\\OracleJava\\javaw.exe\r\n%APPDATA%\\OracleJava\\Local.dat\r\n%APPDATA%\\OracleJava\\Log.txt\r\nStatic String (POST Request): jhgtsd7fjmytkr\r\nRegistry Keys:\r\nHKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\identifier\r\nHKCU\\SOFTWARE
\\Microsoft\\Windows\\CurrentVersion\\Run\\Windows NT Service\r\nUser-Agent:\r\nURI(s): /windowsxp/updcheck.php\r\n1.55 “net”\r\nPacked MD5: 0607CE9793EEA0A42819957528D92B02\r\nUnpacked MD5: 5C1474EA275A05A2668B823D055858D9\r\nInstall Path: %APPDATA%\\AdobeFlashPlayer\\mswinhost.exe\r\nMutexes:\r\nnUndsa8301nskal\r\nFiles Written:\r\n%APPDATA%\\AdobeFlashPlayer\\mswinhost.exe\r\n%APPDATA%\\AdobeFlashPlayer\\Local.dat\r\n%APPDATA%\\AdobeFlashPlayer\\Log.txt\r\nStatic String (POST Request): ihasd3jasdhkas9\r\nRegistry Keys:\r\nHKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\identifier\r\nHKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\Windows NT Service\r\nUser-Agent:\r\nURI(s): /windowsxp/updcheck.php\r\n1.56 “LAST”\r\nPacked MD5: 12C9C0BC18FDF98189457A9D112EEBFC\r\nUnpacked MD5: 205947B57D41145B857DE18E43EFB794\r\nInstall Path: %APPDATA%\\OracleJava\\javaw.exe\r\nMutexes:\r\nnUndsa8301nskal\r\nnuyhnJmkuTgD\r\nFiles Written:\r\n%APPDATA%\\nsskrnl\r\n%APPDATA%\\winserv.exe\r\n%APPDATA%\\OracleJava\\javaw.exe\r\n%APPDATA%\\OracleJava\\Local.dat\r\n%APPDATA%\\OracleJava\\Log.txt\r\nStatic String (POST Request): jhgtsd7fjmytkr\r\nRegistry Keys:\r\nHKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\identifier\r\nHKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\Windows NT Service\r\nHKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\Windows NT Service\r\nHKCU\\SOFTWARE\\Microsoft\\Active Setup\\Installed Components\\{B3DB0D62-B481-4929-888B-49F426C1A136}\\StubPath\r\nHKLM\\SOFTWARE\\Microsoft\\Active Setup\\Installed Components\\{B3DB0D62-B481-4929-888B-49F426C1A136}\\StubPath\r\nUser-Agent: Mozilla/5.0 (Windows NT 6.1; rv:24.0) Gecko/20100101 Firefox/24.0\r\nURI(s): /windebug/updcheck.php\r\nImpact\r\nThe impact of a compromised PoS system can affect both the business and the consumer by exposing customer data such as names, mailing addresses, credit/debit card 
numbers, phone numbers, and e-mail addresses to criminal elements. These breaches can damage a business’ brand and reputation, while consumers’ information can be used to make fraudulent purchases or to compromise bank accounts. It is critical to safeguard your corporate networks and web servers to prevent any unnecessary exposure to compromise, or to mitigate any damage that could be occurring now.\r\nSolution\r\nAt the time this advisory is released, the variants of the “Backoff” malware family are largely undetected by anti-virus (AV) vendors. However, shortly following the publication of this technical analysis, AV companies will quickly begin detecting the existing variants. It is important to maintain up-to-date AV signatures and engines, as new threats such as this one are continually being added to your AV solution. Pending AV detection of the malware variants, network defenders can apply the indicators of compromise (IOCs) listed above to a variety of prevention and detection strategies.[6], [7], [8]\r\nThe forensic investigations of compromises of retail IT/payment networks indicate that the network compromises allowed the introduction of memory scraping malware to the payment terminals. Information security professionals recommend a defense in depth approach to mitigating risk to retail payment systems. While some of the risk mitigation recommendations are general in nature, the following strategies provide an approach to minimize the possibility of an attack and mitigate the risk of data compromise:\r\nRemote Desktop Access\r\nConfigure the account lockout settings to lock a user account after a period of time or a specified number of failed login attempts. 
This prevents unlimited unauthorized attempts to log in, whether from an unauthorized user or via automated attack types like brute force.[9]\r\nLimit the number of users and workstations that can log in using Remote Desktop.\r\nUse firewalls (both software and hardware where available) to restrict access to remote desktop listening ports (default is TCP 3389).[10]\r\nChange the default Remote Desktop listening port. (This only hides the service from casual scanning; it is not a substitute for the lockout, firewall and authentication controls listed here.)\r\nDefine complex password parameters. Configuring an expiration time and password length and complexity can decrease the amount of time in which a successful attack can occur.[11]\r\nRequire two-factor authentication (2FA) for remote desktop access.[12]\r\nInstall a Remote Desktop Gateway to restrict access.[13]\r\nAdd an extra layer of authentication and encryption by tunneling your Remote Desktop through IPSec, SSH or SSL.[14], [15]\r\nRequire 2FA when accessing payment processing networks. Even if a virtual private network is used, it is important that 2FA is implemented to help mitigate keylogger or credential dumping attacks.\r\nLimit administrative privileges for users and applications.\r\nPeriodically review systems (local and domain controllers) for unknown and dormant users.\r\nNetwork Security\r\nReview firewall configurations and ensure that only allowed ports, services and Internet protocol (IP) addresses are communicating with your network. 
This is especially critical for outbound (e.g., egress) firewall rules, in which compromised entities allow ports to communicate with any IP address on the Internet. Attackers rely on this configuration to exfiltrate data to IP addresses they control.\r\nSegregate payment processing networks from other networks.\r\nApply access control lists (ACLs) on the router configuration to limit unauthorized traffic to payment processing networks.\r\nCreate strict ACLs segmenting public-facing systems and back-end database systems that house payment card data.\r\nImplement data leakage prevention/detection tools to detect and help prevent data exfiltration.\r\nImplement tools to detect anomalous network traffic and anomalous behavior by legitimate users (compromised credentials).\r\nCash Register and PoS Security\r\nImplement hardware-based point-to-point encryption. It is recommended that EMV-enabled PIN entry devices or other credit-only accepting devices have Secure Reading and Exchange of Data (SRED) capabilities. SRED-approved devices can be found at the Payment Card Industry Security Standards website.\r\nInstall Payment Application Data Security Standard-compliant payment applications.\r\nDeploy the latest version of an operating system and ensure it is up to date with security patches, anti-virus software, file integrity monitoring and a host-based intrusion-detection system.\r\nAssign a strong password to security solutions to prevent application modification. Use two-factor authentication (2FA) where feasible.\r\nPerform a binary or checksum comparison to ensure unauthorized files are not installed.\r\nEnsure any automatic updates from third parties are validated. This means performing a checksum comparison on the updates prior to deploying them on PoS systems. 
It is recommended that merchants work with their PoS vendors to obtain signatures and hash values to perform this checksum validation.\r\nDisable unnecessary ports and services, null sessions, default users and guests.\r\nEnable logging of events and make sure there is a process to monitor logs on a daily basis.\r\nImplement least privilege and ACLs for users and applications on the system.\r\nReferences\r\n[1] Windows Remote Desktop\r\n[2] Apple Remote Desktop\r\n[3] Chrome Remote Desktop\r\n[4] Splashtop\r\n[5] LogMeIn Official Site\r\n[6] Understanding Indicators of Compromise (IOC)\r\n[7] Using Indicators of Compromise in Malware Forensics\r\n[8] Indicators of Compromise: The Key to Early Detection\r\n[9] Configuring Account Lockout\r\n[10] Securing Remote Desktop for System Administrators\r\n[11] Account Lockout and Password Concepts\r\n[13] Installing RD Gateway\r\n[14] Networking and Access Technologies\r\n[15] Secure RDS Connections with SSL\r\nRevisions\r\nJuly 31, 2014 - Initial Release\r\nAugust 18, 2014 - Minor revision to remote desktop solutions list\r\nAugust 22, 2014 - Changes to the Overview section\r\nAugust 26, 2014 - Minor revision to remote desktop solutions list\r\nSource: https://www.us-cert.gov/ncas/alerts/TA14-212A",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://www.us-cert.gov/ncas/alerts/TA14-212A"
	],
	"report_names": [
		"TA14-212A"
	],
	"threat_actors": [],
	"ts_created_at": 1775434660,
	"ts_updated_at": 1775791281,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/39dbc1e3c9f90cce9aef307414c97235b3f276d1.pdf",
		"text": "https://archive.orkl.eu/39dbc1e3c9f90cce9aef307414c97235b3f276d1.txt",
		"img": "https://archive.orkl.eu/39dbc1e3c9f90cce9aef307414c97235b3f276d1.jpg"
	}
}