{
	"id": "a22544de-cb72-4693-bac3-0146e34b9943",
	"created_at": "2026-04-06T00:22:33.127579Z",
	"updated_at": "2026-04-10T03:24:30.308723Z",
	"deleted_at": null,
	"sha1_hash": "99d3c5d7e3e9057465fd0e40ffd3b60350cc1721",
	"title": "Sinkholing the Backoff POS Trojan",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 169490,
	"plain_text": "Sinkholing the Backoff POS Trojan\r\nBy Costin Raiu\r\nPublished: 2014-08-29 · Archived: 2026-04-05 19:41:12 UTC\r\nThere is currently a lot of buzz about Backoff, a point-of-sale Trojan designed to steal credit card information from computers that have POS terminals attached.\r\nTrustwave SpiderLabs, which originally discovered this malware, posted a very thorough analysis in July. The U.S. Secret Service, in partnership with DHS, followed up with an advisory.\r\nAlthough very thorough, the existing public analyses of Backoff are missing one very relevant piece of information: the command-and-control (C\u0026C) servers. If you have access to the samples, however, this information isn’t hard to extract. A full list, together with other IOCs (indicators of compromise), appears at the end of this document.\r\nBackoff malware configuration, with C\u0026Cs\r\nWe sinkholed two C\u0026C servers that Backoff samples used to communicate with their masters. These servers are used by certain samples compiled between January and March 2014. Over the past few days, we observed over 100 victims in several countries connecting to the sinkhole.\r\nStatistics:\r\nhttps://securelist.com/sinkholing-the-backoff-pos-trojan/66305/\r\nPage 1 of 6\r\nThere were several interesting victims among them:\r\nA global freight shipping and transport logistics company with headquarters in North America.\r\nA U.K.-based charitable organization that provides support, advice and information to local voluntary organizations and community groups.\r\nA payroll association in North America.\r\nA state institute connected with information technology and communication in Eastern Europe.\r\nA liquor store chain in the U.S.\r\nAn ISP in Alabama, U.S.\r\nA U.S.-based Mexican food chain.\r\nA company that owns and manages office buildings in California, U.S.\r\nA Canadian company that owns and operates a massive chain of restaurants.\r\nThere are also a lot of home user lines, mostly in the U.S. and Canada, connecting to the sinkhole. This is to be expected, as many smaller businesses tend to run on residential connections rather than dedicated corporate links.\r\nConclusions\r\nThe success of Backoff paints a very bleak picture of the state of point-of-sale security. Our sinkhole covers less than 5% of the C\u0026C channels, and the sinkholed domains only apply to certain Backoff samples created in the first quarter of this year. Yet we’ve seen more than 85 victims connecting to our sinkhole.\r\nMost of these victims are located in North America and some of them are high profile. Taking into account the U.S. Secret Service statement, it’s a pretty safe bet that the number of Backoff infections at businesses in North America is well north of 1,000.\r\nSince its appearance last year, Backoff has not changed dramatically. The author created both non-obfuscated and obfuscated samples, likely to defeat the security controls on the targeted networks. However, obfuscation alone should not have been enough to get past the defenses running on a PoS terminal or its network. That it did speaks volumes about the current state of PoS security, and other cybercriminals are sure to have taken note.\r\nIt’s very clear that PoS networks are prime targets for malware attacks. This is especially true in the US, which still doesn’t support EMV chip-enabled cards. Unlike magnetic stripes, EMV chips can’t be easily cloned, making the cards more resilient; EMV does not stop malware from harvesting card data on an infected terminal, but it makes the stolen data far harder to turn into usable counterfeit cards. Unfortunately, the US is adopting chip and signature rather than chip and PIN, which negates some of the added security EMV can bring.\r\nThis may prove another costly mistake. Not adopting EMV along with the rest of the world is really haunting retail in the U.S., and the situation is not likely to change anytime soon.\r\nIOCs / C\u0026Cs:\r\nTrojan file paths:\r\n%APPDATA%\\AdobeFlashPlayer\\mswinsvc.exe\r\n%APPDATA%\\AdobeFlashPlayer\\mswinhost.exe\r\n%APPDATA%\\AdobeFlashPlayer\\Local.dat\r\n%APPDATA%\\AdobeFlashPlayer\\Log.txt\r\n%APPDATA%\\mskrnl\r\n%APPDATA%\\nsskrnl\r\n%APPDATA%\\winserv.exe\r\n%APPDATA%\\OracleJava\\javaw.exe\r\n%APPDATA%\\OracleJava\\Local.dat\r\n%APPDATA%\\OracleJava\\Log.txt\r\nKaspersky names for the Trojans:\r\nHEUR:Trojan.Win32.Invader\r\nHEUR:Trojan.Win32.Generic\r\nBackdoor.Win32.Backoff\r\nTrojan.Win32.Agent.ahhia\r\nTrojan.Win32.Agent.agvmh\r\nTrojan.Win32.Agent.aeyfj\r\nTrojan-Spy.Win32.Recam.qq\r\nTrojan-Dropper.Win32.Sysn.ajci\r\nTrojan.Win32.Bublik.covz\r\nTrojan-Dropper.Win32.Dapato.dddq\r\nTrojan.Win32.Agent.agufs\r\nTrojan.Win32.Agent.ahbhh\r\nTrojan.Win32.Agent.agigp\r\nTrojan.Win32.Agent.aeqsu\r\nTrojan.Win32.Agent.ahgxs\r\nTrojan.Win32.Inject.mhjl\r\nTrojan.Win32.Agent.ahhee\r\nMD5s:\r\n684e03daaffa02ffecd6c7747ffa030e\r\n3ff0f444ef4196f2a47a16eeec506e93\r\n12c9c0bc18fdf98189457a9d112eebfc\r\n14cca3ad6365cb50751638d35bdb84ec\r\nd0f3bf7abbe65b91434905b6955203fe\r\n38e8ed887e725339615b28e60f3271e4\r\n7b027599ae15512256bb5bc52e58e811\r\n5cdc9d5998635e2b91c0324465c6018f\r\n821ac2580843cb0c0f4baff57db8962e\r\nb08d4847c370f79af006d113b3d8f6cf\r\n17e1173f6fc7e920405f8dbde8c9ecac\r\n874cd0b7b22ae1521fd0a7d405d6fa12\r\nea0c354f61ba0d88a422721caefad394\r\n6a0e49c5e332df3af78823ca4a655ae8\r\n8a019351b0b145ee3abe097922f0d4f6\r\n337058dca8e6cbcb0bc02a85c823a003\r\n842e903b955e134ae281d09a467e420a\r\nd1d544dbf6b3867d758a5e7e7c3554bf\r\n01f0d20a1a32e535b950428f5b5d6e72\r\nfc041bda43a3067a0836dca2e6093c25\r\n4956cf9ddd905ac3258f9605cf85332b\r\nf5b4786c28ccf43e569cb21a6122a97e\r\ncc640ad87befba89b440edca9ae5d235\r\n0b464c9bebd10f02575b9d9d3a771db3\r\nd0c74483f20c608a0a89c5ba05c2197f\r\nb1661862db623e05a2694c483dce6e91\r\nffe53fb9280bf3a8ceb366997488486e\r\nc0d0b7ffaec38de642bf6ff6971f4f9e\r\n05f2c7675ff5cda1bee6a168bdbecac0\r\n9ee4c29c95ed435644e6273b1ae3da58\r\n0607ce9793eea0a42819957528d92b02\r\n97fa64dfaa27d4b236e4a76417ab51c1\r\n82d811a8a76df0cda3f34fdcd0e26e27\r\n0b7732129b46ed15ff73f72886946220\r\n30c5592a133137a84f61898993e513db\r\naa68ecf6f097ffb01c981f09a21aef32\r\nbbe534abcc0a907f3c18cfe207a5dfca\r\n29e0259b4ea971c72fd7fcad54a0f8d0\r\nC\u0026C domains and hostnames:\r\n00000000000.888[.]ru\r\n10000000000.888[.]ru\r\nadobephotoshop11111[.]com\r\nadobephotoshop22222[.]com\r\ndomain12827312[.]com\r\nhelloflashplayers12345[.]com\r\nhellojavaplayers12345[.]com\r\nilovereservdom213ada2[.]ru\r\niownacarservice[.]ru\r\niownacarservice1[.]com\r\nmsframework1[.]com\r\nmsframework1[.]ru\r\nmsframeworkx64[.]com\r\nmsframeworkx86[.]com\r\nmsframeworkx86[.]ru\r\nmsoffice365net[.]com\r\nnullllllllllll[.]com\r\nollygo030233[.]com\r\nollygo030233[.]ru\r\npop3smtp5imap2[.]com\r\npop3smtp5imap3[.]com\r\npop3smtp5imap4[.]ru\r\nreservedomain12312[.]ru\r\ntotal-updates[.]com\r\nC\u0026C IPs:\r\n146.185.233.32\r\n81.4.111.176\r\n95.211.228.249\r\n217.174.105.86\r\nSource: https://securelist.com/sinkholing-the-backoff-pos-trojan/66305/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://securelist.com/sinkholing-the-backoff-pos-trojan/66305/"
	],
	"report_names": [
		"66305"
	],
	"threat_actors": [
		{
			"id": "aa73cd6a-868c-4ae4-a5b2-7cb2c5ad1e9d",
			"created_at": "2022-10-25T16:07:24.139848Z",
			"updated_at": "2026-04-10T02:00:04.878798Z",
			"deleted_at": null,
			"main_name": "Safe",
			"aliases": [],
			"source_name": "ETDA:Safe",
			"tools": [
				"DebugView",
				"LZ77",
				"OpenDoc",
				"SafeDisk",
				"TypeConfig",
				"UPXShell",
				"UsbDoc",
				"UsbExe"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434953,
	"ts_updated_at": 1775791470,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/99d3c5d7e3e9057465fd0e40ffd3b60350cc1721.pdf",
		"text": "https://archive.orkl.eu/99d3c5d7e3e9057465fd0e40ffd3b60350cc1721.txt",
		"img": "https://archive.orkl.eu/99d3c5d7e3e9057465fd0e40ffd3b60350cc1721.jpg"
	}
}