The United States Computer Emergency Readiness Team (US-CERT) has released an alert warning the public about a potentially dangerous piece of malware that is circulating. According to the investigation, the malware family, Backoff, is being used to actively attack companies running remote desktop applications from Microsoft and Apple, as well as specific remote-connection software included in Chrome, Splashtop, Pulseway, and LogMeIn. Once such an application is found running, the attackers brute-force the login to gain remote access, take control of administrator accounts, and then plant Backoff on point-of-sale systems.
The Backoff family was first identified in October 2013 and has been observed still operating as recently as July 2014.
Successfully installed malware results in the following capabilities:
- Scraping memory for track data
- Logging keystrokes
- Command & control (C2) communication
- Injecting a malicious stub into explorer.exe
As of the alert's release date, AV software is still unable to detect the Backoff variants. Until AV can detect Backoff, US-CERT is providing recommendations that include changing the default Remote Desktop listening port, requiring two-factor authentication, adding encryption, limiting administrative privileges, and other steps.
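Since AV cannot yet catch the payload, the brute-force step described above is worth watching for in Windows logon events. The script below is an added example (not code from the alert or this post): it scans constructed, simplified log lines modelled on Security events 4625 (failed logon) and 4624 (successful logon) and flags a burst of failed RDP logons from one source that is followed by a successful logon to an administrator account; the line format, threshold, window and the `ADMIN_ACCOUNTS` set are assumptions.

```python
"""Flag an RDP brute-force burst followed by a successful admin logon.
Added example, not code from the US-CERT alert; the log lines are a
constructed, simplified rendering of Windows Security events 4625/4624."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample: timestamp, event id, logon type (10 = RemoteInteractive,
# i.e. RDP), account name, source IP. Not real data.
SAMPLE_LOG = """\
2014-07-30T02:14:01 4625 10 Administrator 198.51.100.7
2014-07-30T02:14:03 4625 10 Administrator 198.51.100.7
2014-07-30T02:14:04 4625 10 pos 198.51.100.7
2014-07-30T02:14:06 4625 10 Administrator 198.51.100.7
2014-07-30T02:14:07 4625 10 Administrator 198.51.100.7
2014-07-30T02:14:09 4624 10 Administrator 198.51.100.7
2014-07-30T09:00:00 4625 10 clerk 10.0.0.5
2014-07-30T09:00:30 4624 10 clerk 10.0.0.5
"""
ADMIN_ACCOUNTS = {"administrator"}  # assumption: privileged accounts to watch

def parse(text):
    """Yield (timestamp, event_id, logon_type, account, source_ip) per line."""
    for line in text.splitlines():
        ts, eid, ltype, account, ip = line.split()
        yield datetime.fromisoformat(ts), int(eid), int(ltype), account, ip

def detect_bruteforce(text, threshold=5, window=timedelta(minutes=5)):
    """Return (source_ip, account, time) for each successful admin RDP logon
    preceded by at least `threshold` failed RDP logons from the same source
    within `window`. Only logon type 10 (RDP) is considered."""
    failures = defaultdict(deque)  # source_ip -> timestamps of recent failures
    alerts = []
    for ts, eid, ltype, account, ip in parse(text):
        if ltype != 10:
            continue
        recent = failures[ip]
        while recent and ts - recent[0] > window:  # drop failures outside window
            recent.popleft()
        if eid == 4625:
            recent.append(ts)
        elif eid == 4624 and len(recent) >= threshold and account.lower() in ADMIN_ACCOUNTS:
            alerts.append((ip, account, ts))
    return alerts

if __name__ == "__main__":
    for ip, account, ts in detect_bruteforce(SAMPLE_LOG):
        print(f"{ts}: {ip} brute-forced RDP, then logged on as {account}")
```

Failures are counted per source regardless of the account tried, so password spraying across several accounts from one host still trips the threshold.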
The full alert is here: Alert (TA14-212A) - Backoff Point-of-Sale Malware
P.S. Microsoft released EMET 5.0 just yesterday; it should be considered another mitigation technique and tool for handling this active threat.