Often we see malware authors using encryption or obfuscation, along with other techniques, to modify the static contents of malware. They do this to evade static clustering and detection even though the behavior is unchanged. In many cases obfuscation also helps hide the threat's malicious intentions from security researchers.
BackOff, a point-of-sale malware designed to steal banking login credentials, is one of the latest to use this method. BackOff creates a fake Oracle Java folder under the appdata folder and drops javaw.exe there; the malware binary is copied into that file, whose name mimics the legitimate Java executable from Oracle. Once the copy in appdata exists, the original version of the malware is deleted. A log file (log.txt) is created to store all keystrokes. For example, if the victim types "testing 1 2 3 This is a test," the log file will store it in the following fashion:
The malware not only stores the time and date, but also preserves the case of the victim's keystrokes while logging them. This makes sense because banking and other important credentials are generally case sensitive.
In an earlier variant there was no visible attempt to hide these behaviors. As we can see in the following strings related to the creation of the fake javaw.exe, the keylogging activity is visible in plaintext in the malware.
Some binaries of this malware were so user friendly that they had proper comments to make sure that even a script kiddie could make proper use of it. For example, the following binary has the comment “edit with your URL” so that the keylogs can be uploaded to the controller’s site.
However, such open behavior is not the case in the most recent binaries. The new samples, despite behaving the same way, do not have any obvious static content. The following segment of the variant shows no understandable strings.
We found that the malware uses an extensive encryption algorithm to hide the data revealed in the older variant. The following shows a section of the decryption loop.
This code, expressed as a simple statement, reads:
a[counter] = ((a[counter+1] - v) and k) or ((shiftleft(a[counter] - v, 4)) xor key[i])
Here a[counter] is the encrypted array, key[i] is an array holding a hardcoded key that is repeated once it is fully exhausted, and v is a fixed value that alternates on each cycle of the loop. In this sample, for example, v is 0x6c for odd iterations and 0x41 for even ones. Finally, k is a fixed constant.
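The decryption loop re-implemented in Python as an added example; this is not code from the post or from the sample itself. It assumes byte-wise arithmetic with 8-bit wrap-around, a loop that stops before the last element (the statement reads a[counter+1]), 1-based iteration numbering so that the first pass uses 0x6c, and placeholder values for k, the key and the ciphertext, none of which the post gives.

```python
# Re-implementation of the BackOff decryption loop described above.
# Assumptions not stated in the post: 8-bit wrap-around arithmetic,
# the loop covers counter = 0 .. len(a)-2 (the statement reads
# a[counter+1], so the last byte has no successor), iteration numbering
# starts at 1 (first pass uses v = 0x6c), and the key index i advances
# with counter.  k, the key and the ciphertext below are placeholders.

MASK = 0xFF

ASSUMED_K = 0xF0                                      # placeholder for the constant k
SAMPLE_KEY = bytes([0x13, 0x37])                      # constructed, not the real key
SAMPLE_CIPHERTEXT = bytes([0x80, 0x60, 0x55, 0x41])   # constructed input


def decrypt_backoff(data: bytes, key: bytes, k: int,
                    v_odd: int = 0x6C, v_even: int = 0x41) -> bytes:
    """a[c] = ((a[c+1] - v) & k) | (((a[c] - v) << 4) ^ key[i]), in place.

    key repeats cyclically once exhausted; v alternates between v_odd
    (odd iterations) and v_even (even iterations).
    """
    if not key:
        raise ValueError("key must not be empty")
    a = bytearray(data)
    for counter in range(len(a) - 1):
        iteration = counter + 1                        # 1-based (assumption)
        v = v_odd if iteration % 2 else v_even
        key_byte = key[counter % len(key)]             # hardcoded key wraps around
        left = ((a[counter + 1] - v) & MASK) & k       # a[counter+1] is still encrypted
        shifted = (((a[counter] - v) & MASK) << 4) & MASK
        a[counter] = (left | (shifted ^ key_byte)) & MASK
    return bytes(a[:-1])


def printable_ratio(buf: bytes) -> float:
    """Share of printable ASCII bytes: a quick sanity check when trying
    candidate k/key values recovered from a real sample."""
    if not buf:
        return 0.0
    return sum(0x20 <= b < 0x7F for b in buf) / len(buf)


if __name__ == "__main__":
    out = decrypt_backoff(SAMPLE_CIPHERTEXT, SAMPLE_KEY, ASSUMED_K)
    print(out.hex(), f"printable={printable_ratio(out):.2f}")
```

With the real k and key pulled from a sample, a rising printable ratio is the usual sign that the candidate constants are right.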
After decryption we can observe that the control server is visible.
This site is blacklisted by McAfee SiteAdvisor.
McAfee provides generic coverage for both plain and encrypted variants of BackOff, respectively, as “BackOff!” and “EncBackOff!”