Fortinet FortiGuard researchers have discovered a newer variant of the “Backoff” Point-of-Sale (POS) malware family, identified as 211G1, which employs further techniques to hinder analysis and evade detection.
This version, detected as W32/Backoff.C!tr.spy, contains code that maps its own image back to its original (preferred) base address before continuing execution, adding another obstacle for anyone analyzing it. As before, the malware hides itself in the user’s Application Data folder, but instead of using a fixed file name it picks one at random from a predefined list. Fortinet is one of two security companies able to detect and block this malware today.
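The base-address remapping described above depends on the PE relocation table (.reloc), which lists every absolute pointer in the image so the loader can shift them when the image lands somewhere other than its preferred ImageBase. The Python below is an added example, not code from Fortinet or from the malware itself: it parses a constructed .reloc block and shifts the listed pointers by a base delta, first in the direction the Windows loader applies when ASLR moves the image, then back to the preferred base, which is the direction an analyst needs to compare a memory dump against the file on disk. The preferred base, actual base, image contents and RVAs are all constructed values.

```python
import struct

# Relocation entry types from the PE specification.
IMAGE_REL_BASED_ABSOLUTE = 0   # padding entry, no fix-up
IMAGE_REL_BASED_HIGHLOW = 3    # 32-bit absolute pointer
IMAGE_REL_BASED_DIR64 = 10     # 64-bit absolute pointer

# Constructed values for the example (not from any real sample).
PREFERRED_BASE = 0x00400000    # ImageBase as stored in the optional header
ACTUAL_BASE = 0x10000000       # where the loader placed the image under ASLR


def parse_reloc_blocks(reloc_data):
    """Yield (page_rva, [(type, offset), ...]) for each IMAGE_BASE_RELOCATION block.

    Each block is a DWORD page RVA, a DWORD block size (header included),
    then WORD entries whose top 4 bits are the type and low 12 bits the
    offset within the page.
    """
    pos = 0
    while pos + 8 <= len(reloc_data):
        page_rva, size = struct.unpack_from("<II", reloc_data, pos)
        if size < 8 or pos + size > len(reloc_data):
            raise ValueError("malformed relocation block")
        n_entries = (size - 8) // 2
        entries = []
        for i in range(n_entries):
            (entry,) = struct.unpack_from("<H", reloc_data, pos + 8 + 2 * i)
            entries.append((entry >> 12, entry & 0xFFF))
        yield page_rva, entries
        pos += size


def apply_relocations(image, reloc_data, delta):
    """Return a copy of `image` (bytes indexed by RVA) with every absolute
    pointer named in `reloc_data` shifted by `delta`.

    delta = new_base - old_base. A negative delta undoes a previous
    relocation, i.e. maps a loaded image back to its preferred base.
    """
    out = bytearray(image)
    for page_rva, entries in parse_reloc_blocks(reloc_data):
        for rtype, offset in entries:
            rva = page_rva + offset
            if rtype == IMAGE_REL_BASED_ABSOLUTE:
                continue
            if rtype == IMAGE_REL_BASED_HIGHLOW:
                (val,) = struct.unpack_from("<I", out, rva)
                struct.pack_into("<I", out, rva, (val + delta) & 0xFFFFFFFF)
            elif rtype == IMAGE_REL_BASED_DIR64:
                (val,) = struct.unpack_from("<Q", out, rva)
                struct.pack_into("<Q", out, rva, (val + delta) & 0xFFFFFFFFFFFFFFFF)
            else:
                raise ValueError(f"unsupported relocation type {rtype}")
    return bytes(out)


def read_ptr32(image, rva):
    """Read a little-endian 32-bit value at an RVA (helper for checking results)."""
    return struct.unpack_from("<I", image, rva)[0]


def build_sample_image():
    """Constructed 0x2000-byte image: two absolute 32-bit pointers in the page
    at RVA 0x1000 that reference RVAs 0x1234 and 0x1800 at the preferred base."""
    img = bytearray(0x2000)
    struct.pack_into("<I", img, 0x1000, PREFERRED_BASE + 0x1234)
    struct.pack_into("<I", img, 0x1010, PREFERRED_BASE + 0x1800)
    return bytes(img)


def build_sample_reloc():
    """Constructed .reloc data: one block for page 0x1000 with two HIGHLOW
    entries plus two ABSOLUTE padding entries (block sizes are 4-byte aligned)."""
    entries = [
        (IMAGE_REL_BASED_HIGHLOW << 12) | 0x000,
        (IMAGE_REL_BASED_HIGHLOW << 12) | 0x010,
        (IMAGE_REL_BASED_ABSOLUTE << 12) | 0x000,
        (IMAGE_REL_BASED_ABSOLUTE << 12) | 0x000,
    ]
    header = struct.pack("<II", 0x1000, 8 + 2 * len(entries))
    return header + b"".join(struct.pack("<H", e) for e in entries)


def rebase_to_preferred(loaded_image, reloc_data, actual_base, preferred_base):
    """Undo the loader's relocation so the image matches its on-disk layout."""
    return apply_relocations(loaded_image, reloc_data, preferred_base - actual_base)


if __name__ == "__main__":
    on_disk = build_sample_image()
    reloc = build_sample_reloc()
    # What the loader produces when the image is placed at ACTUAL_BASE.
    loaded = apply_relocations(on_disk, reloc, ACTUAL_BASE - PREFERRED_BASE)
    print(hex(read_ptr32(loaded, 0x1000)))                      # 0x10001234
    # Map it back to the preferred base, as the text says the malware does.
    restored = rebase_to_preferred(loaded, reloc, ACTUAL_BASE, PREFERRED_BASE)
    print(restored == on_disk)                                  # True
```

The practical point for an analyst: a sample that remaps itself this way will, once running, sit at its preferred ImageBase regardless of where the loader first placed it, so addresses and breakpoints computed from the initial ASLR base no longer apply after the jump, and a memory dump taken afterwards should be compared against the on-disk image without any base delta. The same parser works on a real .reloc section read from the data directory, provided the image buffer is indexed by RVA as it would be in memory.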
Earlier, FortiGuard researchers had detected an updated version of “Backoff,” dubbed ROM, which performed many of the same functions as its predecessor but leveraged a slew of new techniques that made the threat harder to detect and analyze. That version evaded security controls by disguising itself as a media player, dropping a file named mplayer.exe in the user’s Application Data folder.
Researchers have observed that the malware authors continue to modify the threat to bypass security detection, and recommend that users keep their antivirus software up to date to better protect themselves from this evolving threat.