The Backoff malware for payment systems has at least eight variants, researchers said.
The differences lie in the installation path, the registry entries and values, and the command and control (C&C) servers contacted for instructions, said researchers at Symantec.
The malware strains create multiple registry entries, all designed to launch the threat when the computer starts, according to the Symantec analysis.
Another sign of Backoff infection is the presence of a file in the Application Data folder whose name consists of 12 random characters, generated from the number of milliseconds elapsed since the computer started. A Windows Registry entry pointing to this file may also be added.
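The two indicators above (autorun registry entries and a 12-character randomly named file under Application Data) can be turned into a simple hunt check. The following is an added example, not Symantec's or US-CERT's code: it takes Run-key values as an administrator would export them and flags the ones whose executable lives under Application Data with a 12-character base name. It assumes the random name is alphanumeric and that the extension is not part of the 12 characters; the registry values it scans are constructed sample data, not entries from any real incident.

```python
import ntpath
import re

# Assumption (not stated in the article): the 12 random characters are alphanumeric
# and the file extension is not counted among them.
RANDOM_NAME_RE = re.compile(r"^[A-Za-z0-9]{12}$")

# Path fragments identifying the per-user Application Data folder on
# pre-Vista ("Application Data") and newer ("AppData\Roaming") Windows layouts.
APPDATA_MARKERS = ("\\application data\\", "\\appdata\\roaming\\")


def executable_from_command(command: str) -> str:
    """Extract the executable path from an autorun command line.

    Quoted paths are taken verbatim; unquoted ones are cut at the first space,
    which is good enough for a hunt and wrong only for unquoted paths with spaces.
    """
    command = command.strip()
    if command.startswith('"'):
        return command.split('"')[1]
    return command.split(" ")[0]


def is_under_appdata(path: str) -> bool:
    """True if the path sits anywhere below the user's Application Data folder."""
    lowered = path.lower()
    return any(marker in lowered for marker in APPDATA_MARKERS)


def is_random_12_char_name(path: str) -> bool:
    """True if the file's base name, extension stripped, is exactly 12 alphanumeric characters."""
    stem, _ext = ntpath.splitext(ntpath.basename(path))
    return bool(RANDOM_NAME_RE.match(stem))


def flag_autoruns(run_values):
    """Return (key, value_name, executable) for every Run-key value matching both indicators.

    run_values: iterable of (registry_key, value_name, command_line) tuples.
    """
    hits = []
    for key, name, command in run_values:
        exe = executable_from_command(command)
        if is_under_appdata(exe) and is_random_12_char_name(exe):
            hits.append((key, name, exe))
    return hits


# Constructed sample export of Run-key values; none of these come from the article.
SAMPLE_RUN_VALUES = [
    ("HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run", "OneDrive",
     r'"C:\Users\pos\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
    ("HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run", "Updater",
     r'"C:\Documents and Settings\pos\Application Data\aB3kL9mQx7Zt.exe"'),
    ("HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run", "SecurityHealth",
     r'C:\Windows\System32\SecurityHealthSystray.exe'),
    ("HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run", "WinUpdate",
     r'C:\Users\pos\AppData\Roaming\Qw8eRt2yUi0p.exe -silent'),
]

if __name__ == "__main__":
    for key, name, exe in flag_autoruns(SAMPLE_RUN_VALUES):
        print(f"suspicious autorun: {key}\\{name} -> {exe}")
```

The match is a heuristic, not a signature: a legitimate installer can also drop a short randomly named file under Application Data, so treat each hit as a lead to confirm with the file's hash and the vendor's detection rather than as proof of infection. Because the name is derived from an uptime value the analyst cannot know, the check matches the shape of the name rather than recomputing it.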
Details on Backoff first came to light via US-CERT (the United States Computer Emergency Readiness Team) on July 31, which said the new PoS malware had been operating since at least October 2013, largely undetected by antivirus products, with low to zero chances of getting caught.
From October last year until a dedicated detection was created on August 1, Symantec said its products picked up the threat through other malware signatures.
According to the security company’s telemetry data, most of the infections were in the United States and Canada, but Backoff has also appeared on systems located in the UK and Poland.
Last week, UPS shipment service said Backoff had been collecting credit and debit card information from payment systems in 51 of its locations between January 20 and August 11. The company became aware after a government bulletin came out about the threat.
Another business, Mizado Cocina restaurant in New Orleans, also notified its customers the same threat lurked on its payment systems and exfiltrated financial data of about 8,000 individuals between May 9 and July 18.
An advisory from the Department of Homeland Security (DHS) said more than 1,000 businesses fell victim to the malware, and seven PoS providers/vendors confirmed their clients had reported network intrusions connected to Backoff.
Backoff reaches the affected device through brute force attacks on the login feature of remote desktop software products; targets are found by running wide scans for the remote desktop protocol.
The technique used for extracting financial information is memory (RAM) scraping, which consists of analyzing the RAM of the compromised system for card track data.