BackSwap Trojan exploits standard browser features to empty bank accounts

Creating effective and stealthy banking malware is becoming increasingly difficult, forcing malware authors to come up with innovative methods. The latest creative burst in this malware segment comes from a group that initially came up with malware stealing cryptocurrency by replacing wallet addresses in the clipboard.

BackSwap Trojan

About the BackSwap banking malware

“To steal money from a victim’s account via the internet banking interface, typical banking malware will inject itself or its specialized banking module into the browser’s process address space,” ESET malware researcher Michal Poslušný notes.

The success of this approach depends on the injection not be detected by security solutions, modules matching the bitness of the target browser, and the banking module hooking browser functions, and their location varies from browser to browser.

BackSwap eschews the usual “process injection for monitoring browsing activity” trick. Instead, it handles everything by working with Windows GUI elements and simulating user input.

“This might seem trivial, but it actually is a very powerful technique that solves many ‘issues’ associated with conventional browser injection,” the researcher notes.

“First of all, the malware does not interact with the browser on the process level at all, which means that it does not require any special privileges and bypasses any third-party hardening of the browser, which usually focuses on conventional injection methods. Another advantage for the attackers is that the code does not depend either on the architecture of the browser or on its version, and one code path works for all.”

BackSwap monitors the visited URLs, looks for and detects bank-specific URLs and window titles by hooking key window message loop events.

Once banking activity is detected, the malware injects malicious JavaScript into the web page, either via the browser’s JavaScript console or directly into the address bar (via JavaScript protocol URLs, a little-used feature supported by most browsers). Also interesting is that the malware cleverly bypasses several countermeasures browser makers have implemented to prevent the exploitation of that last feature.

Finally, the injected JavaScript replaces the recipient’s bank account number with the number of an account opened by the attackers or their mules. If the user doesn’t notice the switch and authorizes the transaction, the attack is successful.

BackSwap distribution

At the moment, the malware is made to target customers of five Polish banks (PKO Bank Polski, Bank Zachodni WBK S.A., mBank, ING and Pekao), and will only steal money if the wire transfer amount is between 10,000 and 20,000 Polish zloty (i.e., $2,800 – $5,600).

The targets get infected with the malware by opening malicious attachements attached to spam email, containing the Nemucod or other downloader Trojans.

“The payload is delivered as a modified version of a legitimate application that is partially overwritten by the malicious payload. The application used as the target for the modification is being changed regularly – examples of apps misused in the past include TPVCGateway, SQLMon, DbgView, WinRAR Uninstaller, 7Zip, OllyDbg, FileZilla Server,” the researcher shared.

The app is modified to jump to the malicious code during its initialization and control is transferred to the malware (the legitimate app will not work).

According to Poslušný, the intent of this approach is not to fool users into thinking they are running the legitimate app, but to minimize the possibility of the malware being detected and analyzed.

“This makes the malware harder for an analyst to spot, as many reverse engineering tools like IDA Pro will show the original main() function as a legitimate start of the application code and an analyst might not notice anything suspicious at first glance,” he explained.

Don't miss