Trojan BackSwap Raises New Risks Across Banking Systems

Malware injects malicious JavaScript directly into the address bar

By Shrina Gohil

Security researchers at ESET have identified a new banking Trojan called ‘BackSwap’ which uses “never seen before” techniques to help steal online funds.

The Slovakia-based cybersecurity company said in a blog post this week: “Instead of using complex process injection methods to monitor browsing activity, the malware hooks key window message loop events in order to inspect values of the window objects for banking activity.”

The report’s author, Michael Poslusny, added: “Once banking activity is detected, the malware injects malicious JavaScript into the web page, either via the browser’s JavaScript console or directly into the address bar. All these operations are done without the user’s knowledge. This is a seemingly simple trick that nevertheless defeats advanced browser protection mechanisms against complex attacks.”

BackSwap is distributed through malicious email spam campaigns that carry, as an attachment, a heavily obfuscated JavaScript downloader from a malware family known as Nemucod. The spam campaigns are currently only targeting Polish users, and researchers say BackSwap currently comes with support for altering the web portals of five Polish banks – PKO Bank Polski, Bank Zachodni WBK S.A., mBank, ING, and Pekao.

Until this new type of malware was discovered by ESET, banking Trojans used two main tricks to steal money from victims. The first relied on altering DNS and Internet settings to intercept requests for banking-related sites and redirect the user to a clone of the original bank site, where the criminals act as a middleman and harvest credentials – a man-in-the-middle attack.

The second technique, still in use by major banking Trojans such as Dridex, Ursnif, Zbot, Trickbot and Qbot, relies on injecting malicious code into the browser’s process. Although this technique was effective for a time, antivirus vendors have adapted their products to scan for injection attempts and have become very good at catching them.

BackSwap bypasses both antivirus and browser-related protections because it does not tamper with the browser process at all. Instead, it taps into a native Windows mechanism, the “message loop”, and uses it to search window contents for URL-like patterns such as “https” strings and other terms such as bank names.

Once BackSwap has detected the browser loading a bank-related website, it tries to tamper with the page content. The entire attack takes under a second to execute, and users would have a hard time noticing anything suspicious, as it produces no obvious signs such as a browser freeze.

The constant effort vendors put into improving antivirus software may be one of the reasons cybercriminal groups have moved away from distributing banking Trojans that use the established methods, and this shift is likely to spread rapidly worldwide.
