Security researchers at ESET have identified a new banking Trojan called ‘BackSwap’ that uses “never seen before” techniques to steal online funds.
The Slovakia-based cybersecurity company said in a blog post this week: “Instead of using complex process injection methods to monitor browsing activity, the malware hooks key window message loop events in order to inspect values of the window objects for banking activity.”
The report’s author, Michal Poslušný, added: “Once banking activity is detected, the malware injects malicious JavaScript into the web page, either via the browser’s JavaScript console or directly into the address bar. All these operations are done without the user’s knowledge. This is a seemingly simple trick that nevertheless defeats advanced browser protection mechanisms against complex attacks.”
BackSwap is distributed through malicious email spam campaigns carrying an attachment: a heavily obfuscated JavaScript downloader from the malware family known as Nemucod. The spam campaigns currently target only Polish users, and researchers say BackSwap currently supports altering the web portals of five Polish banks: PKO Bank Polski, Bank Zachodni WBK S.A., mBank, ING, and Pekao.
Before ESET discovered this new type of malware, banking Trojans relied on two main techniques to steal money from victims. The first altered DNS and Internet settings to intercept requests for banking-related sites and redirect the user to a clone of the original bank website, where the criminals acted as a middleman and harvested credentials (a man-in-the-middle attack).
The second, used by major banking Trojans such as Dridex, Ursnif, Zbot, Trickbot and Qbot, injects malicious code into the browser’s process. This technique once worked well, but antivirus vendors have adapted their products to scan for injection attempts and have become very effective at catching them.
BackSwap bypasses both antivirus and browser-related protections because it does not tamper with the browser process at all. Instead, it taps into a native Windows mechanism, the “message loop”, and searches the window messages for URL-like patterns such as “https” strings and other terms such as bank names.
Once BackSwap detects the browser loading a bank-related website, it tampers with the page content. The entire attack executes in under a second, and users would have a hard time noticing anything suspicious because it produces no obvious signs such as a browser freeze.
The constant improvement of antivirus software by vendors may be one reason cybercriminal groups have moved on from distributing banking Trojans that use the older methods, and this trend is likely to increase rapidly worldwide.