BackSwap Banking Trojan Bypasses Browser Protection

Delaware, USA – May 29, 2018 – Researchers from ESET have discovered the BackSwap banking trojan, which uses entirely new techniques to steal money. So far, this malware has targeted only a few banks in Poland, but other banking trojans could adopt these methods shortly. Unlike most other banking trojans, BackSwap does not use DNS hijacking or web-inject techniques, and its activities are difficult to detect. The first attacks were recorded in mid-March, and over the following 2.5 months the malware has undergone several significant improvements. Attackers conduct spam campaigns that deliver the Nemucod downloader as a malicious attachment; it downloads a modified version of legitimate software from the attackers' server and executes it. Each campaign abuses a different application; 7Zip, FileZilla Server, WinRAR Uninstaller and several other apps are known to have been used. The adversaries modify these applications so that they jump to the malicious code during their initialization. BackSwap uses Windows GUI elements to track the active URLs and page names in the browser and determine when the victim is about to make a money transfer. At the appropriate moment, the malware injects a script into the browser: it abuses the browser's JavaScript protocol and hides the traces of its actions. Almost all modern browsers are affected by this attack. The malicious JavaScript then checks the amount being sent (the threat actors are interested in payments between $2,800 and $5,600) and replaces the recipient's account number at the moment the money is sent.

Built-in browser protections cannot cope with abuse of the JavaScript protocol, and the exploitation of known legitimate software for delivery allows the malware to evade antivirus tools. To detect the activities of BackSwap or other malware using advanced techniques, you can leverage your SIEM with the APT Framework, which uses statistical profiling and behavioral analysis techniques to uncover suspicious activity.
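The two passages above describe the technique (a script injected through the browser's JavaScript protocol while the victim is on a transfer page) and the defensive response (behavioural detection in a SIEM). The following is an added example, not code from ESET, from the article, or from the APT Framework product: a small Python detector that scans browser navigation telemetry for address-bar navigations whose scheme is `javascript:`, which is the observable a defender gets when a tool drives the address bar the way the article describes. The log format (`<timestamp> <process> NAVIGATE <url>`) and the sample lines are constructed for illustration; the scheme normalisation mirrors how browsers strip tabs and newlines from a URL before parsing it, so the common obfuscation of splitting the scheme across such characters is still caught.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample telemetry (hypothetical format "<ts> <process> NAVIGATE <url>").
# None of these lines come from real BackSwap samples or from ESET's report.
SAMPLE_EVENTS = """\
2018-05-29T10:01:02Z chrome.exe NAVIGATE https://bank.example/login
2018-05-29T10:03:17Z chrome.exe NAVIGATE https://bank.example/transfer
2018-05-29T10:03:19Z chrome.exe NAVIGATE javascript:(function(){document.querySelector('#iban').value='IBAN-PLACEHOLDER';})()
2018-05-29T10:05:00Z firefox.exe NAVIGATE about:blank
2018-05-29T10:06:30Z firefox.exe NAVIGATE JavaScript:void(0)
2018-05-29T10:07:45Z firefox.exe NAVIGATE java\tscript:alert(1)
2018-05-29T10:08:10Z firefox.exe NAVIGATE https://example.org/?q=javascript:not-a-scheme
"""

EVENT_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<proc>\S+)\s+NAVIGATE\s+(?P<url>.+)$")


@dataclass
class Alert:
    ts: str
    process: str
    url: str
    previous_url: Optional[str]  # what the same process navigated to just before
    reason: str


def url_scheme(url: str) -> str:
    """Return the lower-cased scheme of a URL as a browser would parse it.

    Browsers drop tabs, CR and LF anywhere in the URL and trim surrounding
    whitespace before parsing, so 'java\\tscript:...' is still 'javascript:'.
    """
    cleaned = re.sub(r"[\t\r\n]", "", url.strip())
    head, sep, _ = cleaned.partition(":")
    # A scheme must be purely alphanumeric (plus + - .); anything else means
    # the colon belongs to the path or query, not to a scheme.
    if not sep or not re.fullmatch(r"[A-Za-z][A-Za-z0-9+.-]*", head):
        return ""
    return head.lower()


def find_javascript_navigations(events: str) -> List[Alert]:
    """Flag every address-bar navigation whose scheme is javascript:.

    The previous URL visited by the same process is attached so an analyst can
    see whether the injection followed a banking page, which is the pattern
    the article describes.
    """
    alerts: List[Alert] = []
    last_url_by_process = {}
    for line in events.splitlines():
        m = EVENT_RE.match(line)
        if not m:
            continue  # skip malformed telemetry rather than crash the detector
        proc, url = m.group("proc"), m.group("url").strip()
        if url_scheme(url) == "javascript":
            alerts.append(Alert(
                ts=m.group("ts"),
                process=proc,
                url=url,
                previous_url=last_url_by_process.get(proc),
                reason="javascript: URL navigated in address bar",
            ))
        last_url_by_process[proc] = url
    return alerts


if __name__ == "__main__":
    for a in find_javascript_navigations(SAMPLE_EVENTS):
        print(f"{a.ts} {a.process} {a.reason}; previous page: {a.previous_url}")
```

Run as a script it prints one line per hit; in a SIEM the same logic would be a rule over whatever field carries the navigated URL. The `previous_url` context is what turns a noisy indicator into a useful one: a `javascript:` navigation in a session whose prior page was a banking transfer form deserves a much higher severity than a developer typing `javascript:void(0)` into an arbitrary tab.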