BackSwap Trojan Targets Banks in Spain

Delaware, USA – August 27, 2018 – The BackSwap banking trojan switched to Spanish financial organizations. Researchers from ESET discovered this threat in March, and they published a report in which they shared the results of further monitoring of the trojan. Until recently, BackSwap operators targeted only banks in Poland, but now the trojan configured to attack six large Spanish banks. Despite the fact that the malware uses the same features as Tinba Trojan, the code is very different from Tinba’s code. This trojan is developed by the yet unknown cybercriminal gang and they spread BackSwap via spam emails and integrate it into installers of free or open source popular programs. It differs from other bankers: BackSwap injects JavaScript into the address bar instead of hooking browser functions. This technique allows malware to bypass the browser’s protection and security checks by the bank. Malware tracks when a user is about to make a money transfer and changes the beneficiary’s account number after the transfer starts.

This trojan is especially successful against users who do not use two-factor authentication. Researchers from ESET suggest that this malware this year can enter the top ten most common banking trojans, and attackers can use it in attacks against banks worldwide. SIEM can uncover this threat using Sysmon Framework and Windows Security Monitor rule packs.