The BackSwap Trojan uses a never-before-seen technique to steal money from bank customers, relying on it instead of complex code injection methods.
“We have discovered a new banking malware family that uses an innovative technique to manipulate the browser: instead of using complex process injection methods to monitor browsing activity, the malware hooks key window message loop events in order to inspect values of the window objects for banking activity.”
The BackSwap Trojan uses three new techniques that do not tamper with the browser processes.
The first technique is used to detect when the user is accessing a bank-related website: BackSwap relies on a Windows mechanism called the 'message loop', an obligatory part of the code in every program that uses a graphical interface in Microsoft Windows.
“The malware monitors the URL currently being visited by installing event hooks for a specific range of relevant events available through the Windows message loop, such as EVENT_OBJECT_FOCUS, EVENT_OBJECT_SELECTION, EVENT_OBJECT_NAMECHANGE and a few others. The hook will look for URL patterns by searching the objects for strings starting with “https” retrieved by calling the get_accValue method from the event’s IAccessible interface,” reads the report published by ESET.
The malware looks into the Windows message loop for bank-specific URLs or any terms that are related to the banking website.
Once a match is detected, the malware uses one of the techniques below to load the malicious script for the corresponding bank from its resources.
In the first technique, the malware inserts the malicious script into the clipboard and simulates pressing the key combination for opening the developer’s console (CTRL+SHIFT+J in Google Chrome, CTRL+SHIFT+K in Mozilla Firefox).
After that, the malware simulates CTRL+V, which pastes the content of the clipboard and then sends ENTER to execute the contents of the console.
The malware then sends the console key combination again to close the console, and the browser window is made invisible during this process. As the entire attack takes under a second to execute, the user is unlikely to notice that anything went wrong.
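The paste-into-console sequence described above is unusual behaviour for any legitimate process: a clipboard write followed, within a fraction of a second, by synthesized keystrokes to a browser window that open the developer console, paste and press ENTER. The following is an added detection example, not code from ESET's report or from the malware. It assumes a hypothetical, constructed API-call telemetry format (one Win32 call per line with key=value fields); real EDR output looks different. The API names used in the sample lines (SetWinEventHook, SetClipboardData, SendInput) are real Win32 functions, but the article does not state which exact calls BackSwap makes, so treating them as its imports is an assumption.

```python
"""Flag the clipboard-then-console-keystrokes sequence in constructed API-call telemetry.

Added example, not ESET's or the malware's code. The log format below is
hypothetical; only the sequence of calls it records matters to the check.
"""
from collections import defaultdict
from datetime import datetime, timedelta

BROWSERS = {"chrome.exe", "firefox.exe", "iexplore.exe"}
# Developer-console shortcuts named in the article (Chrome, Firefox).
CONSOLE_SHORTCUTS = {"CTRL+SHIFT+J", "CTRL+SHIFT+K"}
# Keystrokes must follow the clipboard write within this window; the attack takes under a second.
WINDOW = timedelta(seconds=3)

# Constructed sample telemetry (hypothetical format): "<timestamp> pid=.. proc=.. api=.. k=v ..."
SAMPLE_LOG = """\
2018-05-25T10:00:01.100 pid=4100 proc=updater.exe api=SetWinEventHook range=EVENT_OBJECT_FOCUS..EVENT_OBJECT_NAMECHANGE
2018-05-25T10:00:05.200 pid=4100 proc=updater.exe api=SetClipboardData fmt=CF_UNICODETEXT len=2310
2018-05-25T10:00:05.250 pid=4100 proc=updater.exe api=SendInput keys=CTRL+SHIFT+J target=chrome.exe
2018-05-25T10:00:05.300 pid=4100 proc=updater.exe api=SendInput keys=CTRL+V target=chrome.exe
2018-05-25T10:00:05.350 pid=4100 proc=updater.exe api=SendInput keys=ENTER target=chrome.exe
2018-05-25T10:00:05.400 pid=4100 proc=updater.exe api=SendInput keys=CTRL+SHIFT+J target=chrome.exe
2018-05-25T10:01:10.000 pid=2200 proc=notepad.exe api=SetClipboardData fmt=CF_UNICODETEXT len=40
2018-05-25T10:01:40.000 pid=2200 proc=notepad.exe api=SendInput keys=CTRL+V target=chrome.exe
"""


def parse_line(line):
    """Turn one telemetry line into a dict of fields plus a parsed 'ts' datetime."""
    ts, rest = line.split(" ", 1)
    fields = {}
    for token in rest.split(" "):
        key, _, value = token.partition("=")
        fields[key] = value
    fields["ts"] = datetime.fromisoformat(ts)
    return fields


def detect_console_injection(log_text):
    """Return one finding per process that writes the clipboard and then, within WINDOW,
    sends a console shortcut, a paste and ENTER to a browser window."""
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    by_pid = defaultdict(list)
    for ev in events:
        by_pid[ev["pid"]].append(ev)

    findings = []
    for pid, evs in by_pid.items():
        evs.sort(key=lambda e: e["ts"])
        # A prior accessibility event hook from the same process strengthens the finding.
        hooked_events = any(e.get("api") == "SetWinEventHook" for e in evs)
        for i, ev in enumerate(evs):
            if ev.get("api") != "SetClipboardData":
                continue
            # Synthesized keystrokes aimed at a browser, shortly after the clipboard write.
            keys = [
                x["keys"] for x in evs[i + 1:]
                if x.get("api") == "SendInput"
                and x.get("target") in BROWSERS
                and x["ts"] - ev["ts"] <= WINDOW
            ]
            if any(k in CONSOLE_SHORTCUTS for k in keys) and "CTRL+V" in keys and "ENTER" in keys:
                findings.append({
                    "pid": pid,
                    "proc": ev.get("proc"),
                    "at": ev["ts"].isoformat(),
                    "keys": keys,
                    "hooked_events": hooked_events,
                })
                break  # one finding per process is enough for triage
    return findings


if __name__ == "__main__":
    for f in detect_console_injection(SAMPLE_LOG):
        print(f"pid {f['pid']} ({f['proc']}) at {f['at']}: {' '.join(f['keys'])}"
              f" | accessibility hook seen: {f['hooked_events']}")
```

The notepad.exe lines in the sample show why the time window and the full key sequence both matter: a user copying text and pasting it into a browser half a minute later also produces a clipboard write followed by CTRL+V, but neither within the window nor with the console shortcut and ENTER, so it is not flagged.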
The latest version of BackSwap malware supports the attack against Mozilla Firefox, Google Chrome, and Internet Explorer.
Researchers also said that the current version of the BackSwap Trojan carries malicious scripts targeting only five Polish banks: PKO Bank Polski, Bank Zachodni WBK S.A., mBank, ING and Pekao.