​BackSwap banking trojan evolves to steal money from victims without being detected

• The first sample of the BackSwap malware was detected in March 2018.
• The first version did not contain any anti-analysis or anti-debugging techniques.

The BackSwap trojan, which was first detected in March 2018, has evolved with unique and innovative techniques. The trojan now comes with enhanced capabilities and can pilfer money from victims, while remaining undetected.

The first sample of the BackSwap malware was the simplest form of all versions. It did not contain any anti-analysis or anti-debugging techniques and hence this made it easy to infer the samples that were used to target banks in Poland.

“These samples almost did not contain any measures to complicate the analysis of the payload, which was inserted as-is to the original program (Mostly 7-Zip but also WinGraph and SQLMon). For this reason, a lot of the malware’s strings, including targeted banks and browsers, were all visible. Hence, it was possible to infer that the targeted banks were all Polish and each sample inspected was targeting between 1 and 3 banks,” said Itay Cohen, a security researcher at CheckPoint in the analysis report.

In the mid-April, the banking trojan was found creating fake input fields in the Document Object Model (DOM) of the targeted websites. These fake fields looked identical to the original fields and tricked victims into thinking that they are filling in the real fields. This new version of malware also relied on injecting the malicious JavaScript code directly into the URL address bar for stealing the financial information.

By the end of April, the malware was further enhanced to encrypt its resources. It started using single-byte XOR key for encrypting.

“Apart from the change in XOR key, the authors also moved the IBAN to be hardcoded in the web-injects javascript, as opposed to the binary where it previously resided. This persisted through most of the samples in May, where some had additional names appended, which most likely correspond to money mules that participated in the operation,” Cohen explained.

In the month of May 2018, BackSwap began tracking the number of infected machines. This was done by sending an HTTP request to yadro.ru, a popular Russian site that keeps a track of hits on a website.

June 2018 was a crucial month for the BackSwap malware authors. The threat actors behind the trojan introduced a unique technique of encoding the payloads. They took the advantage of the BMP header - also known as a bitmap - to make the code look simple and not malicious.

The shift in its target in August 2018 marked the turning point of BackSwap trojan. The malware totally abandoned the previously targeted Polish banks and started focusing its malicious operation on Spanish banks. In addition, the malware authors also changed the way it conducted the web-injection.

“Instead of keeping it in different resources for each targeted bank, as it did before, it aggregated all of them into a single resource, such that each web-inject code snippet was delimited by a particular separator keyword,” said Cohen.

The variants have shown no major changes from September through November, except for few modifications in the PIC payload, encryption layers and JavaScript web-injection mode.

CheckPoint research describes the evolution of BackSwap trojan is the “evidence that this monetization model is not dead yet. Hence, users should be cautious when downloading software from unauthorized sources, as the malware is capable of bypassing security measures by pretending as a legitimate application. It is highly recommended to download software from the sites with authorized distributors.