- The first sample of the BackSwap malware was detected in March 2018.
- The first version did not contain any anti-analysis or anti-debugging techniques.
The BackSwap trojan, which was first detected in March 2018, has evolved with unique and innovative techniques. The trojan now comes with enhanced capabilities and can pilfer money from victims, while remaining undetected.
The first sample of the BackSwap malware was the simplest form of all versions. It did not contain any anti-analysis or anti-debugging techniques and hence this made it easy to infer the samples that were used to target banks in Poland.
“These samples almost did not contain any measures to complicate the analysis of the payload, which was inserted as-is to the original program (Mostly 7-Zip but also WinGraph and SQLMon). For this reason, a lot of the malware’s strings, including targeted banks and browsers, were all visible. Hence, it was possible to infer that the targeted banks were all Polish and each sample inspected was targeting between 1 and 3 banks,” said Itay Cohen, a security researcher at CheckPoint in the analysis report.
By the end of April, the malware was further enhanced to encrypt its resources. It started using single-byte XOR key for encrypting.
In the month of May 2018, BackSwap began tracking the number of infected machines. This was done by sending an HTTP request to yadro.ru, a popular Russian site that keeps a track of hits on a website.
June 2018 was a crucial month for the BackSwap malware authors. The threat actors behind the trojan introduced a unique technique of encoding the payloads. They took the advantage of the BMP header - also known as a bitmap - to make the code look simple and not malicious.
The shift in its target in August 2018 marked the turning point of BackSwap trojan. The malware totally abandoned the previously targeted Polish banks and started focusing its malicious operation on Spanish banks. In addition, the malware authors also changed the way it conducted the web-injection.
“Instead of keeping it in different resources for each targeted bank, as it did before, it aggregated all of them into a single resource, such that each web-inject code snippet was delimited by a particular separator keyword,” said Cohen.
CheckPoint research describes the evolution of BackSwap trojan is the “evidence that this monetization model is not dead yet. Hence, users should be cautious when downloading software from unauthorized sources, as the malware is capable of bypassing security measures by pretending as a legitimate application. It is highly recommended to download software from the sites with authorized distributors.