Security researchers have discovered a new strain of banking malware named BackSwap that uses an unusual technique to target bank customers and empty their accounts. Banking trojans typically rely on complex process-injection methods to plant code that monitors browsing activity, or on DNS hijacking to redirect the user to a cloned website and harvest login credentials.
As antivirus and web browser developers become increasingly effective at detecting and blocking process-injection attempts, many cybercriminals have shifted towards easier, more profitable malware such as ransomware or cryptominers.
ESET researchers say BackSwap uses a "seemingly simple trick that nevertheless defeats advanced browser protection mechanisms against complex attacks."
The malware is delivered as a modified copy of a legitimate application with the malicious code hidden inside it. "The intent is not to fool users into thinking they are running the legitimate app, but rather to increase the 'stealthiness' of the malware against analysis and detection," researchers said.
Once run, the malware first copies itself into a Startup folder to establish persistence, then proceeds with its banking functionality.
"The malware does not interact with the browser on the process level at all, which means that it does not require any special privileges and bypasses any third-party hardening of the browser, which usually focuses on conventional injection methods," researchers explain. "Another advantage for the attackers is that the code does not depend either on the architecture of the browser or on its version, and one code path works for all."
Instead, BackSwap hooks key Windows message-loop events to watch for URL-like patterns such as "https" strings and for signs of banking activity such as bank-specific URLs and window titles in the browser. When it spots a page the victim is using to initiate a wire transfer or pay a bill, it injects a script into that page not by hooking the browser process but by simulating user input: pasting the script into the browser's JavaScript console or running it from the address bar as a javascript: URL.
The attack works against Google Chrome, Mozilla Firefox and Internet Explorer, all of whose vendors have been notified by ESET. Researchers noted that the spam campaign primarily targets Polish banking customers, with malicious scripts written for five Polish banks: Pekao, ING, PKO Bank Polski, Bank Zachodni WBK S.A. and mBank.
So far, the malware only acts on wire transfers and payments in a specific range, between 10,000 and 20,000 PLN (roughly $2,800 to $5,600).
Since January, the developers behind BackSwap had been deploying other malware, including a cryptocurrency stealer that replaces wallet addresses in the clipboard. The first version of the BackSwap banking malware appeared on March 13; since then its developers have released new versions almost daily, except at weekends.
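To make the targeting criteria described above concrete (the window-title check and the 10,000 to 20,000 PLN amount range), here is a small Python model of that decision. It is an example added for this page, not ESET's analysis code or the malware's own logic; the bank markers, window titles and amount formats are constructed for illustration, and the exact patterns BackSwap matches are not given in the article.

```python
import re
from typing import Optional

# Constructed for this example: markers a BackSwap-style check might look for
# in browser window titles. Word boundaries matter: a bare substring match on
# "ing" would also fire on titles such as "Loading...".
BANK_MARKER = re.compile(r"\b(?:pekao|ing|i?pko\w*|bzwbk|mbank)\b", re.IGNORECASE)
HTTPS_URL = re.compile(r"https://[\w.-]+", re.IGNORECASE)

# Polish-style amounts as they appear on a transfer page, e.g. "12 500,00 zł"
# or "9.999,99 PLN": thousands split by space or dot, grosze after a comma.
PLN_AMOUNT = re.compile(r"(\d[\d\s.]*)(?:,(\d{2}))?\s*(?:PLN|zł)", re.IGNORECASE)

# Range from the article, kept in grosze (1/100 PLN) to avoid float rounding.
MIN_GROSZE = 10_000 * 100
MAX_GROSZE = 20_000 * 100


def classify_window(title: str) -> str:
    """Classify a browser window title using only the title string.

    Returns 'bank' if a bank marker is present, 'https' if only a secure URL
    is visible, and 'other' otherwise. Nothing here touches the browser
    process, which is the article's point: no privileges or hooks are needed.
    """
    if BANK_MARKER.search(title):
        return "bank"
    if HTTPS_URL.search(title):
        return "https"
    return "other"


def parse_pln_grosze(text: str) -> Optional[int]:
    """Extract the first PLN amount from page text, in grosze; None if absent."""
    match = PLN_AMOUNT.search(text)
    if not match:
        return None
    whole = re.sub(r"[\s.]", "", match.group(1))
    grosze = match.group(2) or "00"
    return int(whole) * 100 + int(grosze)


def in_target_range(grosze: Optional[int]) -> bool:
    """True only for amounts inside the 10,000 to 20,000 PLN window."""
    return grosze is not None and MIN_GROSZE <= grosze <= MAX_GROSZE


def would_trigger(title: str, page_text: str) -> bool:
    """Combined decision: banking window AND transfer amount in range."""
    return classify_window(title) == "bank" and in_target_range(parse_pln_grosze(page_text))


if __name__ == "__main__":
    # Constructed sample window titles and page snippets.
    samples = [
        ("iPKO - Przelew - Mozilla Firefox", "Kwota: 12 500,00 zł"),
        ("https://online.mbank.pl - Google Chrome", "Kwota: 25 000 PLN"),
        ("Loading... - Google Chrome", "Kwota: 15 000,00 zł"),
        ("https://example.org - Google Chrome", "Kwota: 15 000,00 zł"),
    ]
    for title, text in samples:
        print(f"{title!r}: window={classify_window(title)}, "
              f"amount={parse_pln_grosze(text)}, trigger={would_trigger(title, text)}")
```

The two-stage check mirrors the article: a cheap scan for "https" first, then bank-specific markers, and only then the amount filter on the page contents. A defender reproducing the malware's behaviour in a sandbox can use the same criteria to build decoy windows and transfer pages that reliably trigger the inject.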
ESET researchers note that BackSwap highlights the fact that "in the ongoing battle between the security industry and authors of banking malware, new malicious techniques do not necessarily need to be highly sophisticated to be effective."