Attackers and malware authors have a focus: they are looking for data to steal and then sell or manipulate. One area that continues to grow in popularity is trojans coded to steal the user’s banking credentials. In this area of expertise there are not merely more banking trojans, but new nuances being added to how they operate.
The malware in question is BackSwap. Historically it has been successful in compromising targets. The updated version has been targeting Polish users and banks. At this juncture, the primary targets have been customers of PKO BP (Bank Polski), mBank, and ING.
The prior version, while effective in its own right, relied on a complex process involving injection methods. The malware kept track of browsing activity. Banking malware has historically injected itself into the browser’s process address space, then hooked browser-specific functions, and from that position modified the traffic.
Naturally, the malware was detected and signatures for it were added to antivirus products. This lowered its overall impact on targets, in that there were fewer successful attacks and compromises. The improved version implemented a simple method to bypass that browser-level detection. This version began to be used and noted in the wild in March 2018, and curiously it was being revised nearly daily.
The malware watches for the user connecting to a bank’s website and uses a specific script for each bank’s site. The recent version has been coded to initiate a wire transfer request from the target’s account. To make the theft less obvious and to ease processing, the attackers insert their own account number into the transfer form. As the transfer is processed, the funds are wired out to the attacker’s bank account. Because it appears that the target is sending the money voluntarily, the transfer bypasses any additional authentication. The amounts stolen have varied from 10K-20K (approximately $2,800-$5,600).
To avoid incidents like this, user training needs to focus on awareness, including the point that users do not have to click on everything. A user who is aware of potential phishing attacks is better able to recognize them and avoid becoming a victim.
About the Author - Charles Parker, II has been working in the info sec field for over a decade, performing pen tests, vulnerability assessments, consulting with small- to medium-sized businesses to mitigate and remediate their issues, and preparing IT and info sec policies and procedures. Mr. Parker’s background includes work in the banking, medical, automotive, and staffing industries.