BackSwap Returns

The attackers and malware coders have a focus. These persons are looking for data to steal and sell or manipulate. One area which continues to grow in popularity are trojans coded to steal the user’s banking credentials. With this area of expertise, there isn’t merely more of the banking trojans, but adding a nuance to this.

The subject malware is BackSwap. Historically this has been successful in compromising targets. The updated version has been targeting Polish users and banks. At this junction, the primary targets have been users at PKO BP (Bank Polski), mBank, and ING.

Prior Versions

The prior version, while exemplary in its own right, utilized a complex process involving injection methods. The malware kept track of browsing activities. Banking malware, historically, used to inject itself into the browser’s process address space. The next step would be for the malware to hook itself into the browser-specific function. At this point the malware would modify the traffic.

Update

Naturally, the malware was detected and the signature was placed within the AV. This lowered its overall impact on the targets, in that there were fewer successful attacks and compromises. The improved version implemented a simple method to bypass the browser detection. This version began to be used and noted in the wild in March 2018. This malware curiously was also being revised nearly daily.

The transportation for the malware is also pertinent. For a successful campaign, the malware has to be forwarded in some manner to the targets. This path has to lull the target into clicking and downloading the malware. In this case the malware was transported to the user via an email. This process was simple, concise, and mundane. This would have not raised a red flag. The malware itself used a heavily obfuscated JavaScript downloader (Nemucod). The malware, to assist the target in deciding to open and thus install it, was delivered and labelled as an updated version of genuine, authentic apps. The malware was launched within the initialization process of the application. This was somewhat stealthy in that the user was tricked into believing they had clicked on the true app. This feature also made the malware difficult to detect in the browser and by AV.

The malware looks for when the user is connecting to a bank’s website. The malware uses a specific script for each bank’s website. The recent malware version has been coded to initiate a wire transfer request from the target’s account. To make the theft less obvious and to ease processing, the attackers insert their account number in the form. As this is processed, the funds are wired out to the attacker’s bank account. As this is processed, the funds are wired out to the attacker’s bank account. As this appears the target is sending the money and there is not a hint this is not voluntary, this bypasses any additional authentication. The amounts stolen have varied from $10K-$20k (approximately $2,800-$5,600).

To avoid issues much like this, there needs to be training for the users focus on awareness, and the point of they don’t have to click on everything. The user being aware of potential phishing attacks is better able to recognize these and not become a victim.

Resources

Arghire, I. (2018, May 29). BackSwap trojan uses new browser monitoring and injection techniques. Retrieved from https://www.securityweek.com/backswap-trojan-uses-new-browser-monitoring-and-injection-techniques

Belton, M. (2018, May 30). Backswap trojan-How to remove it from infected hosts. Retrieved from https://securityboulevard.com/2018/05/backswap-trojan-how-to-remove-it-from-infected-hosts/

Cimpanu, C. (2018, May 25). BackSwap banking trojan uses never-before-seen techniques. Retrieved from https://www.bleepingcomputer.com/news/security/backswap-banking-trojan-uses-never-before-seen-techniques/

Enigma Software. (n.d.). Backswap banking trojan. Retrieved from https://www.enigmasoftware.com/backswapbankingtrojan-removal/

Zorz, Z. (2018, May 29). BackSwap trojan exploits standard browser features to empty bank accounts. Retrieved from https://www.helpnetsecurity.com/2018/05/29/backswap-trojan/

About the Author - Charles Parker, II has been working in the info sec field for over a decade, performing pen tests, vulnerability assessments, consulting with small- to medium-sized businesses to mitigate and remediate their issues, and preparing IT and info sec policies and procedures. Mr. Parker’s background includes work in the banking, medical, automotive, and staffing industries.

Featured Posts
Posts are coming soon
Stay tuned...
Recent Posts
Archive
Search By Tags
No tags yet.
Follow Us
  • Facebook Basic Square
  • Twitter Basic Square
  • Google+ Basic Square