LTS Secure Warning: Hackers clearing bank accounts utilizing malicious Trojan

BackSwap Malware is a newly discovered banking Trojan. It uses an innovative technique to identify the banking websites a user visits and to inject malicious code into the targeted web pages.

In March 2018, ESET detected the first version of the banking malware, identified as Win32/BackSwap, at a time when its author was releasing clipboard malware. The hackers started using BackSwap only in March, but focused heavily on its development, releasing new versions almost daily.

Technical Details

The malware is distributed through malicious emails carrying an obfuscated JavaScript downloader known as Nemucod. BackSwap is delivered as modified versions of legitimate applications, with the malicious code launched during initialization and the original code never used again, meaning that the application does not work at all.

The malware installs event hooks for a specific range of events to monitor the visited URL. It looks for bank-specific URLs and window titles in the browser to determine when the victim is getting ready to make a wire transfer. Finally, it loads the malicious JavaScript appropriate for the corresponding bank from its resources and injects it into the browser.

Older variants copied the malicious script to the clipboard, simulated opening the browser's developer console, pasted the clipboard content there, executed it, and then closed the console. Now, the script is executed directly from the address bar, via JavaScript protocol URLs.
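A defender-side illustration, added here and not part of the advisory: a small Python check that scans constructed browser navigation records for javascript: URLs loaded right after a banking page, which is the address-bar injection pattern described above. The log format, the hostnames and the BANK_HOSTS list are assumptions for the example.

```python
from dataclasses import dataclass
from urllib.parse import urlsplit

# Constructed sample of browser navigation events, one per line:
# "<timestamp> <browser> <url> | <window title>". Not taken from the advisory.
SAMPLE_EVENTS = """\
2018-05-25T10:01:02 chrome https://example-bank.test/login | Example Bank - Login
2018-05-25T10:01:40 chrome https://example-bank.test/transfer | Example Bank - New transfer
2018-05-25T10:01:41 chrome JavaScript:(function(){})() | Example Bank - New transfer
2018-05-25T10:05:00 firefox https://news.example/ | Daily News
2018-05-25T10:05:03 firefox javascript:void(0) | Daily News
"""

# Hypothetical set of protected online-banking hosts (an assumption, not from the page).
BANK_HOSTS = {"example-bank.test"}


@dataclass
class NavEvent:
    ts: str
    browser: str
    url: str
    title: str


def parse_events(text: str) -> list:
    """Parse the constructed log format above into NavEvent records."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        head, _, title = line.partition(" | ")
        ts, browser, url = head.split(maxsplit=2)
        events.append(NavEvent(ts, browser, url, title.strip()))
    return events


def find_address_bar_injections(events, bank_hosts=BANK_HOSTS):
    """Flag javascript: navigations that follow a page on a banking host.

    The scheme check is case-insensitive and ignores leading whitespace,
    because browsers normalise both before executing the URL.
    """
    last_host = {}  # browser -> hostname of the last http(s) page it showed
    findings = []
    for ev in events:
        scheme = ev.url.lstrip().split(":", 1)[0].lower()
        if scheme in ("http", "https"):
            last_host[ev.browser] = urlsplit(ev.url).hostname
        elif scheme == "javascript" and last_host.get(ev.browser) in bank_hosts:
            findings.append((ev.ts, ev.browser, last_host[ev.browser], ev.title))
    return findings


if __name__ == "__main__":
    for hit in find_address_bar_injections(parse_events(SAMPLE_EVENTS)):
        print("javascript: navigation inside a banking session:", hit)
```

The firefox javascript:void(0) entry is deliberately not flagged: it follows a non-banking page, which keeps the heuristic from alerting on ordinary bookmarklets.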

Impact

The legitimate applications used as carriers for the modification, such as TPVCGateway, SQLMon, DbgView, WinRAR Uninstaller, 7Zip, OllyDbg, and FileZilla Server, are changed regularly.

Targeted browsers include Google Chrome and Mozilla Firefox; in recent versions, the authors also added support for Internet Explorer.

At the moment, the malware is made to target customers of five Polish banks (PKO Bank Polski, Bank Zachodni WBK S.A., mBank, ING and Pekao), and will only steal money if the wire transfer amount is between 10,000 and 20,000 Polish zloty (i.e., $2,800 – $5,600).

Recommended Actions

As browsers become better protected against conventional code injection, malware authors will attack browsers in different ways, as Win32/BackSwap demonstrates.

ESET has notified the affected browser vendors regarding the innovative script injection technique.


ESET has released a security advisory about BackSwap Malware on May 25, 2018.