
BackSwap banking malware bypasses browser protections with clever technique

A new banking malware called BackSwap has replaced tricky conventional browser injections with a simpler browser manipulation technique: it watches for banking URLs by hooking key Windows message loop events rather than injecting code into the browser process.

A May 25 blog post from ESET states that company researchers first spotted BackSwap (aka Win32/BackSwap.A) on March 13. Since then the Windows-based malware has been modified almost daily, and detections have spiked sharply.

So far, BackSwap appears to have targeted customers of five Polish banks: PKO Bank Polski, Bank Zachodni WBK S.A., mBank, ING and Pekao. The malware silently replaces the recipient's bank account number with one controlled by the attackers, so a victim who initiates a transfer unknowingly sends the funds to the criminals rather than to the intended payee.

In its blog post, ESET explains that malware authors often struggle to steal money through an internet banking interface when doing so requires direct interaction with the browser process: process injections are commonly intercepted by security solutions, the malicious module must match the bitness (32- or 64-bit) of the browser, and the malware can have difficulty finding and hooking the browser-specific functions that send and receive HTTP requests.

BackSwap's method sidesteps these issues: it needs no special privileges and bypasses third-party browser protections and anti-injection countermeasures. "The malware monitors the URL currently being visited by installing event hooks for a specific range of relevant events available through the Windows message loop, such as EVENT_OBJECT_FOCUS, EVENT_OBJECT_SELECTION, EVENT_OBJECT_NAMECHANGE and a few others," explains malware researcher and blog post author Michal Poslusny. "The hook will look for URL patterns by searching the objects for strings starting with “https” retrieved by calling the get_accValue method from the event's IAccessible interface."
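To see why this works without touching the browser process, here is an added example (not BackSwap's code and not from ESET's post) that reads the foreground browser's current URL through the Windows accessibility layer from an ordinary, unprivileged PowerShell session. It uses the .NET UI Automation API, the successor to the MSAA IAccessible interface the malware queries, and polls the foreground window instead of installing SetWinEventHook event hooks. The bank URL pattern, the function names and the 500 ms polling interval are assumptions for illustration.

```powershell
# Added example, not BackSwap's code and not from ESET's post.
# Reads the URL shown in the foreground browser's address bar through the
# accessibility layer (.NET UI Automation, successor to MSAA/IAccessible),
# from an unprivileged process and without injecting anything into the
# browser. Polling stands in for the SetWinEventHook event hooks the
# malware installs.
Add-Type -AssemblyName UIAutomationClient
Add-Type -AssemblyName UIAutomationTypes
Add-Type -Namespace Win32 -Name NativeMethods -MemberDefinition @'
[DllImport("user32.dll")]
public static extern IntPtr GetForegroundWindow();
'@

# Assumed pattern for illustration; mirrors the "starts with https"
# heuristic quoted above. Replace with the hosts you actually care about.
$WatchPatterns = @('^https://[^/]+\.pl(/|$)')

function Get-ForegroundUrl {
    $hwnd = [Win32.NativeMethods]::GetForegroundWindow()
    if ($hwnd -eq [IntPtr]::Zero) { return $null }
    try {
        $root = [System.Windows.Automation.AutomationElement]::FromHandle($hwnd)
        # The address bar is exposed as an Edit control; search the window's subtree.
        $cond = [System.Windows.Automation.PropertyCondition]::new(
            [System.Windows.Automation.AutomationElement]::ControlTypeProperty,
            [System.Windows.Automation.ControlType]::Edit)
        $edit = $root.FindFirst([System.Windows.Automation.TreeScope]::Descendants, $cond)
        if ($null -eq $edit) { return $null }
        # ValuePattern.Current.Value is the UIA counterpart of IAccessible::get_accValue.
        $vp = $null
        if ($edit.TryGetCurrentPattern([System.Windows.Automation.ValuePattern]::Pattern, [ref]$vp)) {
            return $vp.Current.Value
        }
    } catch {
        # Window went away or exposes no accessibility tree; treat as "no URL".
    }
    return $null
}

function Watch-BankUrls {
    param([int]$IntervalMs = 500)
    $last = $null
    while ($true) {
        $url = Get-ForegroundUrl
        if ($url -and $url -ne $last) {
            $last = $url
            foreach ($p in $WatchPatterns) {
                if ($url -match $p) {
                    Write-Host ("[{0}] bank URL in foreground: {1}" -f (Get-Date -Format o), $url)
                }
            }
        }
        Start-Sleep -Milliseconds $IntervalMs
    }
}

Watch-BankUrls
```

Run it with a browser in the foreground and it logs a line each time the address bar changes to a matching URL. Two caveats for anyone reproducing this: the first Edit control under the window is not guaranteed to be the address bar in every browser, so confirm which control the search returns for yours; and nothing here is injected into the browser, which is exactly why endpoint tooling that only watches for code injection into the browser process never sees this class of activity.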

If BackSwap finds a bank-specific URL or window title in the browser, it assumes a wire transfer is imminent and loads malicious JavaScript crafted for that particular bank into the browser. Older samples copy the script to the clipboard and paste it into the browser's developer console; newer samples execute it directly from the address bar as a JavaScript-protocol (javascript:) URL.

"Win32/BackSwap.A shows us that in the ongoing battle between the security industry and authors of banking malware, new malicious techniques do not necessarily need to be highly sophisticated to be effective," writes Poslusny. "We think that, as browsers become better protected from conventional code injection, malware authors will attack the browsers in different fashions and Win32/BackSwap.A might have just shown us one of the possibilities."

Bradley Barth

As director of multimedia content strategy at CyberRisk Alliance, Bradley Barth develops content for online conferences, webcasts, podcasts and video/multimedia projects, often serving as moderator or host. For nearly six years, he wrote and reported for SC Media as deputy editor and, before that, senior reporter. He was previously a program executive with the tech-focused PR firm Voxus. Past journalistic experience includes stints as business editor at Executive Technology, a staff writer at New York Sportscene and a freelance journalist covering travel and entertainment. In his spare time, Bradley also writes screenplays.
