A new banking malware called BackSwap has replaced tricky conventional browser injections with a simpler browser manipulation technique that can URLs for banking activity by hooking key window message loop events.
A May 25 blog post from ESET states that company researchers first spotted BackSwap (aka Win32/BackSwap.A) on March 13, and since then the Windows-based malware has been undergoing nearly daily modifications, while also triggering a large spike in detections,
So far, BackSwap appears to have targeted the customers of five Polish banks: PKO Bank Polski, Bank Zachodni WBK S.A., mBank, ING and Pekao. Ultimately, the malware secretly replaces legitimate bank account numbers with a malicious one so that victims unknowingly initiate fund transfers to criminals instead of themselves.
In its blog post, ESET explains that bad actors sometimes struggle designing malware that steals money via the internet banking interface, if it requires direct interaction with the browser process. This is because injections are commonly intercepted by security solutions, malicious modules must match the bitness of the browser, and the malware in some cases can have difficulty finding and hooking browser-specific functions that send and receive HTTP requests.
BackSwap's method, however, eliminates these issues, avoiding the need for special privileges and bypassing third-party browser protections and countermeasures. "The malware monitors the URL currently being visited by installing event hooks for a specific range of relevant events available through the Windows message loop, such as EVENT_OBJECT_FOCUS, EVENT_OBJECT_SELECTION, EVENT_OBJECT_NAMECHANGE and a few others," explains malware researcher and blog post author Michal Poslusny. "The hook will look for URL patterns by searching the objects for strings starting with “https” retrieved by calling the get_accValue method from the event'sIAccessible interface."
If BackSwap finds a bank-specific URL or window title in the browser, it knows a wire transfer is imminent, at which point the malware loads malicious JavaScript specifically crafted for the particular bank in question into the browser. Older samples insert its malicious scripts into the clipboard and then paste it into the developer's console, while newer samples execute scripts directly from the address bar using JavaScript protocol URLs.
"Win32/BackSwap.A shows us that in the ongoing battle between the security industry and authors of banking malware, new malicious techniques do not necessarily need to be highly sophisticated to be effective," writes blog post author and ESET malware researcher Michal Poslusny. "We think that, as browsers become better protected from conventional code injection, malware authors will attack the browsers in different fashions and Win32/BackSwap.A might have just shown us one of the possibilities."
