BackSwap malware finds innovative ways to empty bank accounts

Posted on May 25, 2018


To steal money from a victim’s account via the internet banking interface, typical banking malware will inject itself or its specialized banking module into the browser’s process address space. For many reasons, this is not an easy task – first of all, as mentioned before, the injection might be intercepted by a third-party security solution. The injected module also needs to match the bitness of the browser – a 32-bit module cannot be injected into a 64-bit browser process and vice versa.

This results in banking trojans usually having to carry both versions of a given module in order to support both 32-bit and 64-bit versions of the browsers. Win32/BackSwap.A has a completely different approach.

It handles everything by working with Windows GUI elements and simulating user input. This might seem trivial, but it is actually a very powerful technique that solves many of the "issues" associated with conventional browser injection. First of all, the malware does not interact with the browser at the process level at all, which means that it does not require any special privileges and bypasses any third-party hardening of the browser, since such hardening usually focuses on conventional injection methods.

Another advantage for the attackers is that the code depends neither on the architecture of the browser nor on its version: one code path works for all.
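The following is an added illustration of the two claims above and is not BackSwap's code or anything from ESET's analysis. It drives another process's window purely through window lookup and simulated keystrokes (the same class of Win32 GUI automation the article describes), then checks the bitness of the controlling process and of the target to show that they need not match. It assumes a Windows host with an interactive desktop, PowerShell 5.1 or later, and notepad.exe as a harmless stand-in for a browser; the function name Get-ProcessBitness and the Demo.Native type are hypothetical names chosen for this example.

```powershell
# Added example (not from the original article): GUI automation that touches the
# target only through user32/kernel32 query calls and synthetic input, never
# through injection. Target is Notepad, chosen as a harmless stand-in.

Add-Type -AssemblyName System.Windows.Forms
Add-Type -Namespace Demo -Name Native -MemberDefinition @'
[DllImport("user32.dll")]   public static extern IntPtr FindWindow(string lpClassName, string lpWindowName);
[DllImport("user32.dll")]   public static extern uint GetWindowThreadProcessId(IntPtr hWnd, out uint lpdwProcessId);
[DllImport("kernel32.dll")] public static extern IntPtr OpenProcess(uint dwDesiredAccess, bool bInheritHandle, uint dwProcessId);
[DllImport("kernel32.dll")] public static extern bool IsWow64Process(IntPtr hProcess, out bool Wow64Process);
[DllImport("kernel32.dll")] public static extern bool CloseHandle(IntPtr hObject);
'@

function Get-ProcessBitness {
    param([uint32]$ProcessId)
    # PROCESS_QUERY_LIMITED_INFORMATION (0x1000) is enough for IsWow64Process;
    # no VM_WRITE / CREATE_THREAD rights are requested, because nothing is injected.
    $h = [Demo.Native]::OpenProcess(0x1000, $false, $ProcessId)
    if ($h -eq [IntPtr]::Zero) { throw "OpenProcess failed for PID $ProcessId" }
    $wow64 = $false
    [void][Demo.Native]::IsWow64Process($h, [ref]$wow64)
    [void][Demo.Native]::CloseHandle($h)
    if ([Environment]::Is64BitOperatingSystem -and -not $wow64) { '64-bit' } else { '32-bit' }
}

# 1. Start the target and locate its top-level window by class name, not by
#    process handle. A browser would be found the same way (e.g. by class or title).
$target = Start-Process notepad.exe -PassThru
Start-Sleep -Milliseconds 800
$hwnd = [Demo.Native]::FindWindow('Notepad', $null)
if ($hwnd -eq [IntPtr]::Zero) { throw 'Notepad window not found' }

# 2. Resolve the window back to a PID and compare bitness with this script's host.
#    The same script runs unchanged whether the target is 32-bit or 64-bit.
$targetPid = [uint32]0
[void][Demo.Native]::GetWindowThreadProcessId($hwnd, [ref]$targetPid)
"controller PID $PID is $(Get-ProcessBitness $PID); target PID $targetPid is $(Get-ProcessBitness $targetPid)"

# 3. Bring the window to the foreground and type into it. SendKeys is backed by
#    synthetic keyboard input, so the text arrives exactly as if the user had typed it.
$shell = New-Object -ComObject WScript.Shell
[void]$shell.AppActivate([int]$targetPid)
[System.Windows.Forms.SendKeys]::SendWait('typed by the controller process, no injection involved{ENTER}')
```

Two practitioner caveats that the script makes visible: synthetic input only lands in the foreground window, so this style of automation must first activate the target (AppActivate here), and Windows' User Interface Privilege Isolation blocks a lower-integrity process from sending input or messages to a higher-integrity window. A browser running at the same medium integrity as the controlling process is reachable, which is what "no special privileges" amounts to; an elevated target would not be. For detection, the point is that none of the usual injection telemetry (remote thread creation, cross-process memory writes, foreign modules in the browser) is produced, so monitoring has to look at window enumeration and synthetic-input APIs used from unexpected processes instead.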