In the survival guide for million-dollar cyberattacks that we published in 2017, we warned how dangerous banking Trojans can be, and highlighted them as one of the key trends in financial cybercrime, along with phishing and keyloggers. Banking Trojans steal their victim’s online identity and use this information to trick financial institutions and steal money from their accounts. Generally this is done by installing applications or inserting malicious code into the browsers from which users access their bank accounts.
But over the last few years, it seems that the level of banking Trojan activity has decreased considerably. On the one hand, institutions have reacted to the threat by considerably improving their security and their customers’ authentication factors; one example of this is the implementation of virtual keyboards for user sign-in.  This way, it is not possible for a cyberattacker to use a keylogger to steal the details that the user enters with a physical keyboard.
On the other hand, developers have implemented barriers and mechanisms to make injecting code into browsers more complex. For this reason, as we have been pointing out for some time, cyberattackers have been focusing their efforts on other kinds of attacks that are simpler and more profitable, such as ransomware or cryptojacking.
However, in the last few weeks, banking Trojans have started to gain momentum once again, using new, alternative techniques, rather than infiltrating browsers directly. This is the case with BackSwap, a new banking Trojan that has managed to infiltrate several Spanish banks, and which could pose a serious threat to other companies, especially if it comes into contact with employees who work closely with banking institutions. But how does BackSwap work?
BackSwap and its new techniques
BackSwap is an improved and updated variant of the malware Tinba, which was developed in 2015. This malware was noteworthy because of its small size (between 10 and 50Kb) and its capacity to steal the user’s credentials. As ESET researchers discovered, there is one key difference between BackSwap and its predecessor and other banking Trojans, which inject malicious code such as Zbot, Gozi or Dridex. The difference lies in its methodology, which circumvents browsers’ barriers, and can be more difficult for less modern cybersecurity solutions. There are three new techniques that BackSwap uses:
- It detects when the user is accessing a banking institution online via a mechanism native to Windows called “Message loop”: BackSwap clicks on the Windows message loop to search for patterns similar to a URL, such as “https” chains and other terms related to the name of a bank.
- Once it detects that the browser is accessing and loading a banking website, BackSwap proceeds to manipulate the loaded content, but does not inject code directly into the browser. Rather, it simulates a user’s keystrokes, and copies the code to the clipboard, then pastes it to the developer’s console. All of this is done in a way that is invisible to the user.
- Finally, an alternative method – and one that it seems to use more frequently than the previous technique – is to simulate pushing keys in the browser’s address bar: it simulates writing a JavaScript string, pastes the malicious code, and virtually presses enter in order to execute the code. Again, none of this is visible on the user’s screen, and nor does it leave any traces in the history.
How can we prevent it?
As is the case with other banking Trojans such as Trickbot, which we previously analyzed, the main attack vector for BackSwap is email. It is mainly spread via spam containing malicious files such as attached Word documents into which the malware is inserted. Once the file has been executed, it stays on the machine, waiting for the victim to access a banking-related website.
For this reason, the first line of continuous prevention should be employee caution about suspicious emails containing attachments. This is especially true of employees such as CFOs and members of the administration or accounting teams, whose role involves having a close working relationship with financial institutions. It is important to remember that the subject “Invoice” was the cause of 6 out of 10 of the most effective phishing campaigns in 2018.
Likewise, it is a very good idea to have advanced cybersecurity solutions with 360º monitoring, such as Panda Adaptive Defense. On one hand, it performs a complete scan of all emails and attachments in real time as soon as they enter the inbox. On the other hand, it constantly monitors employees’ website use, detecting any suspicious activity in their computers’ browsers. Advanced solutions like Adaptive Defense mean that the negative impact of banking Trojans as complex as BackSwap are reduced to the minimum.