Security researchers at ESET have identified a new banking Trojan called ‘BackSwap’ which uses “never seen before” techniques to help steal online funds.
The Slovakia-based cybersecurity company said in a blog post this week: “Instead of using complex process injection methods to monitor browsing activity, the malware hooks key window message loop events in order to inspect values of the window objects for banking activity.”
Until this new type of malware was discovered by ESET, other banking Trojans used two main tricks to steal money from victims. Previously, the first technique relied on altering DNS and Internet settings to intercept requests for banking-related sites, to redirect the user to a clone website of the original bank site where criminals would act as a middleman and gain credentials, known as a man-in-the-middle attack.
Secondly, another current technique, involves major banking Trojans like Dridex, Ursnif, Zbot, Trickbot and Qbot which rely on injecting malicious code inside the browser’s process. Although this technique was good before, antivirus vendors have altered their applications to scan for injection attempts and have become very effective.
Due to this, BackSwap bypasses both antivirus and browser-related protections as they do not tamper with the browser process at all. BackSwap uses a native Windows mechanism named the “message loop” which BackSwap taps into to search for URL-like patterns such as “https” strings and other terms like bank names.
Once BackSwap has detected the browser accessing and loading a bank-related website, it tries to tamper with the content. The entire attack takes under a second to execute and users would have a hard time noticing anything suspicious as it does not produce any obvious signs such as a regular browser freeze.
Constant hassle of improving antivirus software by vendors may be one of the reasons why cybercriminal groups have moved on from distributing banking Trojans which use original methods and this is most likely to rapidly increase worldwide.