Michal Poslusny & Peter Kalnai, ESET

When we discovered a new banking malware family that we later named BackSwap back in April 2018, we were shocked by it’s completely new approach to banking fraud, which is very different from the techniques used by conventional banking malware that have been evolving for over a decade. The conventional methods usually consist of injecting malicious module into the browser followed by hooking specific important functions of the browser in order to read and alter the browsing data. While code injection is still somewhat effective, it has many drawbacks – most importantly the injected payload needs to match the characteristics of the specific targeted browser and therefore forces the malware authors to build multiple versions of such module. In order to be able to install hooks successfully, each of these malicious modules needs to implement a specific branch of code dedicated to each browser it wants to attack. This generally means a lot of work for the malware authors and also frequent maintenance of the banking module, which is especially important when targeting the prevalent Google Chrome browser that has a very specific implementation and the malware authors tend to lose support every time it receives an update.

BackSwap is an innovative, actively developed and rapidly evolving banking Trojan written in assembly language, which suggests it is being made by a group of experienced malware developers. They came up with a new, out-of-the-box internet banking fraud approach that solves most of the listed issues with little to no effort and one could say it came naturally as a side effect. The method utilizes window events and GUI messages to deploy malicious JavaScript while visiting online banking site and the same implementation works for both x64 and x86 versions of the browser. It bypasses most mitigation techniques offered by security solutions and the operating system, as they tend to be mostly designed to protect the browser against conventional attacks. This technique also requires little to no maintenance and while BackSwap currently only targets Google Chrome, Mozilla Firefox and Internet Explorer, it can be easily applied to any browser currently available on the market. The technique could also be easily ported to other operating systems without much effort and in the future BackSwap could very well be one of the rare cases of banking malware for macOS.

In our talk we will not only provide detailed analysis of the malware itself, it’s evolution, the innovative techniques and the whole distribution chain, but thanks to our active involvement in the investigation we are also able to provide interesting details about behind the scenes of the operation – for example how the attackers hire innocent people and use them as straw men in order to retrieve the stolen money. Additionally, we will talk about our ideas for potential mitigation of such techniques, as we expect that more and more cyber criminals might eventually shift their attention to methods similar to the ones used by BackSwap.