BackSwap is a banking trojan discovered by ESET researchers targeting Polish banks. It is capable of bypassing antivirus software and browser level security protections. While all other banking trojans use two main techniques - altered DNS and internet settings, and injecting malicious code inside the browsers process - the malware uses new techniques never before observed. The first technique utilizes a Windows mechanism called message loop, a section of code in every program that has a graphical user interface in Microsoft Windows. BackSwap uses the message loop feature to search for URL-like patterns and strings related to a bank's name in order to detect when a user is accessing banking-related websites. If this is detected, the malware will use one of two different techniques to carry out its malicious activity. The earlier versions of BackSwap make the browser invisible and insert a malicious script into the clipboard. The malware will simulate pressings of specific keys that open the developer’s console and paste the contents of the clipboard there. Once pasted, the malicious code is executed and alters the banking portal's code in order to give the attacker the ability to control what the victim sees. Newer versions of Backswap take advantage of the “javascript:” protocol in supported browsers. The malware will type the string “javascript:” one character at a time to avoid XSS protections, and then paste malicious JavaScript code after the string and execute the code.

Technical Details:

  • ESET provides technical analysis of BackSwap, here.

Image Source: Bleeping Computer