Security researchers have discovered a new banking trojan named BackSwap that uses never-before-seen techniques to facilitate the theft of online funds.
The techniques the trojan uses have not been observed with another malware family, and they can bypass antivirus software detection and security protections put in place at the browser level.
Experts believe these techniques will soon be copied by other groups and spread around to trigger a new wave of banking trojan attacks right when infections with this malware type have begun to go down.
Until now, all banking trojans used two main tricks to steal money from victims. The first technique, now rarely used, relied on altering local DNS and Internet settings to intercept requests for banking-related sites and redirect the user via a proxy to a clone of the original banking portal, where crooks would collect login credentials and act as a middleman between the user and the bank.
The second technique, currently the go-to solution for all major banking trojans like Dridex, Ursnif, Zbot, Trickbot, Qbot, and others, relied on injecting malicious code inside the browser's process.
This technique was efficient in the beginning, but antivirus vendors have modified their apps to scan for process injection attempts, and have become quite good at detecting these events.
Browser vendors have similarly modified their software to prevent banking trojans from easily tapping into the browser's internal functions that allow trojans to meddle with a page's content.
Nowadays, the process injection technique is more of a headache for banking trojan makers, as they have to review and modify their injection code after every browser update because browser vendors always change something that breaks the attackers' previous code.
This constant hassle and improved AV protection are perhaps among the reasons why many cybercriminal groups have moved from distributing banking trojans to new types of malware such as in-browser miners, coinminers, ransomware, and others.
But in a report published today, ESET revealed it discovered the BackSwap trojan, which came with three new techniques that are completely different from all previous trojans.
Furthermore, these techniques bypass both AV and browser-related protections because they don't tamper with the browser process at all.
The first technique BackSwap deploys detects when the user is accessing a banking-related website. According to ESET, BackSwap uses a native Windows mechanism named the "message loop."
According to Wikipedia, "the message loop is an obligatory section of code in every program that uses a graphical user interface under Microsoft Windows." Browsers are GUI apps, meaning they also use message loops.
BackSwap simply taps into the Windows message loop to search for URL-like patterns, such as "https" strings and other terms related to a bank's name.
Once it detects the browser is accessing and loading a banking-related website, BackSwap uses one of two techniques to tamper with the loaded content. For both techniques, the trojan doesn't inject code inside the browser's process but merely simulates key presses.
Initial versions of the BackSwap trojan used the following method to alter what users are seeing inside web pages.
This entire attack takes under a second to execute, and users will have a hard time noticing that something went wrong or even distinguishing it from a regular browser freeze.
But despite its simplicity, the BackSwap crew seems to have abandoned this first technique, and moved to a new one, which interacts with the browser's address bar.
BackSwap's techniques are incredibly easy to execute and, unlike previous banking trojan attacks, don't necessarily require high-level knowledge of the Windows OS to implement.
While they're bound to spread to other banking trojan families in the future, at the moment this trojan is not a global threat. Researchers say that current versions of BackSwap come with support for altering the web portals of only five Polish banks: PKO Bank Polski, Bank Zachodni WBK S.A., mBank, ING, and Pekao.
Nonetheless, ESET said it notified browser vendors about BackSwap's new techniques in the hopes they'd deploy countermeasures in upcoming browser versions, and mitigate these types of attacks before they go mainstream with other malware families.