BackSwap malware finds innovative ways to empty bank accounts

Minimalist · May 25, 2018

Banking malware (also referred to as banker) has been decreasing in popularity among cybercrooks for a few years now, one of the reasons being that both anti-malware companies and web browser developers are continuously widening the scope of their protection mechanisms against banking Trojan attacks. This results in conventional banking malware fraud becoming more complicated to pull off every day, resulting in malware authors shifting their time and resources into developing easier-to-make and more profitable types of malware like ransomware, cryptominers, and cryptocurrency stealers.
Click to expand...

https://www.welivesecurity.com/2018/05/25/backswap-malware-empty-bank-accounts/

itman · May 25, 2018

Of note is Eset is the only vendor on VT that detects the Javasrcript version of the malware.

Rasheed187 · Jun 2, 2018

Minimalist said: ↑

https://www.welivesecurity.com/2018/05/25/backswap-malware-empty-bank-accounts/
Click to expand...

Interesting stuff, a banking trojan that doesn't use any code injection. The question is, can this be blocked via HIPS? In the article it's mentioned that it installs event hooks to monitor the browser. Isn't this related to global and window hooking? Also, keyboard and mouse simulation are other things that can be blocked.

guest · Aug 23, 2018

BackSwap Malware Now Targets Six Banks in Spain
August 22, 2018
https://securityintelligence.com/backswap-malware-now-targets-six-banks-in-spain/

According to X-Force analysis, BackSwap is its own malware project, but it is based on features that existed within the Tinba Trojan. The malware’s operators keep the code as their own project; in that sense, it is considered gang-owned and not commercial malware.

Overall, BackSwap is no more sophisticated than any other active banking Trojan. Its highlight is its webinjection mechanism. Instead of using the more common method of hooking browser functions, then creating different versions for each architecture, BackSwap injects JavaScript into the address bar.

In terms of what BackSwap does with the injections, this is where the novelty ends. Just as malware such as Zeus has been doing for over a decade, BackSwap uses malicious scripts to modify what victims see on their bank’s website in classic man-in-the-browser (MitB) style: [...]
Click to expand...

Log in or Sign up

BackSwap malware finds innovative ways to empty bank accounts

Minimalist Registered Member

itman Registered Member

Rasheed187 Registered Member

guest Guest

Log in or Sign up

BackSwap malware finds innovative ways to empty bank accounts

Minimalist Registered Member

itman Registered Member

Rasheed187 Registered Member

guest Guest

Useful Searches