Banking malware has been declining in popularity for a few years because banking security has become much more stringent.
The end result is that conventional banking-malware fraud is becoming harder to pull off every day. Attackers don’t like that, so they are shifting their time and energy into developing easier-to-build and more profitable types of malware, such as ransomware, cryptominers, and cryptocurrency stealers.
Having said that, a new banking malware family uses an innovative technique to manipulate the browser: instead of using complex process injection methods to monitor browsing activity, the malware hooks key window message loop events in order to inspect the values of window objects for banking activity.
The malware is BackSwap, and it walks away from the usual process injection for monitoring browsing activity, working instead with Windows GUI elements.
“This might seem trivial, but it actually is a very powerful technique that solves many ‘issues’ associated with conventional browser injection,” said ESET malware researcher Michal Poslušný in a post. “First of all, the malware does not interact with the browser on the process level at all, which means that it does not require any special privileges and bypasses any third-party hardening of the browser, which usually focuses on conventional injection methods. Another advantage for the attackers is that the code does not depend either on the architecture of the browser or on its version, and one code path works for all.”
By hooking key window message loop events, BackSwap monitors the visited URLs and detects bank-specific URLs and window titles.
At the moment, the malware is made to target customers of five Polish banks (PKO Bank Polski, Bank Zachodni WBK S.A., mBank, ING and Pekao), and will only steal money if the wire transfer amount is between 10,000 and 20,000 Polish zloty (i.e., $2,800 – $5,600).
Targets are infected by opening malicious attachments to spam email that carry the Nemucod or other downloader Trojans.