Trojan Leverages Browser for Attack

Tuesday, May 29, 2018 @ 06:05 PM gHale

Banking malware has been decreasing in popularity for a few years because security has gotten much more stringent.

The end result is that conventional banking malware fraud becomes harder to pull off every day. Attackers don’t like that, so they are shifting their time and energy into developing easier-to-make and more profitable types of malware like ransomware, cryptominers, and cryptocurrency stealers.


Having said that, there is a new banking malware family that uses an innovative technique to manipulate the browser: Instead of using complex process injection methods to monitor browsing activity, the malware hooks key window message loop events in order to inspect values of the window objects for banking activity.

The malware is BackSwap, and instead of the usual process injection for monitoring browsing activity it works with Windows GUI elements.

“This might seem trivial, but it actually is a very powerful technique that solves many ‘issues’ associated with conventional browser injection,” said ESET malware researcher Michal Poslušný in a post. “First of all, the malware does not interact with the browser on the process level at all, which means that it does not require any special privileges and bypasses any third-party hardening of the browser, which usually focuses on conventional injection methods. Another advantage for the attackers is that the code does not depend either on the architecture of the browser or on its version, and one code path works for all.”

BackSwap monitors the visited URLs by hooking key window message loop events, and looks for bank-specific URLs and window titles.

“Once banking activity is detected, the malware injects malicious JavaScript into the web page, either via the browser’s JavaScript console or directly into the address bar,” Poslušný said. “All these operations are done without the user’s knowledge. This is a seemingly simple trick that nevertheless defeats advanced browser protection mechanisms against complex attacks.”

Finally, the injected JavaScript replaces the recipient’s bank account number with the number of an account opened by the attackers or their mules. If the user doesn’t notice the switch and authorizes the transaction, the attack is successful.
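The swap described above changes the recipient field without the user touching it. As an added example, not code from the article or from ESET, the page-side guard below records the recipient value at each trusted user input event and flags a submit whose value differs from it (a script dispatching its own event gets isTrusted === false, and a direct assignment to field.value fires no input event at all). The event objects and account numbers are constructed stubs so the logic runs under Node without a DOM; a script already running in the page can still tamper with the guard itself, so this is a defense-in-depth signal for the bank's fraud pipeline, not a complete mitigation.

```javascript
// Added example, not from the article: detect a recipient account value that
// changed without a trusted user input event (the BackSwap symptom).
// Whitespace is normalized so cosmetic reformatting by the page is not a "swap".
const normalize = (v) => String(v ?? "").replace(/\s+/g, "");

function createRecipientGuard() {
  let lastTrusted = "";      // recipient value as last typed/pasted by the user
  let untrustedEvents = 0;   // synthetic (script-dispatched) input events seen

  return {
    // Browser wiring (assumed): field.addEventListener("input", e => guard.onInput(e, field.value))
    onInput(event, value) {
      if (event.isTrusted) {
        lastTrusted = normalize(value);   // only trusted events move the reference
      } else {
        untrustedEvents += 1;             // script-generated event: signal, do not trust
      }
    },
    // Call from the form's submit handler with the field's current value.
    check(currentValue) {
      const actual = normalize(currentValue);
      const base = { expected: lastTrusted, actual, untrustedEvents };
      if (actual !== lastTrusted) {
        return { ok: false, reason: "recipient changed without trusted input", ...base };
      }
      if (untrustedEvents > 0) {
        return { ok: false, reason: "synthetic input events on recipient field", ...base };
      }
      return { ok: true, ...base };
    },
  };
}

// Constructed walkthrough: the user types an account number, the page reformats
// it, then an injected script assigns a different account directly (no event).
function demo() {
  const guard = createRecipientGuard();
  guard.onInput({ isTrusted: true }, "11 2222 3333 4444 5555 6666 7777"); // constructed
  guard.onInput({ isTrusted: true }, "11222233334444555566667777");        // cosmetic only
  return guard.check("99888877776666555544443333");                       // silent swap
}
```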

At the moment, the malware is made to target customers of five Polish banks (PKO Bank Polski, Bank Zachodni WBK S.A., mBank, ING and Pekao), and will only steal money if the wire transfer amount is between 10,000 and 20,000 Polish zloty (i.e., $2,800 – $5,600).

The targets get infected by opening malicious attachments to spam email that carry Nemucod or other downloader Trojans.
