
BackSwap Banking Trojan uses advanced techniques to steal money

Monday 28 May 2018 10:53 CET | News

Security researchers have discovered a new banking trojan named BackSwap that uses advanced techniques to facilitate the theft of online funds.

The techniques the trojan uses have not been observed in any other malware family, and they can bypass antivirus software detection and security protections put in place at the browser level.

The go-to solution for all major banking trojans, such as Dridex, Ursnif, Zbot, Trickbot, Qbot, and others, has relied on injecting malicious code inside the browser's process. This technique was efficient in the beginning, but antivirus vendors have modified their apps to scan for process injection attempts, and have become quite good at detecting these events.

At present, the process injection technique is more of a headache for banking trojan makers, as they have to review and modify their injection code after every browser update because browser vendors always change something that breaks the attackers' previous code.

BackSwap comes with three new techniques that are completely different from those of all previous trojans. The banking trojan uses Windows UI-related code to detect visited sites, and it abuses the browser's developer console and the javascript: protocol. Furthermore, these techniques bypass both AV and browser-related protections because they don't tamper with the browser process at all.

While these techniques are bound to spread to other banking trojan families in the future, at the moment this trojan is not a global threat. Researchers say that current versions of BackSwap come with support for altering the web portals of only five Polish banks: PKO Bank Polski, Bank Zachodni WBK, mBank, ING, and Pekao.



Keywords: BackSwap, banking trojan, web fraud, security, cybercrime