
BackSwap Banking Trojan

Posted: May 29, 2018

The BackSwap Banking Trojan hijacks online payments by redirecting them to accounts controlled by its threat actors. It conceals its activity from the user, so the diverted transfers are most likely to be noticed only by reviewing bank statements regularly. Have an anti-malware product remove the BackSwap Banking Trojan immediately and scan the rest of the PC for related issues, such as the Trojan downloaders that deliver it.

Dumbed Down Trojans for Smarter Crimes

Improved browser protections against hooking and code injection have pushed many threat actors toward other Trojan types, such as cryptocurrency miners like Facexworm. One group, however, continues to invest substantial time and resources in developing and updating banking Trojans, sidestepping these protections by unorthodox means. The BackSwap Banking Trojan, an example of their work, combines simulated user input with ordinary browser-activity monitoring to divert payments.

The BackSwap Banking Trojan's authors push updates almost daily, and each victim's variant is customized to some degree, for example by rotating the account that receives the misappropriated funds. Once it compromises the PC, it persists across reboots through a simple entry in the Windows Startup folder rather than a registry run key or service. It deliberately avoids traditional memory-injection techniques, which many anti-malware products flag.
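Because the persistence mechanism described above is just a file dropped into a Startup folder, it is cheap to hunt for. The following script is an added example for this page, not code from the BackSwap campaign or from any vendor report: it enumerates the current-user, all-users and other profiles' Startup folders, resolves .lnk shortcuts to their real targets, and flags entries that are unsigned, recently created or pointing into user-writable locations. The seven-day "recent" window, the `C:\Users` profile layout and the suspicious-path pattern are assumptions to tune for your environment.

```powershell
# Added example: hunt for Startup-folder persistence of the kind BackSwap uses.
# Assumptions: default Windows profile layout under C:\Users, a 7-day "recent"
# window, and that writable locations such as AppData/Temp/ProgramData are
# worth flagging. Run from an elevated prompt to read other users' profiles.

$startupDirs = @(
    [Environment]::GetFolderPath('Startup')         # current user's Startup folder
    [Environment]::GetFolderPath('CommonStartup')   # all-users Startup folder
)
# Other profiles on the machine (assumed default layout).
$startupDirs += Get-ChildItem -Path 'C:\Users' -Directory -ErrorAction SilentlyContinue |
    ForEach-Object {
        Join-Path $_.FullName 'AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup'
    }

$shell        = New-Object -ComObject WScript.Shell   # used to resolve .lnk targets
$recentCutoff = (Get-Date).AddDays(-7)                # assumption: "recent" = past week
$riskyPath    = '\\AppData\\|\\Temp\\|\\ProgramData\\' # assumption: user-writable dirs

$findings = foreach ($dir in ($startupDirs | Sort-Object -Unique)) {
    if (-not (Test-Path -LiteralPath $dir)) { continue }
    # -Force includes hidden files, which droppers commonly set on their payload.
    foreach ($item in Get-ChildItem -LiteralPath $dir -File -Force -ErrorAction SilentlyContinue) {
        if ($item.Name -ieq 'desktop.ini') { continue }   # benign folder metadata
        $target  = $item.FullName
        $lnkArgs = ''
        if ($item.Extension -ieq '.lnk') {
            $lnk     = $shell.CreateShortcut($item.FullName)
            $target  = $lnk.TargetPath
            $lnkArgs = $lnk.Arguments
        }
        # Authenticode status of the real executable; missing targets are suspicious too.
        $sigStatus = if ($target -and (Test-Path -LiteralPath $target)) {
            (Get-AuthenticodeSignature -FilePath $target).Status.ToString()
        } else { 'TargetMissing' }

        [pscustomobject]@{
            Entry      = $item.FullName
            Target     = $target
            Arguments  = $lnkArgs
            Created    = $item.CreationTime
            Signature  = $sigStatus
            Suspicious = ($sigStatus -ne 'Valid') -or
                         ($item.CreationTime -gt $recentCutoff) -or
                         ($target -match $riskyPath)
        }
    }
}

# Suspicious entries first; review Target and Arguments before deleting anything.
$findings | Sort-Object -Property Suspicious -Descending | Format-Table -AutoSize
```

An unsigned binary or script in a Startup folder that was created in the last few days and lives under AppData or Temp is the pattern to triage first. The script only covers the Startup-folder half of the behaviour; it says nothing about the in-browser activity, which needs browser or endpoint telemetry rather than a file listing.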

The payload hides the user-interface elements it works through, such as the browser's console, by making them invisible, and then simulates manual keyboard input into them. Malware analysts note that it does use hooking, but it hooks Windows events rather than any browser-specific function. This lets the Trojan follow the victim's browsing and redirect payments on specific bank sites while evading security products that watch for process injection or for other ways of recording and modifying the browser's behaviour.

The Tangential Dangers of a Wire Transfer Swap-Around

The BackSwap Banking Trojan shows no visible UI of any kind and edits the Web pages involved in its payment hijacking so that the redirection leaves no trace on screen. Because that manipulation happens inside the browser, the confirmation page itself cannot be trusted; recipient details should be checked through an independent channel, such as the bank's mobile app or a statement. Although the threat actors change the list of targeted banks frequently, malware experts have so far identified only Polish banking institutions in this campaign. The Trojan carries custom JavaScript payloads for Internet Explorer, Firefox and Chrome.

Despite its frequent updates, the BackSwap Banking Trojan's delivery is consistent: spam e-mail carrying malicious attachments or links. The component that installs it is a version of the Nemucod downloader, and the campaign also has a (possibly indirect) historical connection to another Trojan downloader, Nymaim. Either of these can silently install additional threats. Anti-malware protection can remove BackSwap, Nemucod or Nymaim, but any victim who has lost money should also contact their bank for assistance.

The BackSwap Banking Trojan restricts itself to transactions worth roughly two to five thousand USD, which suggests its intended targets are businesses, government employees or other users with substantial funds. Underestimating the creativity of a criminal work ethic may cost Polish businesses far more than the price of paying attention to their e-mail security.
