Connect with us

Hi, what are you looking for?


Malware & Threats

BackSwap Trojan Uses New Browser Monitoring and Injection Techniques

A newly discovered banking Trojan uses innovative techniques to detect when a bank’s website is accessed and to inject malicious code into targeted pages, ESET warns.

A newly discovered banking Trojan uses innovative techniques to detect when a bank’s website is accessed and to inject malicious code into targeted pages, ESET warns.

Dubbed BackSwap, the malware no longer relies on complex process injection methods to keep track of browsing activity, but hooks key window message loop events instead.

“This is a seemingly simple trick that nevertheless defeats advanced browser protection mechanisms against complex attacks,” the security firm explains.

ESET has been tracking the actor behind this Trojan since January 2018, when they were employing clipboard malware. The hackers started using BackSwap only in March but focused heavily on its development, releasing new versions almost daily.

To distribute the malware, the actor uses malicious emails carrying a heavily obfuscated JavaScript downloader known as Nemucod. Mainly targeting Polish users, BackSwap was often found on machines also infected with Nymaim, but a strong connection between the two malware families is yet unclear.

BackSwap is delivered as modified versions of legitimate apps, with the malicious code being launched during initialization and the original code never used again, meaning that the application doesn’t work at all (as would be the case with Trojanized software).

This shows a focus on increasing stealth instead of tricking the user into believing they are running the legitimate app and also makes the malware more difficult to spot. The Trojan immediately copies itself into the startup folder to ensure persistence, and then proceeds with its nefarious functionality.

Advertisement. Scroll to continue reading.

Unlike typical banking malware that injects itself into the browser’s process address space, then hooks browser-specific functions to start modifying traffic, BackSwap only works with Windows GUI elements and simulates user input.

The malware installs event hooks for a specific range of events to monitor the visited URL. It then looks for bank-specific URLs and window titles in the browser to determine when the victim is getting ready to make a wire transfer. Finally, it loads the malicious JavaScript appropriate for the corresponding bank from its resources and injects it into the browser.

Older variants injected the malicious script into the clipboard, simulate opening the developer’s console to pasting the clipboard content there, execute the content of the console, and then close the console. Now, the script is executed directly from the address bar, via JavaScript protocol URLs.

The malware can target Chrome, Firefox, and Internet Explorer (in most recent versions), but the method should work on most browsers today, as long as they have a JavaScript console available or support execution of JavaScript from the address bar, ESET reveals.

A specific script is used for each targeted bank and injected into pages the malware identifies as initiating a wire transfer request. The script replaces the recipient’s bank account number with a different one, which results in money being sent to the attacker’s account instead.

“Any safeguards against unauthorized payment, such as 2-factor authorization, won’t help in this case, as the account owner is willingly sending the wire transfer,” ESET explains.

BackSwap has targeted five Polish banks in the past (PKO Bank Polski, Bank Zachodni WBK S.A., mBank, ING and Pekao), but recent variants only target three (PKO BP, mBank and ING).

Older versions relied on command and control (C&C) servers hosted on hacked WordPress websites to retrieve the fraudulent bank account numbers, but recent variants store these account numbers directly in the malicious scripts (the account numbers change often, the researchers say).

The Trojan only steals money if the wire transfer amount is in the 10,000 – 20,000 PLN range (around $2,800 – $5,600) USD.

Related: Hackers Steal ‘$15.3 Million’ From Mexico Financial System

Related: Millions Stolen From Russian, Indian Banks in SWIFT Attacks

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...


No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.

Malware & Threats

Threat actors are increasingly abusing Microsoft OneNote documents to deliver malware in both targeted and spray-and-pray campaigns.

Malware & Threats

Unpatched and unprotected VMware ESXi servers worldwide have been targeted in a ransomware attack exploiting a vulnerability patched in 2021.

Malware & Threats

A vulnerability affecting IBM’s Aspera Faspex file transfer solution, tracked as CVE-2022-47986, has been exploited in attacks.


The recent ransomware attack targeting Rackspace was conducted by a cybercrime group named Play using a new exploitation method, the cloud company revealed this...

Application Security

Virtualization technology giant VMware on Tuesday shipped urgent updates to fix a trio of security problems in multiple software products, including a virtual machine...