Backswap: the Next Generation of Banking Trojans
When a reporter asked bank robber Willie Sutton why he robbed banks, he accurately stated, “Because that’s where the money is!” That quote was as true for Sutton in the 1950s as it is today for cybercriminals. The modern cybercriminal is looking to make money in any way they can with minimal effort, including, but not limited to, stealing and selling identities and credit card numbers, ransomware, cryptojacking, carding, premium SMS scams, business e-mail compromise, clipboard hijacking for cryptocurrency address replacement, and bank account takeover. At the end of 2017 and the beginning of 2018, there was a noticeable decline in new ransomware attack campaigns and a rise in cryptojacking campaigns. Ransomware campaigns suffered from the disadvantage that many users would simply forgo their data instead of paying the ransom. Cryptojacking, by contrast, could be monetized the instant an endpoint was infected: it was where the money was. Now that web browsers and security software are getting better at detecting and blocking cryptojacking, cybercriminals are returning to bank account takeover.
Traditional banking trojans like Zeus, Dridex, and SpyEye declined in popularity among cybercriminals as security software and browser developers increasingly detected and blocked them. Not to be beaten, cybercriminals have escalated their efforts in the arms race against banks and security vendors. This is where Backswap, a next-generation banking trojan, comes in. The first stage of the attack is launched with a spam campaign that leads users to download a malicious file, which infects and partially overwrites a piece of legitimate software on the victim’s machine such as 7-Zip, WinRAR, or FileZilla. The malware then copies itself into the Windows startup folder to obtain persistence.
Traditional banking trojans faced difficulties that demanded more time, resources, and development work. Browsers shipped in both 32-bit and 64-bit versions, effectively doubling the development effort; several browsers were gaining in popularity, so separate malware was needed for IE, Edge, Chrome, Firefox, and Safari; and browsers and AV software were becoming more sophisticated at detecting and blocking process injection. Backswap instead uses simulated user input to run its malicious code, which makes it platform, version, bitness, and browser agnostic.