Based in Silicon Valley, California, Security Brief is a blog by Chris Louie. His posts discuss current information security affairs.

Backswap: the Next Generation of Banking Trojans

When a reporter asked bank robber Willie Sutton why he robbed banks, he accurately stated, “Because that’s where the money is!” That quote was as true for Sutton in the 1950s as it is today for cybercriminals. The modern cybercriminal is looking to make money in any way they can with minimal effort, including but not limited to stealing and selling identities and credit card numbers, ransomware, cryptojacking, carding, premium SMS scams, business e-mail compromise, clipboard hijacking for cryptocurrency address replacement, and bank account takeover. At the end of 2017 and the beginning of 2018 there was a noticeable decline in new ransomware campaigns and a rise in cryptojacking campaigns. Ransomware suffered from the disadvantage that many users would simply forgo their data instead of paying the ransom. Cryptojacking could be monetized the instant an endpoint was infected: it was where the money was. Now that web browsers and security software are getting better at detecting and blocking cryptojacking, cybercriminals are turning back to bank account takeover.

Traditional banking trojans like Zeus, Dridex, and SpyEye declined in popularity among cybercriminals as security software and browser developers increasingly detected and blocked them. Not to be beaten, cybercriminals have escalated their efforts in the arms race against banks and security vendors. This is where Backswap, a next-generation banking trojan, comes in. The first stage of the attack is launched with a spam campaign that leads users to download a malicious file, which infects and partially overwrites a piece of legitimate software on the victim’s machine such as 7-Zip, WinRAR, or FileZilla. The malware copies itself into the Windows startup folder to obtain persistence.

Traditional banking trojans faced difficulties that demanded more time, resources, and development work. Browsers shipped in 32-bit and 64-bit versions, effectively doubling the development effort; several browsers were gaining in popularity, so separate malware was needed for IE, Edge, Chrome, Firefox, and Safari; and browsers and AV software were becoming more sophisticated at detecting and blocking process injection. Backswap instead uses simulated user input to run its malicious code, which makes it platform, version, bitness, and browser agnostic.

Using the Windows accessibility interface, the malware monitors the user’s activity in the background, watching for URL events that match known patterns. Backswap then looks for bank-specific URLs and keywords in the browser that indicate the victim is about to make a wire transfer. It then loads the malicious JavaScript for the corresponding bank from its resources and injects it into the browser. The injection occurs in the browser’s developer console or in the address bar of a new tab. JavaScript can be run natively in most browsers by entering a javascript: URL in the address bar, but for security reasons most browsers block pasting content that starts with "javascript:" into the address bar. Backswap simulates a user typing "javascript:" character by character before pasting the attack code. The process runs in an invisible tab or the developer console, so the user is unaware that anything has happened. Backswap’s developers have found ways to defeat many common countermeasures and continue to update their code in response to challenges from the security industry.

As long as there is money to be made with banking trojans, cybercriminals will continue to develop them until an easier method of monetization is discovered. The cleverness of Backswap’s evasion techniques demonstrates that process monitoring, application whitelisting, and traditional browser security are not enough on their own and are easily defeated. Old-fashioned security controls such as requiring multiple parties to approve bank transfers, imposing time delays, and requiring a human phone call to approve money transfers are all effective, though not foolproof, methods of preventing bank fraud. Utilizing a sandbox will also prevent stage one of the attack, which infects an application on the host machine. Utilizing a security proxy will also detect and block malicious JavaScript even when AV software and browser security do not catch it.
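The two controls the paragraph above singles out, a second approver for large transfers and a hold period before funds move, are the kind that still work when the browser session itself has been hijacked, because the injected script can only act as the logged-in victim. The following is an added example of how a bank or treasury application might encode those controls server-side; it is not code from the original post or from any bank's system, and the dual-control threshold, hold period, account names, and timestamps are constructed for illustration.

```python
"""Dual-control and hold-period checks for outbound transfers.

Added example (not code from the original post). Models two of the
"old fashioned" controls the article lists: a transfer at or above a
threshold needs a second, different approver, and no approved transfer is
released before a minimum delay has elapsed since it was requested.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Constructed policy values; a real institution tunes these per account.
DUAL_CONTROL_THRESHOLD = 10_000.00   # at or above this, a 2nd approver is required
HOLD_PERIOD = timedelta(hours=4)     # minimum delay between request and release


@dataclass
class Transfer:
    transfer_id: str
    initiator: str
    amount: float
    destination: str
    requested_at: datetime
    approvers: set = field(default_factory=set)
    status: str = "pending"          # pending -> approved -> released, or rejected


class ApprovalError(Exception):
    """Raised when a transfer operation violates the control policy."""


class TransferDesk:
    """In-memory approval queue that enforces dual control and the hold period."""

    def __init__(self):
        self._transfers = {}         # transfer_id -> Transfer

    def request(self, transfer_id, initiator, amount, destination, now):
        if amount <= 0:
            raise ApprovalError("amount must be positive")
        t = Transfer(transfer_id, initiator, amount, destination, now)
        # Small transfers are approved on request; large ones wait for a second person.
        if amount < DUAL_CONTROL_THRESHOLD:
            t.status = "approved"
        self._transfers[transfer_id] = t
        return t.status

    def approve(self, transfer_id, approver, now):
        t = self._transfers[transfer_id]
        if t.status != "pending":
            raise ApprovalError(f"transfer {transfer_id} is {t.status}, not pending")
        # Dual control: whoever entered the transfer cannot also approve it, so a
        # script acting inside the initiator's hijacked session cannot self-approve.
        if approver == t.initiator:
            raise ApprovalError("initiator cannot approve their own transfer")
        t.approvers.add(approver)
        t.status = "approved"
        return t.status

    def release(self, transfer_id, now):
        t = self._transfers[transfer_id]
        if t.status != "approved":
            raise ApprovalError(f"transfer {transfer_id} is {t.status}, not approved")
        # Hold period: time for the customer to notice and cancel an unintended transfer.
        elapsed = now - t.requested_at
        if elapsed < HOLD_PERIOD:
            raise ApprovalError(f"hold period not elapsed; {HOLD_PERIOD - elapsed} remaining")
        t.status = "released"
        return t.status

    def reject(self, transfer_id):
        t = self._transfers[transfer_id]
        if t.status == "released":
            raise ApprovalError("cannot reject a released transfer")
        t.status = "rejected"
        return t.status


def demo():
    """Walk one large transfer through the controls; returns the status trail."""
    desk = TransferDesk()
    t0 = datetime(2018, 6, 1, 9, 0)  # constructed timestamp
    trail = [desk.request("T1", "alice", 25_000.00, "ACME-Ltd", t0)]
    try:                              # initiator approving her own transfer is refused
        desk.approve("T1", "alice", t0 + timedelta(minutes=1))
    except ApprovalError as e:
        trail.append(f"refused: {e}")
    trail.append(desk.approve("T1", "bob", t0 + timedelta(minutes=5)))
    try:                              # release inside the hold period is refused
        desk.release("T1", t0 + timedelta(hours=1))
    except ApprovalError:
        trail.append("held")
    trail.append(desk.release("T1", t0 + HOLD_PERIOD))
    return trail


if __name__ == "__main__":
    for step in demo():
        print(step)
```

The point of keeping these checks on the server is that nothing injected into the victim's browser can change them: the second approver acts from their own session, and the hold period runs on the bank's clock, not the client's.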
