ESET alerts on new malware that steals money through bank transfers


The research lab of ESET, a leading proactive threat detection company, recently discovered a new family of banking malware that uses a technique Innovative to manipulate the browser, causing bank transactions to be sent to the attackers ‘ accounts without the user’s suspicion.

This banking malware uses a technique that instead of using complex process injection methods to monitor the browser’s activity, intercepts specific events in the Windows message loop, so that it can inspect the values of the Windows looking for banking activities. Once the banking activity is detected, malware injects a malicious JavaScript into the Web site. All these operations are done without the user noticing.

In January 2018 the group was identified for the first time behind this banking malware by propagating its first projects; Being one of them a malware that stole Criptomonedas replacing the address of the wallets in the Clipboard. The group focused on clipboard malware for a few months, until it finally introduced the first version of banking malware.

The banker is distributed by means of malicious spam campaigns through the mail, which contain as an attachment a JavaScript downloader, strongly obfuscated, of a family commonly known as Nemucod. According to the analyses, the campaigns of spam are directed mainly against Polish users.

It is characterized by manipulating the system simulating the action of a user. The malware does not interact at any point with the browser at the processor level, therefore, does not require special privileges and cancels any strengthening of the browser by third parties; That usually focus on conventional injection methods. Another advantage for attackers is that the code does not depend on either the browser architecture or its version, and that a single code pattern works for all browsers.

Once identified, the banker implements a specific script for each bank, as each banking site is different and presents a different source code. These scripts are injected into pages where the malware identifies a bank transfer startup request, such as payment of an account. The secretly injected script replaces the recipient’s account number with a different one and when the victim decides to send the bank transfer, the money will be sent instead to the attacker. Any security measure against unauthorized payments, such as double authorization factor, will not be helpful in this case because the account owner is sending the transfer voluntarily.

ESET Security Solutions Detect and block this threat as Win32/BackSwap. A Trojan. The company has also notified the affected browsers about this innovative code-injection technique.