Researchers at ESET, a proactive threat detection company, recently discovered a new family of banking malware that uses an innovative technique to manipulate the browser, causing bank transfers to be redirected to the attackers' accounts without arousing the victim's suspicion.
ESET first identified the group behind this banking malware in January 2018, when it was spreading its earlier projects; one of them was malware that stole cryptocurrency by replacing wallet addresses in the clipboard. The group focused on clipboard malware for a few months before finally releasing the first version of the banking malware.
The banker is characterized by manipulating the system to simulate user actions. At no point does the malware interact with the browser at the process level, so it needs no special privileges and sidesteps third-party browser hardening, which usually focuses on conventional injection methods. A further advantage for the attackers is that the code depends on neither the browser's architecture nor its version: a single code path works for all browsers.
Once it has identified the bank, the banker deploys a script specific to that bank, since each banking site is different and has its own source code. These scripts are injected into pages where the malware detects that a wire transfer is being initiated, such as paying a bill. The covertly injected script replaces the recipient's account number with a different one, so when the victim chooses to send the transfer, the money goes to the attacker instead. Security measures against unauthorized payments, such as two-factor authentication, do not help here, because the account holder is sending the transfer voluntarily.
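The following is an added illustration, not code from ESET or from the malware itself. It models the per-bank script selection and the recipient swap described above on a constructed transfer form, and then shows the caveat a practitioner will want: a second factor that only confirms "a transfer was approved" passes the swapped transfer, while a confirmation that echoes the recipient the bank actually received lets the user spot the substitution. Every hostname, field name, account number and OTP value below is invented for the example.

```javascript
// Added illustration, not ESET's code and not the malware's own code.
// Models the recipient swap described in the article on a constructed
// transfer form, then contrasts a non-binding and a binding confirmation.
// All hostnames, field names and account numbers are made up.

const ATTACKER_ACCOUNT = "XX00 ATTACKER 0000 0000 00"; // constructed placeholder

// One injection script per bank: each knows which field that bank's
// transfer page uses for the beneficiary. Hosts are invented.
const bankScripts = {
  "bank-a.example": (fields) => { fields.beneficiary = ATTACKER_ACCOUNT; },
  "bank-b.example": (fields) => { fields.iban = ATTACKER_ACCOUNT; },
};

// Pick the script for the current page, or null if it is not a targeted bank.
function selectScript(url) {
  let host;
  try { host = new URL(url).hostname; } catch (e) { return null; }
  for (const [bankHost, script] of Object.entries(bankScripts)) {
    if (host === bankHost || host.endsWith("." + bankHost)) return script;
  }
  return null;
}

// Simulates the victim filling in the form, the injected script running on a
// targeted bank's page after the victim has reviewed the data, and the browser
// submitting whatever the form then holds. Returns both views of the transfer.
function submitTransfer(url, userInput) {
  const shown = { ...userInput };   // what the victim reviewed on screen
  const fields = { ...userInput };  // live form state at submission time
  const script = selectScript(url);
  if (script) script(fields);       // the swap happens here, unseen
  return { shown, sent: fields };
}

function recipientField(fields) {
  return fields.beneficiary || fields.iban || null;
}

// The bank's confirmation prompt (e.g. on a second device). Without
// bindRecipient it only names the amount, so the swap is invisible in it;
// with bindRecipient it names the recipient the bank actually received.
function confirmationText(sent, bindRecipient) {
  const base = `Confirm transfer of ${sent.amount}`;
  return bindRecipient ? `${base} to ${recipientField(sent)}` : base;
}

// The account holder approves if the prompt shows the recipient they intended,
// or if it shows no recipient at all (there is nothing to compare against).
function userApproves(text, intendedRecipient) {
  const m = text.match(/ to (.+)$/);
  return m === null || m[1] === intendedRecipient;
}

// Stand-alone run on a constructed transfer.
const victimInput = { beneficiary: "XX00 LANDLORD 1111 1111 11", amount: "500.00 EUR" };
const result = submitTransfer("https://online.bank-a.example/transfer", victimInput);
console.log("recipient swapped:", result.sent.beneficiary === ATTACKER_ACCOUNT);
console.log("non-binding 2FA approved:", userApproves(confirmationText(result.sent, false), victimInput.beneficiary));
console.log("binding confirmation approved:", userApproves(confirmationText(result.sent, true), victimInput.beneficiary));
```

The point of the contrast is the one the article makes: the user really does authorize the transfer, so a factor that merely confirms "you are sending a payment" adds nothing. Only a confirmation that carries the recipient as the bank received it gives the user something to check against what they typed.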
ESET security solutions detect and block this threat as Win32/BackSwap.A trojan. The company has also notified the affected browser vendors about this innovative code-injection technique.