In the following analysis, we explain BackSwap’s actual fraud action and the user experience during a transaction session.
Figures 2 and 3 illustrate how legitimate elements are hidden from the user and replaced with malicious content.
As shown in Figure 4, the code is injected as an IIFE (Immediately Invoked Function Expression). This keeps its variables and functions out of the global scope, making them harder to find once the expression has been invoked.
The “mainStart” function is in charge of hiding the original 26-character IBAN along with the account owner’s name. It is executed every 50 seconds via setInterval.
The duplication of legitimate inputs begins with the “cloneNode” method, which copies a node together with its entire element hierarchy. This happens twice: first for the consignee’s IBAN, and then for the consignee’s full name and address.
A crucial step in creating the fake DOM elements is removing certain prominent attributes, such as names, from the visible cloned elements. Their IDs are changed to a random string (some samples we examined used hardcoded strings).
Together, these DOM modifications ensure that the data the victim intended to send is not what is actually submitted.
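As an added example that is not part of the original analysis, the following defender-side check looks for the cloning pattern described above: an original input that is now hidden but still carries its name, beside a visible input of the same type and class list whose name attribute was stripped and whose id was replaced. It works on a plain snapshot of a form’s inputs (the field names, the snapshot shape and the random-id heuristic are constructed for this example), so it runs under Node without a browser.

```javascript
// Browser-side helper (not run here): serialize every <input> to a plain object.
// offsetParent is null for display:none, the usual way the original is hidden.
function snapshotInputs(doc) {
  return Array.from(doc.querySelectorAll("input")).map((el) => ({
    id: el.id, name: el.getAttribute("name") || "", type: el.type,
    className: el.className, visible: el.type !== "hidden" && el.offsetParent !== null,
  }));
}

// Heuristic for the randomized ids the analysis describes: a run of mixed
// letters and digits without the separators hand-written ids usually carry.
function looksRandomId(id) {
  return /^[A-Za-z0-9]{8,}$/.test(id) && /[0-9]/.test(id) && /[A-Za-z]/.test(id);
}

// Pair each hidden, still-named original with a visible, unnamed input of the
// same type and class list: that is what cloneNode() leaves once the name is
// stripped and the id rewritten. Returns one finding per suspicious pair.
function findClonedInputs(inputs) {
  const hiddenNamed = inputs.filter((el) => !el.visible && el.name !== "");
  const visibleUnnamed = inputs.filter((el) => el.visible && el.name === "");
  const findings = [];
  for (const orig of hiddenNamed) {
    for (const clone of visibleUnnamed) {
      if (clone.type === orig.type && clone.className === orig.className) {
        findings.push({
          hiddenOriginal: orig.id,
          visibleClone: clone.id,
          randomId: looksRandomId(clone.id),
        });
      }
    }
  }
  return findings;
}

// Constructed snapshot: an untouched amount field, a hidden IBAN field whose
// visible clone lost its name and got a random id, and an ordinary hidden CSRF token.
const SAMPLE_INPUTS = [
  { id: "amount", name: "amount", type: "text", className: "form-control", visible: true },
  { id: "iban", name: "iban", type: "text", className: "form-control", visible: false },
  { id: "x7Qp93kLm2", name: "", type: "text", className: "form-control", visible: true },
  { id: "csrf", name: "csrf_token", type: "hidden", className: "", visible: false },
];

console.log(JSON.stringify(findClonedInputs(SAMPLE_INPUTS)));
```

The offsetParent test misses fields hidden with visibility:hidden or moved off-screen; a production integrity script would compare the live form against a known-good inventory of field ids and names instead of relying on heuristics alone.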
After the execution described above, BackSwap registers a listener for the “cut” and “copy” events and, through it, gains access to the ClipboardEvent.clipboardData property, an original programmatic technique.
While handling this event, BackSwap changes the tab’s title to information gathered from the malicious transaction. The format is key-value, with the key and value separated by a colon; the key is typically a short string, most often a single letter. The title includes the amount (“_kwota”), the real username ("nav-user__region-name"), and the mule account owner’s name (“myname”).
BackSwap stores the scripts for its fraud actions in the PE resource section. We gathered several old and new samples of the malware and noticed interesting cosmetic changes between them. For example, the target names have been changed; we assume this is because researchers quickly validate any published target list. Figures 7 and 8 show the resource section with the target lists visible.
In addition, the fraudster-related IBAN information is handled differently. In the older samples, the IBAN was found in plain text in the injected script.
In newer versions, the IBAN is produced by a function named ‘dede(str)’. The dede function uses a for loop to walk the string character by character, passing each character through a switch case to assemble the fraudster-related IBAN.
BackSwap’s manipulation of DOM elements, duplicating the original input fields during a legitimate user interaction with a banking website, is an original fraud method; not many malware authors choose this path. In addition, the authors appear to modify the malware continually in response to researchers’ investigations: in almost every sample we tested, we noticed new, small changes. We expect further changes, either in its behavior or in its target list.
To avoid infection, users should simply not open suspicious links or files received in an active spam campaign. BackSwap disguises itself as a legitimate running application such as 7zip or OllyDbg, applications that typical users do not commonly run.