In the following analysis, we explain BackSwap’s actual fraud action and the user experience during a transaction session.
Figure 1: Fake input fields hidden from users
Figures 2 and 3 illustrate how legitimate elements are hidden from the user by with malicious content.
Figure 2: BackSwap hiding legitimate elements with malicious content
Figure 3. BackSwap revealing hidden input fields
As shown in Figure 4, the code is injected in the format of IIFE, “Immediately Invoked Function Expression.” This has the advantage of staying out of global scope, hence making it harder to find its variables and functions after its invocation.
The “mainStart” function is in charge of hiding the original 26-character IBAN with the account owner’s name. It’s executed every 50 seconds with a setInterval.
The process of duplicating legitimate inputs begins with the method “cloneNode” that copies the nodes to be cloned with the entire element hierarchy. This process happens twice; the first time for the IBAN of the consignee, and the second time for the full name and address of the consignee.
Figure 5. BackSwap mainStart function
An important and crucial part of creating the fake DOM elements involves removing some eminent attributes, such as names, from the visible cloned fake elements. Those elements’ IDs are modified to a random string (some samples we examined had hardcoded strings).
Eventually, all these DOM modifications guarantee that the original data intended to be sent by the victim is not sent.
Figure 6. BackSwap fake elements modifications
Figure 7. “Cut” or “copy” events with document.execCommand
After the execution mention above, via a listener of “cut” and “copy”, BackSwap has access to ClipboardEvent.clipboardData property via this original programmatic technique.
Figure 8. BackSwap clipboard manipulation and example of what the user sees
While accessing this property, BackSwap’s authors change the tab’s title with information gathered from this malicious transaction. The format is a type of key-value that is typically a short string and most often, just one letter. The key and value are separated by a colon. It includes the amount (“_kwota”), the real username ("nav-user__region-name"), and the mule owner’s name (“myname”).
Figure 9. BackSwap Tab Title change
Resource and Script Changes
BackSwap maintains its fraud actions in the PE resource section. We gathered several old and new samples of the malware and noticed interesting cosmetic changes between them. For example, the target names have been changed. We assume this might be because of the immediate validation of a target list by researchers. Figures 7 and 8 show the resource section with visible target lists.
Figure 10. Older version of BackSwap showing resource section with visible target list
Figure 11. BackSwap resource section with un-meaningful target list names
In addition, fraudster-related IBAN information is handled differently. In the older samples, the IBAN was found in plain text in the injected script.
Figure 12. IBAN handling in BackSwap old version: IBAN is shown in clear text
In newer versions, the IBAN is passed through a switch case function.
Figure 13. IBAN handling in BackSwap new version: IBAN is hidden
Fraudster IBAN handling is passed through a function named ‘dede(str)’. In return, the dede function utilizes a For loop, which passes the string content into chars, dealing with them separately on a switch case to create the fraudster-related IBAN.
Figure 14. BackSwap switch case function
BackSwap’s manipulation of the DOM elements by duplicating the original input fields during a legitimate user interaction with a banking website is an original fraud method. Not many malware authors choose this path of originality. In addition, the authors appear to be continually modifying the malware in response to researchers’ investigations of the malware. In almost every sample we tested, we noticed new, small changes. We expect future changes in the malware, either in its behavior or its target list.
To avoid being infected by this malware, users should simply not open suspicious links or files received by an active spam campaign. BackSwap hides as a legitimate running application such as 7zip or OllyDbg, which are applications not commonly run by typical users.
Working at F5 for 5 years, Doron handles and analyzes cyber threat investigations for most of the major banking malware families in recent years. Doron holds a Bachelor of Science focused in Computer Science.