{ "id": "cb856fe8-33a2-4e52-bc38-bea3087d924f", "created_at": "2026-04-06T00:14:58.415504Z", "updated_at": "2026-04-10T03:35:21.519956Z", "deleted_at": null, "sha1_hash": "15ae424fff7890c344f7ca53a80d521e123eea67", "title": "Backswap malware analysis", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 547131, "plain_text": "Backswap malware analysis\r\nArchived: 2026-04-05 13:01:54 UTC\r\nBackswap is a banker, which we first observed around March 2018. It’s a variant of old,\r\nwell-known malware TinBa (which stands for “tiny banker”). As the name suggests, it’s\r\nmain characteristic is small size (very often in the 10-50kB range). In the summary, we\r\npresent reasoning for assuming it’s the same malware.\r\nWe were writing about TinBa in 2015, since then, it was using various techniques:\r\nDGA for communication with C\u0026C\r\nForm grabbing to steal users credentials\r\ninjecting in different processes\r\nYou can read more about those variants here:\r\nhttps://labsblog.f-secure.com/2016/01/18/analyzing-tinba-configuration-data/\r\nhttps://www.zscaler.com/blogs/research/look-recent-tinba-banking-trojan-variant\r\nhttps://securityintelligence.com/tinba-malware-reloaded-and-attacking-banks-around-the-world/\r\nThere are multiple versions of Backswap. We are going to focus on the newer samples, and\r\ntheir commons parts for readability purposes. Malware targets mostly Polish banks,\r\nsometimes cryptocurrency wallets. It swaps the account number of the money transfer\r\nrecipient using injected JavaScript code. You can find few years old source code.\r\nFeatures:\r\ncan run from arbitrary address in the process memory\r\nresolves import table, using simple hashes of functions names\r\nswaps the contents of the clipboard, when bank/cryptocurrency account number is\r\nfound\r\ninjects WebInjects, replacing bank numbers and stealing credentials\r\nMalware recognize its attack targets using ‘*’ as a wildcard:\r\nhttps://*ingbank.pl*mojeing*transactions\r\nhttps://*ipko.pl*transactions/transfers*\r\nhttps://*mbank.pl*transfer*\r\nhttps://www.cert.pl/en/news/single/backswap-malware-analysis/\r\nPage 1 of 13\n\nhttps://*pekaobiznes24.pl/webcorpo/index_.jsp*\r\nhttps://*advcash.com*bitcoin*\r\nSometimes substring search is used:\r\n/wallet/#/login\r\nbtc-invoicing.wmtransfer.com\r\n24.pl/centrum24-web/ThirdPartyTransfer\r\nmojeing/app/#home/start\r\nipko.pl/secure/ikd3/index.html#home\r\nonline.mbank.pl/pl#\r\nMTNotPredefinedAccount.htm\r\nwex.nz/profile#funds\r\ntransactions/transfers\r\nTechnical analysis\r\nWe can retrieve many information just from reading the source code. It can be helpful for\r\nrevealing general behaviour. Unfortunately, due to large amount of varieties and the fact that\r\nthe source code is pretty old, it’s not enough to understand how the newer samples operate.\r\n1. Position Independent\r\nBackswap very often hides in another program. List of executables used for this purpose\r\ninvolve programs like 7zip, ollydbg, dbgview. For what we know, it’s not a stealth technique\r\nin a sense that it’s purpose is to not alarm the user. We assume it’s used just to misdirect the\r\nheuristics of antivirus software. Execution of Backswap starts thanks to additional entry\r\nadded to the initterm table. Table that is used for the initialization of the C++ enviroment.\r\nIn order to be executed, Backswap code is copied into different area of memory.\r\nTo make the malware work in such conditions, it must be able to run from any place in\r\nmemory, this feature is called Position Independent Code(PIC). In short, it means that all of\r\nthe offsets are calculated relatively.\r\nBackswap accomplishes that by this distinctive combination of instructions:\r\nhttps://www.cert.pl/en/news/single/backswap-malware-analysis/\r\nPage 2 of 13\n\nAbove instructions calculate the offset relative to the 0x401000 address. Then this value is\r\nadded to every jump or any instruction involving memory access.\r\nOne specific thing we faced during analysis was technique called ‘call-over-string’. The idea\r\nis to store strings inside the code and make calls over the strings. This results in a string\r\naddress pushed on the stack, while execution continues. It saves space and makes writing\r\nPosition Independent Code easier. This technique is tricky for disassemblers to get right. IDA\r\nPro is not able to automatically disassemble it correctly.\r\nIn the automatically generated IDA code, we can see that instructions following the\r\ncall are disassembled before the ones pointed by call destination. This is incorrect and\r\nhave to be adjusted manually\r\nAfter manual adjustments, we can see how the code should look like\r\nhttps://www.cert.pl/en/news/single/backswap-malware-analysis/\r\nPage 3 of 13\n\n2. Windows API\r\nDue to Backswap being Position Independent and fully self-contained, it does not know\r\nwhere Windows libraries are loaded. It does that by itself. First step in that process is to find\r\nkernel32.dll library. TIB/PEB are used to do exactly that.\r\nTIB:30h -\u003e PEB\r\nPEB+0x0c -\u003e InInitializationOrderModuleList\r\nInInitializationOrderModuleList+0x1c -\u003e InInitializationOrderModuleList:Flink\r\nInInitializationOrderModuleList:Flink+0x8 -\u003e BaseAddress\r\nRemaining libraries are loaded with function LoadLibraryA exported from the library\r\nmentioned above.\r\nBackswap loads functions from libraries by comparing simple hash of the name of the\r\nfunction with table of hashes stored inside the binary. Algorithm expressed in Python:\r\ndef tinba_hash(name):\r\nh = 0\r\nhttps://www.cert.pl/en/news/single/backswap-malware-analysis/\r\nPage 4 of 13\n\nfor c in name:\r\nh = (ord(c) + 7 * h) \u0026 0xffffffff\r\nreturn h\r\nLoaded libraries\r\nkernel32.dll\r\nshell32.dll\r\nuser32.dll\r\nOLEACC.dll\r\nntdll.dll\r\nOle32.dll\r\nOleAut32.dll\r\nwininet.dll\r\n3. Harmful activity\r\nBackswap carries out multiple harmful activities. Big ones are: injecting Webinjects and\r\nstealing credentials. Supported browsers involve Internet Explorer, Mozilla Firefox, Google\r\nChrome. Some variants also swap the contents of the clipboard when bank/cryptocurrency\r\naccount number is found.\r\nWebInjects\r\nWebInjects are injected with rather innovative method, successfuly avoiding antivirus\r\nheuristics.\r\nCode to be injected is stored inside .rsrc section of the PE file. Content is xored with a\r\nconstant value, most of the time with 0x8. It’s achieved with a series of xors instead of single\r\nxor. In the newer samples we observed different constants, and the xoring code modified a\r\nbit.\r\nhttps://www.cert.pl/en/news/single/backswap-malware-analysis/\r\nPage 5 of 13\n\nBackswap uses keyboard shortcuts for injection. Whole process looks as follows:\r\nIn case of Mozilla Firefox: disable protection from pasting code inside JavaScript\r\nconsole, it’s achieved with the following command: /V:ON /C dir /S/B/A-D\r\n“%APPDATA%\\Mozilla\\prefs.js” \u003e “%TEMP%\\edit” \u0026\u0026 SETLOCAL\r\nEnableDelayedExpansion \u0026\u0026 set /p v=\u003c“%TEMP%\\edit” \u0026\u0026 echo\r\n^user_pref(“devtools.selfxss.count”, 100); \u003e\u003e “!v!”\r\nGet WebInjects from .rsrc section\r\nInsert WebInject into clipboard. In the first frame you can see SetClipboardData.aspx)\r\nfunction, used for that purpose\r\nhttps://www.cert.pl/en/news/single/backswap-malware-analysis/\r\nPage 6 of 13\n\nHide browser window. To perform this operation, first GetWindowLong.aspx) is\r\ncalled to get GWL_EXSTYLE – extended window styles. Those are extended with\r\nattribute WS_EX_LAYERED(or eax, 80000h), and set on the window with\r\nSetWindowLong.aspx) This results in window being transparent, not visible to the\r\nuser\r\nhttps://www.cert.pl/en/news/single/backswap-malware-analysis/\r\nPage 7 of 13\n\nSend CTRL+SHIT+J keyboard combination to the browser process for Internet\r\nExplorer/Google Chrome, and CTRL+SHIFT+K for Firefox. This results in\r\ndeveloper console popping up. SendInput.aspx) is used\r\nIn a very similar fashion, malware sends CTRL+V, then ENTER\r\nhttps://www.cert.pl/en/news/single/backswap-malware-analysis/\r\nPage 8 of 13\n\nFinally, console is closed with the same keyboard shortcuts. Transparency of the\r\nwindow is turned off\r\nNewer samples changed injecting technique a bit. Steps involve:\r\nSending CTRL+L to the browser window with SendInput function\r\nhttps://www.cert.pl/en/news/single/backswap-malware-analysis/\r\nPage 9 of 13\n\nTyping javascript: string, character by character, using SendMessage with argument\r\nWM_CHAR in a loop\r\nStealing credentials\r\nSome of the samples steal credentials in a very interesting fashion. With the help of\r\nSetWinEventHook.aspx) following events are hooked:\r\nEVENT_OBJECT_FOCUS\r\nEVENT_OBJECT_SELECTION\r\nEVENT_OBJECT_SELECTIONADD\r\nEVENT_OBJECT_SELECTIONREMOVE\r\nEVENT_OBJECT_SELECTIONWITHIN\r\nEVENT_OBJECT_STATECHANGE\r\nEVENT_OBJECT_LOCATIONCHANGE\r\nEVENT_OBJECT_NAMECHANGE\r\nEVENT_OBJECT_DESCRIPTIONCHANGE\r\nEVENT_OBJECT_VALUECHANGE\r\nConfigured callback function for those events saves window title text to the log file located\r\nin %TEMP%/\u003cnazwa\u003e.log. Example names involve dero, niko, gobi, abc.\r\nhttps://www.cert.pl/en/news/single/backswap-malware-analysis/\r\nPage 10 of 13\n\nIn the same time, WebInjects put the credentials into browser window title. Background\r\nthread periodically sends log file contents to the C\u0026C server.\r\nSome of the WebInjects involved in the process are presented below.\r\nvar changetitle=function(what,data)\r\n{\r\ntry\r\n{\r\nif (document.title.indexOf(what)==-1)\r\n{\r\ndocument.title=document.title+what+data;\r\n}\r\n}catch(e){}\r\nreturn true;\r\n};\r\n[...]\r\nvar sum=document.querySelector('input[class*=\"f-amount ui-ipko-input\"]').value.replace(',','.').replace(' ','');\r\nvar bal=parseFloat(sum)*1;\r\n[...]\r\nif (bal\u003e0) {changetitle('-z:',bal);}\r\n[...]\r\nchangetitle('-n:', grabname());\r\n[...]\r\nif (login \u0026\u0026 pass) { changetitle(mtitle,'-lp:',login+'__'+pass); }\r\nhttps://www.cert.pl/en/news/single/backswap-malware-analysis/\r\nPage 11 of 13\n\nSome of the older C\u0026C used:\r\nhervormdegemeentegrootammers.nl/docs/tron.php\r\nefg-uebach-palenberg.de/web_33/includes/o.php\r\ndebasuin.nl/test/php/loop.php\r\nwww.vitamunda.nl/wp-test/ok.php\r\nmecrob.cc/bot/gate.php\r\nThose are mostly websites with legit services, which means that they have been\r\ncompromised.\r\nSamples that does not contain C\u0026C server, are using URL suggesting that authors are\r\ncounting number of infections http://counter.yadro.ru/hit?\r\nrhttp://sexy.com/;uhttp://sexy.com/;h.\r\nSummary\r\nBackswap and TinBa are very alike. They share: call $+5; pop ebx instructions for Position\r\nIndependent Code, functions for reconstructing Windows API table, storing WebInjects\r\ninside .rsrc xored with constant key, call-over-string and strings contained in the sample.\r\nChrome_WidgetWin_1\r\nMozillaWindowClass\r\nTabThumbnailWindow\r\nMain difference is in the harmful activity performed by the malware.\r\nYARA Rules\r\nrule tinba\r\n{\r\nmeta:\r\nauthor = \"psrok/des\"\r\nmodule = \"tinba\"\r\nstrings:\r\n$api_routine = { B8 07 00 00 00 F7 ?? 8B ?? 0F B6 ?? 03 ?? 47 80 ?? ?? 75 EC }\r\nhttps://www.cert.pl/en/news/single/backswap-malware-analysis/\r\nPage 12 of 13\n\n$api_loadlib = { E4 5A 57 5A }\r\n$api_getmodulehandle = { 27 D4 2B C0 }\r\n$rcxor = { 80 74 01 FF 08\r\n80 74 01 FF 07\r\n80 74 01 FF 06 }\r\n$str1 = \"RespectMyAuthority\"\r\n$str2 = \"MozillaWindowClass\"\r\n$get_urls_to_inject = { 50 FF [1-5] 8D 83 [4] FF D0 85 C0 74 [1] E8 }\r\ncondition:\r\nall of ($api*) or ( ( all of ($str*) or $get_urls_to_inject ) and $rcxor )\r\n}\r\nHashes\r\n3f86fe2c77e5f2dabda5f99ef8c41d88a732bfed2ad02933c55c49177b7565f6 - sample\r\nopening developer console\r\nd55a6993abe6ef5b3c047ed46036236caab9ad2e60774e72ce498f454c45128f -\r\nsample typing \"javascript:\" in the address bar\r\nOther analyses\r\nhttps://www.welivesecurity.com/2018/05/25/backswap-malware-empty-bank-accounts/\r\nSource: https://www.cert.pl/en/news/single/backswap-malware-analysis/\r\nhttps://www.cert.pl/en/news/single/backswap-malware-analysis/\r\nPage 13 of 13\n\nmodule strings: = \"tinba\" \n$api_routine = { B8 07 00 00 00 F7 ?? 8B ?? 0F B6 ?? 03 ?? 47 80 ?? ?? 75 EC }\n Page 12 of 13", "extraction_quality": 1, "language": "EN", "sources": [ "ETDA", "Malpedia" ], "references": [ "https://www.cert.pl/en/news/single/backswap-malware-analysis/" ], "report_names": [ "backswap-malware-analysis" ], "threat_actors": [ { "id": "2864e40a-f233-4618-ac61-b03760a41cbb", "created_at": "2023-12-01T02:02:34.272108Z", "updated_at": "2026-04-10T02:00:04.97558Z", "deleted_at": null, "main_name": "WildCard", "aliases": [], "source_name": "ETDA:WildCard", "tools": [ "RustDown", "SysJoker" ], "source_id": "ETDA", "reports": null }, { "id": "256a6a2d-e8a2-4497-b399-628a7fad4b3e", "created_at": "2023-11-30T02:00:07.299845Z", "updated_at": "2026-04-10T02:00:03.484788Z", "deleted_at": null, "main_name": "WildCard", "aliases": [], "source_name": "MISPGALAXY:WildCard", "tools": [], "source_id": "MISPGALAXY", "reports": null } ], "ts_created_at": 1775434498, "ts_updated_at": 1775792121, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/15ae424fff7890c344f7ca53a80d521e123eea67.pdf", "text": "https://archive.orkl.eu/15ae424fff7890c344f7ca53a80d521e123eea67.txt", "img": "https://archive.orkl.eu/15ae424fff7890c344f7ca53a80d521e123eea67.jpg" } }