{
	"id": "2da58a2c-6bca-4fae-abed-074d8a0abc66",
	"created_at": "2026-04-06T00:15:16.854701Z",
	"updated_at": "2026-04-10T13:12:07.868038Z",
	"deleted_at": null,
	"sha1_hash": "171d314630505f257e686736b0ab6d1ac89447fb",
	"title": "BackSwap Banking Trojan Uses Never-Before-Seen Techniques",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 579714,
	"plain_text": "BackSwap Banking Trojan Uses Never-Before-Seen Techniques\r\nBy Catalin Cimpanu\r\nPublished: 2018-05-25 · Archived: 2026-04-05 22:41:14 UTC\r\nSecurity researchers have discovered a new banking trojan named BackSwap that uses never-before-seen techniques to\r\nfacilitate the theft of online funds.\r\nThe techniques the trojan uses have not been observed in any other malware family, and they bypass both antivirus\r\ndetection and the security protections put in place at the browser level.\r\nExperts believe these techniques will soon be copied by other groups and trigger a new wave of banking trojan attacks,\r\njust as infections with this malware type had begun to decline.\r\nhttps://www.bleepingcomputer.com/news/security/backswap-banking-trojan-uses-never-before-seen-techniques/\r\nPage 1 of 5\r\nPrevious techniques used by banking trojans\r\nUntil now, banking trojans have relied on two main tricks to steal money from victims. The first technique, now rarely\r\nused, altered the victim's local DNS and Internet settings, intercepting requests for banking-related sites and redirecting the\r\nuser through a proxy to a clone of the original banking portal, where the crooks collected login credentials and acted as a\r\nmiddleman between the user and the bank.\r\nThe second technique, currently the go-to solution for all major banking trojans such as Dridex, Ursnif, Zbot, Trickbot, Qbot,\r\nand others, relies on injecting malicious code into the browser's process.\r\nThis technique was effective in the beginning, but antivirus vendors have modified their products to watch for process\r\ninjection attempts and have become quite good at detecting these events.\r\nBrowser vendors have similarly modified their software to prevent banking trojans from easily tapping into the browser's\r\ninternal functions that allow trojans to meddle with a page's content.\r\nNowadays, process injection is more of a headache for banking trojan makers, as they have to review and\r\nmodify their injection code after every browser update because browser vendors always change something that breaks the\r\nattackers' previous code.\r\nThis constant hassle and improved AV protection are probably among the reasons why many cybercriminal groups have\r\nmoved from distributing banking trojans to other types of malware such as in-browser miners, coinminers, ransomware, and\r\nothers.\r\nBackSwap uses Windows UI-related code to detect visited sites\r\nBut in a report published today, ESET revealed it discovered the BackSwap trojan, which came with three new techniques\r\nthat are completely different from those of all previous trojans.\r\nFurthermore, these techniques bypass both AV and browser-related protections because they don't tamper with the browser\r\nprocess at all.\r\nThe first technique BackSwap deploys is used to detect when the user is accessing a banking-related\r\nwebsite. According to ESET, BackSwap uses a native Windows mechanism named the \"message loop.\"\r\nAccording to Wikipedia, \"the message loop is an obligatory section of code in every program that uses a graphical user\r\ninterface under Microsoft Windows.\" Browsers are GUI apps, meaning they also use message loops.\r\nBackSwap simply taps into the Windows message loop to search for URL-like patterns, such as \"https\" strings and other\r\nterms related to a bank's name. This detection happens outside the browser process, which is why it trips neither the\r\nAV's injection monitoring nor the browser's own protections.\r\nBackSwap abuses a browser's developer console\r\nOnce it detects the browser is accessing and loading a banking-related website, BackSwap uses one of two techniques to\r\ntamper with the loaded content. In both techniques, the trojan doesn't inject code into the browser's process but merely\r\nsimulates key presses.\r\nInitial versions of the BackSwap trojan used the following method to alter what users see inside web pages.\r\n1) The malware copies the malicious script to the clipboard.\r\n2) The malware makes the browser window invisible.\r\n3) BackSwap simulates pressing the key combination for opening the developer console (CTRL+SHIFT+J in Google\r\nChrome, CTRL+SHIFT+K in Mozilla Firefox).\r\n4) BackSwap simulates CTRL+V to paste the content of the clipboard into the browser's developer console.\r\n5) The trojan simulates an ENTER key press to execute the malicious code.\r\n6) The malicious code alters the banking portal's page to give the attacker control of what the user sees.\r\n7) The malware sends the console key combination again to close the console.\r\n8) BackSwap makes the browser window visible again.\r\nThis entire attack takes under a second to execute, and users will have a hard time noticing that something went wrong or\r\neven distinguishing it from a regular browser freeze.\r\nBackSwap abuses the \"javascript:\" protocol\r\nBut despite its simplicity, the BackSwap 
crew seems to have abandoned this first technique and moved to a new one, which\r\ninteracts with the browser's address bar.\r\n1) The malware simulates pressing CTRL+L to select the browser's address bar.\r\n2) BackSwap simulates the DELETE key to clear the URL field.\r\n3) The malware \"types\" the string \"javascript:\" into the address bar one letter at a time. The string is typed rather than\r\npasted to circumvent browser self-XSS protections: Chrome and Firefox strip a \"javascript:\" scheme from text pasted into\r\nthe address bar, but not from text that arrives as individual key presses.\r\n4) The malware pastes its malicious JavaScript code after the \"javascript:\" string.\r\n5) The malware simulates an ENTER key press to execute the code.\r\n6) The trojan clears the address bar to remove any signs of compromise.\r\nESET says BackSwap supports attacks against Google Chrome, Mozilla Firefox and Internet Explorer, but with small\r\ntweaks the techniques should work against all browsers, since all modern browsers support a developer console and\r\nthe \"javascript:\" protocol.\r\nBackSwap currently targets Polish banks only\r\nBackSwap's techniques are incredibly easy to execute and don't rely on deep knowledge of Windows internals to implement,\r\nunlike previous banking trojan attacks.\r\nWhile they're bound to spread to other banking trojan families in the near future, at the moment this trojan is not a\r\nglobal threat. Researchers say that current versions of BackSwap only support altering the web portals of five\r\nPolish banks: PKO Bank Polski, Bank Zachodni WBK S.A., mBank, ING, and Pekao.\r\nNonetheless, ESET said it notified browser vendors about BackSwap's new techniques in the hope that they'd deploy\r\ncountermeasures in upcoming browser versions and mitigate these types of attacks before they go mainstream with other\r\nmalware families.\r\n
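Detection angle on the two keystroke-simulation procedures above, as an added example that is not from the article or from ESET's report. Both variants drive the browser with synthetic key presses, and on Windows every event produced by SendInput or keybd_event reaches a low-level keyboard hook (WH_KEYBOARD_LL) with the LLKHF_INJECTED flag (0x10) set in KBDLLHOOKSTRUCT.flags, which a person on a physical keyboard never sets. The Python below assumes such a hook has already recorded the key events delivered to the foreground browser window (the hook itself is not shown; the KeyEvent record, the key names and the event trace are constructed for the example) and scans the injected events for the dev-console sequence (console shortcut, CTRL+V, ENTER, shortcut again) and the address-bar sequence (CTRL+L, DELETE, the letters of javascript: as separate key presses, CTRL+V, ENTER) completing within about a second, as the article says the real attack does.

```python
# Added example, not BackSwap's or ESET's code: scan a keyboard-event trace
# for the two BackSwap keystroke sequences. Assumption: a WH_KEYBOARD_LL hook
# (not shown) recorded each key event delivered to the browser window with
# its KBDLLHOOKSTRUCT.flags and a millisecond timestamp.
from dataclasses import dataclass

LLKHF_INJECTED = 0x10  # Windows flag: event came from SendInput/keybd_event

DEVTOOLS_SHORTCUTS = {'ctrl+shift+j', 'ctrl+shift+k', 'ctrl+shift+i', 'f12'}

# CTRL+L, DELETE, 'javascript:' one key at a time, paste, ENTER
JS_URL_PATTERN = ['ctrl+l', 'delete'] + list('javascript:') + ['ctrl+v', 'enter']


@dataclass(frozen=True)
class KeyEvent:
    t_ms: int    # timestamp in milliseconds
    key: str     # normalised key name: 'ctrl+l', 'delete', 'enter', 'ctrl+v', or one character
    flags: int   # KBDLLHOOKSTRUCT.flags


def _match(seq, start, pattern, window_ms):
    # Find pattern as an in-order subsequence of seq beginning at seq[start],
    # with every matched event within window_ms of seq[start].
    # Returns the index of the last matched event, or None.
    t0 = seq[start].t_ms
    j = start
    for want in pattern:
        while j < len(seq) and seq[j].t_ms - t0 <= window_ms and seq[j].key != want:
            j += 1
        if j >= len(seq) or seq[j].t_ms - t0 > window_ms:
            return None
        j += 1
    return j - 1


def detect_backswap_sequences(events, window_ms=1000):
    # Returns [(variant, start_ms, end_ms), ...]. Only injected events are
    # considered: a person typing the same keys produces flags without 0x10.
    injected = [e for e in sorted(events, key=lambda e: e.t_ms) if e.flags & LLKHF_INJECTED]
    findings = []
    i = 0
    while i < len(injected):
        key = injected[i].key
        variant, end = None, None
        if key in DEVTOOLS_SHORTCUTS:
            variant = 'devtools-paste'
            end = _match(injected, i, [key, 'ctrl+v', 'enter', key], window_ms)
        elif key == 'ctrl+l':
            variant = 'javascript-url'
            end = _match(injected, i, JS_URL_PATTERN, window_ms)
        if end is None:
            i += 1
        else:
            findings.append((variant, injected[i].t_ms, injected[end].t_ms))
            i = end + 1
    return findings


def sample_trace():
    # Constructed trace (not captured from an infection): a person types a URL,
    # then the two BackSwap sequences arrive as injected input, then a person
    # opens the dev console by hand.
    events, t = [], 0

    def add(key, injected=True, dt=20):
        nonlocal t
        t += dt
        events.append(KeyEvent(t, key, LLKHF_INJECTED if injected else 0))

    for ch in 'bank.example':
        add(ch, injected=False, dt=120)
    add('enter', injected=False)
    add('ctrl+shift+j', dt=3000)  # variant 1: hidden dev-console paste
    add('ctrl+v')
    add('enter')
    add('ctrl+shift+j')
    add('ctrl+l', dt=5000)        # variant 2: javascript: URL in the address bar
    add('delete')
    for ch in 'javascript:':
        add(ch)
    add('ctrl+v')
    add('enter')
    add('ctrl+l')                 # clearing the address bar afterwards
    add('delete')
    add('ctrl+shift+j', injected=False, dt=4000)  # legitimate, not injected
    return events


if __name__ == '__main__':
    for variant, start, end in detect_backswap_sequences(sample_trace()):
        print(variant, start, end)
```

Injected input is also produced by legitimate automation such as accessibility tools and password managers, so this is a hunting signal to pair with the window title or URL the hook saw at the time, not a blocking rule on its own; and a hook running at the same integrity level as the malware can be removed by it, so the recording side belongs in an EDR component rather than a user-mode helper.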
Source: https://www.bleepingcomputer.com/news/security/backswap-banking-trojan-uses-never-before-seen-techniques/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.bleepingcomputer.com/news/security/backswap-banking-trojan-uses-never-before-seen-techniques/"
	],
	"report_names": [
		"backswap-banking-trojan-uses-never-before-seen-techniques"
	],
	"threat_actors": [],
	"ts_created_at": 1775434516,
	"ts_updated_at": 1775826727,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/171d314630505f257e686736b0ab6d1ac89447fb.pdf",
		"text": "https://archive.orkl.eu/171d314630505f257e686736b0ab6d1ac89447fb.txt",
		"img": "https://archive.orkl.eu/171d314630505f257e686736b0ab6d1ac89447fb.jpg"
	}
}