Once again "Faktura elektroniczna z firmy TNT Express": the spam carried a banking Trojan targeting customers of Polish banks

Two days ago, on May 23, we reported a new spam campaign carrying a suspicious attachment in a message impersonating the courier company TNT Express. The malicious attachment turned out to be the BackSwap banking Trojan, which has since been analyzed by ESET. Threat analysts from the company's Kraków laboratory found that the Trojan alters account numbers in online transfers made by customers of five of the largest Polish banks (mBank, ING Bank Śląski, BZ WBK, PKO BP, Pekao SA).

As already mentioned, the threat is distributed in a fake message carrying a supposed invoice:

[Image: BackSwap banking Trojan spam message]

The banking Trojan works by constantly monitoring the user's behavior in the web browser. When BackSwap detects that the victim has opened a bank's website, it checks whether the site is on the list of targets defined by the cybercriminals. If it is, it injects a malicious script (either through the browser's console or directly through the address bar visible in the browser window). When the bank's customer makes a transfer for an amount greater than PLN 10,000, the script silently changes the account number and the money goes straight to the cybercriminal.

- comments Paweł Śmierciak from ESET.

Initially, BackSwap resembled another banking Trojan that CERT Polska described in April. The author or authors of the Trojan had earlier experimented with stealing cryptocurrency wallets, then moved on to bank accounts, steadily refining the technique for stealing money. The most recently added function checks the transfer amount: the Trojan intervenes only if the transfer is for at least PLN 10,000.

[Image: BackSwap banking Trojan analysis]

BackSwap banking Trojan: How to protect your finances?

First of all, we recommend caution when opening suspicious attachments. If you use ESET antivirus software, we have prepared a guide that, in a few steps, lets you increase the protection of your computers: not all of ESET's important protection features are enabled by default, so we encourage you to read that article.

Other users should run ESET's online antivirus scanner. The threat has already been added to the vendor's signature database, and a quick scan has never hurt anyone.

SHA-1 checksums of several Trojan samples, with ESET's detection names:

9BC4C1D5403DDD90712CE87225490A21D1EDC516 JS/Nemucod.EAN trojan
CF5A74C268661501156663F74CD5E20603B0F261 Win32/BackSwap.A trojan
6251F9AD0E5F551AC4A6B918EF366E86C4CCFDC4 Win32/BackSwap.A trojan
2DC9760A7C6E9D261C73EFB7B2604840734BC058 Win32/BackSwap.A trojan
A68901D0D8C1247FF280F9453E3AE45687C57566 Win32/BackSwap.A trojan (JavaScript)


We use Google Cloud Translation and Gengo API’s to translate articles with exception of our comparative tests.