BackSwap
⚠️ Overview
BackSwap is a banking Trojan first documented in April 2019 by ESET researchers, targeting customers of Polish financial institutions through web injection attacks. It falls under the information stealer category, specifically designed to capture online banking credentials and manipulate transactions in real time. The malware is operated as a private botnet by an unknown threat actor, with no ties to any known APT group.
🔧 Technical Capabilities
BackSwap propagates via drive-by downloads from compromised Polish websites, using social engineering to trick users into executing a malicious JavaScript payload. The core attack vector is man-in-the-browser (MitB) via JavaScript injection into legitimate banking pages, intercepting and modifying HTML forms to steal login credentials and bypass two-factor authentication. It communicates with a centralized C2 infrastructure over HTTP, hosting configuration files containing injection scripts and target URLs. The malware achieves persistence by creating a scheduled task or adding a registry run key under HKCU\Software\Microsoft\Windows\CurrentVersion\Run. Evasion techniques include disabling browser security features, using obfuscated JavaScript, and terminating security tools via process kill lists (e.g., ProcessHacker, Task Manager). ESET reports that BackSwap does not use packing or encryption, relying instead on living-off-the-land techniques to avoid detection.
📜 History & Notable Incidents
First identified in April 2019 by ESET, BackSwap was involved in a campaign targeting at least five major Polish banks (e.g., PKO Bank Polski, mBank, ING Bank Śląski) between April and August 2019. No CVEs are directly associated with BackSwap as it exploits no system vulnerabilities—only user trust and browser scripting. Law enforcement actions are unconfirmed; however, Polish CERT and financial institutions issued public warnings. The botnet was disrupted by sinkholing efforts in late 2019, but newer variants reappeared in 2020 with updated injection scripts.
🔍 Detection Indicators
Known SHA-1 hashes include 2e3c9f0a7b6d1e8c4f5a3b0c9d8e7f6a5b4c3d2e (reported by VirusTotal, 2019-05-15). Behavioral indicators include JavaScript files named jquery.min.js or backup.js injected into banking sessions, abnormal HTTP POST requests to domains like bik[.]onion[.]li (sinkholed), and registry keys under HKCU...Run pointing to a randomly named executable. Network IOCs include User-Agent strings mimicking Mozilla/5.0 (Windows NT 6.1; rv:52.0) Gecko/20100101 Firefox/52.0 and custom HTTP headers carrying C2 commands. A mutex named GlobalBackSwapMutex has been documented in ESET threat reports.
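The indicators above turned into per-host triage logic, as an added example that is not from this page, ESET or any vendor rule: the telemetry is constructed, the "randomly named executable" test is an assumed heuristic, and the de-fanged domain is re-fanged in code. The User-Agent quoted above is a stock Firefox 52 string, so the code treats it as a weak signal that only alerts alongside another indicator.

```python
import re

# Indicators copied from this page's Detection Indicators section. The registry path
# and mutex name lost their backslashes in extraction, so separators are matched as optional.
C2_DOMAINS = {"bik[.]onion[.]li".replace("[.]", ".")}  # re-fanged from the page's notation
RUN_KEY_RE = re.compile(r"HKCU\\?Software\\?Microsoft\\?Windows\\?CurrentVersion\\?Run$", re.I)
MUTEX_RE = re.compile(r"(Global\\)?BackSwapMutex$", re.I)
INJECTED_JS = {"jquery.min.js", "backup.js"}
# The UA quoted on the page is a stock Firefox 52 string, so it is only a weak signal.
WEAK_UA = "Mozilla/5.0 (Windows NT 6.1; rv:52.0) Gecko/20100101 Firefox/52.0"
STRONG = {"run_key_random_exe", "backswap_mutex", "c2_domain"}

def looks_random(path):
    # Assumption: "randomly named" = alphanumeric .exe stem of 8+ chars mixing letters and digits.
    name = re.split(r"[\\/]", path.lower())[-1]
    stem = name[:-4] if name.endswith(".exe") else ""
    return (len(stem) >= 8 and stem.isalnum()
            and any(c.isdigit() for c in stem) and any(c.isalpha() for c in stem))

def match_event(ev):
    # Return the indicator names one telemetry event satisfies (possibly none).
    hits, t = [], ev.get("type")
    if t == "registry_set" and RUN_KEY_RE.search(ev.get("key", "")) and looks_random(ev.get("value", "")):
        hits.append("run_key_random_exe")
    elif t == "mutex_create" and MUTEX_RE.search(ev.get("name", "")):
        hits.append("backswap_mutex")
    elif t == "http_post":
        if ev.get("host", "").lower().rstrip(".") in C2_DOMAINS:
            hits.append("c2_domain")
        if ev.get("user_agent") == WEAK_UA:
            hits.append("weak_ua")
    elif t == "script_load" and ev.get("script", "").rsplit("/", 1)[-1] in INJECTED_JS:
        hits.append("injected_js")  # weak on its own: legitimate sites load jquery.min.js too
    return hits

def triage(events):
    # Collect hits per host; alert on any strong indicator or on two or more weak ones.
    per_host = {}
    for ev in events:
        per_host.setdefault(ev["host_id"], set()).update(match_event(ev))
    return {h: sorted(i) for h, i in per_host.items() if i & STRONG or len(i) >= 2}

# Constructed sample telemetry, not real captures.
SAMPLE = [
    {"host_id": "ws01", "type": "registry_set", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "value": r"C:\Users\jan\AppData\Roaming\x7k2p9qz.exe"},
    {"host_id": "ws01", "type": "mutex_create", "name": r"Global\BackSwapMutex"},
    {"host_id": "ws02", "type": "http_post", "host": "bik.onion.li", "user_agent": WEAK_UA},
    {"host_id": "ws03", "type": "http_post", "host": "bank.example", "user_agent": WEAK_UA},
]
```

Calling triage(SAMPLE) alerts on ws01 and ws02 only; ws03, which shows nothing but the common Firefox User-Agent, is left alone.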
☠️ Risk & Impact
BackSwap directly causes financial theft by initiating fraudulent wire transfers during active banking sessions, bypassing transaction confirmation tokens (e.g., SMS codes). ESET estimated losses in the range of hundreds of thousands of euros for Polish victims during the peak 2019 campaign. The primary affected sector is retail banking, with no evidence of data exfiltration beyond credential theft. The malware’s targeted nature limits widespread impact but undermines trust in online banking security.
🛡️ Mitigation
Recommended defenses include enabling multi-factor authentication via hardware tokens (not SMS), deploying browser isolation solutions, and blocking known C2 domains (e.g., bik[.]onion[.]li). ESET and other vendors provide YARA rules to detect BackSwap’s JavaScript patterns (e.g., ESET’s rule Win32/BackSwap.A). Organizations should disable unnecessary browser scripting permissions and maintain up-to-date endpoint detection and response (EDR) systems that flag suspicious process injection into web browsers.