New Banking Trojan: Tiny Tinba’s Distant Cousin BackSwap Goes After Spanish Banks


Ted McKendall

Backswap, a new banking Trojan that’s using novel techniques to facilitate the theft of online funds, is hitting both Spanish and Polish banks.

BackSwap is a relatively new banking Trojan that was first identified in March 2018 by Eset, before being analyzed by CERT Polska. Though relatively new and offering a handful of new features, it actually borrows code from Tiny Tinba, the microscopic (typically 10-50kb) malware that has been targeting European banks since 2015.

It’s unknown at this stage who is behind the malware, although the security community believes this to be the work of a criminal gang that owns the code outright, rather than an entity looking to distribute it on the dark web for wide commercial reuse.

The most interesting thing about the Trojan is its new techniques, which allow it to bypass AV software detection and other security protections at the browser level, and which enabled it to target a number of high-profile Polish banks earlier this year. Now, however, security researchers at IBM X-Force say that it is being used against six major banks in Spain.


A New Technique, in an Old Game

As the X-Force researchers say, in some respects BackSwap is “no more sophisticated” than any other active banking Trojan. But there are some areas where it stands out, notably its web injection mechanism. Instead of ‘hooking’ browser functions, and then creating different versions for each architecture, BackSwap injects JavaScript code directly into the web address bar.

By effectively mimicking a user’s input into the address bar, Backswap can execute using Javascript protocol URLs – which means it evades both the browser’s and the bank’s traditional security protection tools. Then, like many other Trojans, it changes what the user sees on the page being rendered (vs. what the bank’s web application sent) in a classic man-in-the-browser style attack.

The likely fraud attack is relatively simple; the malware’s scripts wait for the user to go to a page where a transaction is to take place. When the victim initiates activity that may be interesting to an attacker — like adding a new payee or starting a transfer — the malware replaces the destination account with a mule account number. (Mule accounts are just alternate accounts, but in this context they are accounts set up to be used for nefarious purposes.) 

BackSwap’s means of distribution are also pretty run of the mill. Most often, it’s delivered to users via phishing emails, with the Trojan concealed as an attachment of a productivity file, like a Microsoft Word document. In its original research, ESET said that the attachment would contain a “heavily obfuscated” JavaScript downloader from a malware family known as Nemucod.


How Do Banks Protect Unmanaged End Users?

The research team that discovered this malware says the techniques used here classify it as an original fraud method, and as such the research community can expect the criminal gang to be continually modifying the malware in response to researchers’ investigation of the malware. This conclusion is drawn from tiny changes found in each sample of the malware suggesting that is it being adapted, which might mean changes in its behavior or who it targets.

For banking customers, it is advised that you take extreme caution when opening email attachments as this is the most common delivery method for the malware. If you do not know or trust the source, the safest course of action is always to verify the validity before opening any attachment.

Banks with progressive anti-fraud programs are rethinking how they protect their customers (andt themselves) from digital fraud. The tide is turning to approaches that take the fight away from the user device and onto a battleground where banks have the advantage – focusing on ensuring the integrity of each transaction. It is not possible to stop all online customers from being infected with malware, but if the transaction session can be protected, the fraudulent activity can be prevented. For unmanaged endpoints, banks should focus on stopping what the malware is trying to do, rather than the futile endeavor of eradicating the malware from all customer devices.

Trusted Knight’s Protector Air does precisely that – it’s a cloud-based solution that is invisible to the end users and stops transactional fraud by ensuring the integrity of every transaction. Click the links below to find how we can help you eradicate banking trojans as an issue once and for all.

Request a Free Trial Download Whitepaper Now