Skip to content
July 18, 2026
  • Linkedin
  • Twitter
  • Facebook
  • Youtube

Daily CyberSecurity

Zero-hour alerts. Unmatched analysis.

Primary Menu
  • Home
  • CVE Data
    • CVE Watchtower
    • Top Exploited CVEs
    • CVE Stats by Vendor
    • Q2 2026 Report
  • Cyber Criminals
  • Data Leak
  • Linux
  • Malware
  • Vulnerability
  • Submit Press Release
  • Weekly Recap
Light/Dark Button
  • Home
  • News
  • Malware
  • BackSwap Bank Trojan uses three new technologies to empty bank accounts
  • Malware

BackSwap Bank Trojan uses three new technologies to empty bank accounts

Do Son May 30, 2018 4 minutes read
Add Daily CyberSecurity as a preferred source on Google

ESET’s security experts recently discovered a new type of banking Trojan, BackSwap Bank Trojan, which uses three new technologies to steal funds from bank customers. Technology has never appeared on previous bank Trojans.

Generally speaking, bank Trojans will steal money from bank customers by adopting two main techniques: The first technique relies on changing local by intercepting requests related to bank websites and redirecting users to “clone sites” through proxies. DNS and Internet options settings where the attacker collects login credentials and acts as a middleman between the user and the bank; the second technique relies on injecting malicious code into the web page through the browser’s JavaScript console or directly when the user accesses the bank account Inject malicious code into the address bar.

Security experts said that the former technology has rarely been adopted, and the latter technology is currently the mainstream technology used by many popular banking Trojans, including Dridex, Ursnif, Zbot, Trickbot, and Qbot.

Although this technology has been popular with cybercriminals since its appearance, it has been very effective. However, after years of development, antivirus software vendors have modified their applications to scan for process injection attempts and have been able to detect these events well.

On the other hand, browser vendors have also made similar changes to their products to prevent bank Trojans from easily being able to eavesdrop on browser internal functions, which often allow Trojans to be inserted into the page content.

Nowadays, process injection technology is even more of a headache for the bank Trojan developers, because they must check and modify the injected code after each browser update. This is because the constant modification of the browser vendors can always make some of their previously written Malicious code becomes meaningless.

ESET revealed it discovered the BackSwap trojan, which came with three new techniques that are completely different from all previous trojans.

The first technology implemented by BackSwap allows Trojan horse programs to detect when users access online banking services. Malicious code uses a native Windows mechanism called “message loop.” Using this mechanism, an attacker can monitor the website that the user is currently visiting through a browser.

Security experts point out that the current version of BackSwap can be used for most popular browsers, such as Google Chrome, Mozilla Firefox, and Internet Explorer.

Once it detects that the browser is accessing and loading a bank-related website, BackSwap uses one of the following two techniques to tamper with the loaded content. For both technologies, the Trojan horse does not inject malicious code into the browser’s process but simulates keystrokes to execute JavaScript injections appropriate to the bank.

In the initial release (that is, the second technique), BackSwap inserts a malicious script into the clipboard and simulates pressing the key combination for opening the browser developer tool (CTRL + SHIFT + J in Google Chrome, Mozilla Firefox CTRL + SHIFT + K) and then simulate pressing CTRL + V to paste the contents of the clipboard into the browser developer tools and simulate pressing ENTER to execute this content (ie malicious script). Finally, BackSwap simulates pressing the key combination again to close the developer tools.

In the latest version (ie, the third technology), this technology has changed. BackSwap no longer interacts with the browser developer tools but instead executes malicious scripts directly from the browser address bar via the JavaScript protocol. It simulates pressing Ctrl + L to select the address bar, then simulates pressing DELETE to clear the URL field, by calling SendMessageA in the loop, typing “types” in “javascript:”, and impersonating the malicious script by pressing CTRL + V The code is pasted after the “javascript:” string. Finally, execute the script by simulating ENTER. At the end of this process, the address bar will be cleared to eliminate any signs of intrusion.

Security experts believe that the three new technologies used by BackSwap are easy to implement and very effective. They are likely to be adopted by other malicious software within a short period of time. The good news is that BackSwap currently only supports the alteration of the portals of five Polish banks – PKO Bank Polski, Bank Zachodni WBK SA, mBank, ING and Pekao.

Although BackSwap does not currently pose a global threat, ESET has stated that it has informed all major browser vendors about the three new technologies and hopes that they will adopt a targeted strategy in the launch of the new version. When these technologies are used by other malicious software, the damage caused by such attacks is mitigated.

 

Related coverage

  • Virtual Hard Drives: The New Bypass for Secure Email Gateways and Antivirus Scanners
  • Streaming Fraud: “Massiv” Android Trojan Uses Fake IPTV Apps for Complete Device Takeover
  • Security Alert: AsyncRAT Malware Evades Detection with Null-AMSI
  • PostgreSQL Servers Hacked: 1,500+ Cloud Systems Mining Crypto via CPU_HU
  • ScreenConnect AsyncRAT Campaign Hides Inside Fake Freeware
Track all actively exploited CVEs →

Support Our Threat Intelligence

If you find our CVE report and cybersecurity news helpful, consider supporting our work.

Buy Me a Coffee Logo Buy Me a Coffee PayPal
Crypto QR Code
USDT (TRC20):
TN8BdV8cp4T1Cd28gK9qTAnZknzzuwyUtm
USDT (ERC20):
0x3725e1a7d3bc5765499fa6aaafe307fabcd75bce

Share this article:

Facebook Post LinkedIn Telegram
Written by
@DdoS · Security Researcher

Do Son

Do Son is the Founder and Editor of SecurityOnline.info. Working in cybersecurity since 2013, he reports on vulnerabilities, malware, and emerging threats, providing timely analysis to help organizations and individuals stay ahead of evolving risks.

Tags: BackSwap Bank Trojan

Search

Translation

CVE WATCHTOWER
🚨

Receive alerts for vulnerabilities being exploited in the wild.

⚡

Get notified instantly when a Proof of Concept (PoC) exploit is published.

🔍

Access critical info on vulnerabilities even when marked as "RESERVED".

🧠

Insights powered by decades of expertise and global intelligence sources.

🎯

Customize alerts with up to 10 keywords for your specific tech stack.

📊

Export the raw CVE database for SIEM integration and reporting.

Upgrade Package

🚨 Active Exploits in the Wild

  • CVE-2026-6875CVSS 9.5
    ServiceNow has addressed a remote code execution vulnerability that was identified in the ServiceNow AI platform. This vulnerability...
    Admin intel📅 Updated: Jul 18, 2026
  • CVE-2026-39808CVSS 9.8
    A improper neutralization of special elements used in an os command ('os command injection') vulnerability in Fortinet FortiSandbox...
    CISA KEV📅 Added to KEV: Jul 16, 2026
  • CVE-2026-25089CVSS 9.8
    A improper neutralization of special elements used in an os command ('os command injection') vulnerability in Fortinet FortiSandbox...
    CISA KEV📅 Added to KEV: Jul 16, 2026
  • CVE-2026-58644CVSS 9.8
    Deserialization of untrusted data in Microsoft Office SharePoint allows an unauthorized attacker to execute code over a network.
    CISA KEV📅 Added to KEV: Jul 16, 2026
  • CVE-2023-4346CVSS 7.5
    KNX devices that use KNX Connection Authorization and support Option 1 are, depending on the implementation, vulnerable to...
    CISA KEV📅 Added to KEV: Jul 15, 2026
  • CVE-2026-53362
    In the Linux kernel, the following vulnerability has been resolved: ipv6: account for fraggap on the paged allocation...
    Admin intel📅 Updated: Jul 14, 2026
  • CVE-2026-46242CVSS 7.8
    In the Linux kernel, the following vulnerability has been resolved: eventpoll: fix ep_remove struct eventpoll / struct file...
    Admin intel📅 Updated: Jul 14, 2026
  • CVE-2026-56155CVSS 7.8
    Insufficient granularity of access control in Active Directory Federation Services (AD FS) allows an authorized attacker to elevate...
    CISA KEV📅 Added to KEV: Jul 14, 2026
Powered by CVE Watchtower

🔴 Live Critical Threats

  • CVE-2026-16117CVSS 10.0
    Impact: @fastify/http-proxy versions up to and including 11.5.0 fail to rewrite the...
  • CVE-2026-47865CVSS 9.8
    VMware Avi Load Balancer contains an authentication bypass vulnerability. A malicious user...
  • CVE-2026-55518CVSS 9.6
    Avo is a framework to create admin panels for Ruby on Rails...
  • CVE-2026-54159CVSS 10.0
    PrestaShop ps_facetedsearch is a module that adds layered navigation filters. From 3.0.0...
  • CVE-2026-48062CVSS 9.8
    CodeIgniter is a PHP full-stack web framework. Prior to 4.7.3, the ext_in...
  • CVE-2026-13446CVSS 9.8
    IBM Langflow OSS 1.0.0 through 1.10.1 contains hard-coded credentials, such as a password...
  • CVE-2026-8859CVSS 9.9
    IBM Langflow OSS 1.0.0 through 1.10.0 Langflow could allow an attacker to...
  • CVE-2026-8635CVSS 9.9
    IBM Langflow OSS 1.0.0 through 1.10.0 allows authenticated users to escalate privileges...
  • CVE-2026-8505CVSS 9.8
    IBM Langflow OSS 1.0.0 through 1.10.0 has a vulnerability in Langflow's webhook...
  • CVE-2026-8476CVSS 9.9
    IBM Langflow OSS 1.0.0 through 1.10.0 contain a critical remote code execution...
Powered by CVE WATCHTOWER

Our Websites
  • Penetration Testing Tools
  • The Daily Information Technology
  • Top Exploited CVEs
  • Daily CyberSecurity

    • About SecurityOnline.info
    • Advertise with us
    • Announcement
    • Contact
    • Contributor Register
    • Login
    • Disclaimer
    • DCMA
    • Privacy Policy
    • About SecurityOnline.info
    • Advertise on SecurityOnline.info
    • Contact Us

    When you purchase through links on our site, we may earn an affiliate commission. Here’s how it works

    • CVE Watchtower
    • CVE Statistics by Vendor 2026
    • Q2 2026 Report
    • Top Exploited CVEs
    • Linkedin
    • Twitter
    • Facebook
    • Youtube
    © 2017 - 2026 Daily CyberSecurity. All Rights Reserved.