Creating effective and stealthy banking malware is becoming increasingly difficult, forcing malware authors to come up with innovative methods. The latest creative burst in this malware segment comes from a group that initially came up with malware stealing cryptocurrency by replacing wallet addresses in the clipboard.
BackSwap eschews the usual “process injection for monitoring browsing activity” trick. Instead, it handles everything by working with Windows GUI elements and simulating user input.
BackSwap hooks key window message loop events to monitor the URLs a user visits and detects bank-specific URLs and window titles from those events, rather than from inside the browser process.
Read more: Help Net Security