HITCON 101 - BackSwap InfinityWar - Deep Dive Analysis of Banking Trojan / IokJin Sih, KunYu Chen
===

BackSwap intro
---
Online banking trojan, seen in the wild since 2018. Its flow:

- Step 1: SetWinEventHook() to listen to the browser
- Step 2: use the API to get the browser URL
- Step 3: JavaScript injection
- Step 4: the malicious JavaScript interferes with digital banking

Basic information
---
- File name: fake-7zip.exe

Preparation - War 1: peel off the shellcode
---
- Find the hidden shellcode; it is hidden inside 7-Zip
- A shellcode loader is used to load the BackSwap shellcode into the program

5 steps to peel off the shellcode:

1. The BackSwap loader locates initterm()
2. VirtualAlloc(): find the `call ds:VirtualAlloc`
3. Locate the shellcode in RAM
5. Hook the API and monitor the URL; the malicious JavaScript is entered through the browser developer tools, simulating a human operator

API hashing
---
API hash -> RAM location of the OS DLL export:

- 0xFBEDE6FE -> user32.dll:SetWinEventHook()
- 0xBE815D52 -> ntdll.dll:NtdllDefWindowProc_A()
- 0x03C35711 -> user32.dll:EnableWindow()

API hash table: input DLL export name > hash handling > output hash, e.g. SetWinEventHook -> 0xFBEDE6FE

###### tags: `HITCONCMT2019`,`HITCONCMT`,`HITCON`
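The API-hashing section above only lists the resulting constants. The following is an added example, not code from the talk or from the BackSwap sample, showing both sides of the technique: how a loader resolves an export from a hash, and how an analyst inverts it by hashing every export of the candidate DLLs and matching the constants pulled from the binary. The hash function used (ROR13, the common shellcode convention), the extra candidates (djb2, CRC32) and the miniature export tables are all assumptions; BackSwap's real hash routine is not in the notes, so the slide constants will not match this toy hash and are used only to show the matching workflow.

```python
"""
Added example (not from the talk or the notes): an API-hashing resolver and
the analyst workflow that inverts it.

Assumption: the hash is ROR13 (h = ror(h, 13) + byte). BackSwap's real hash
routine is not given in the notes, so the constants from the slides
(0xFBEDE6FE, 0xBE815D52, 0x03C35711) will not match this toy hash.
"""
import zlib

MASK32 = 0xFFFFFFFF


def ror32(value: int, count: int) -> int:
    """Rotate a 32-bit value right by `count` bits."""
    count %= 32
    return ((value >> count) | (value << (32 - count))) & MASK32


def ror13_hash(name: bytes) -> int:
    """ROR13 export-name hash (assumed algorithm, not BackSwap's)."""
    h = 0
    for c in name:
        h = (ror32(h, 13) + c) & MASK32
    return h


def djb2_hash(name: bytes) -> int:
    """djb2: a second candidate an analyst might try (assumption)."""
    h = 5381
    for c in name:
        h = (h * 33 + c) & MASK32
    return h


def crc32_hash(name: bytes) -> int:
    """CRC32: a third candidate (assumption)."""
    return zlib.crc32(name) & MASK32


# Constructed miniature export tables for the example. A real loader walks
# PEB->Ldr->InMemoryOrderModuleList and each module's export directory.
EXPORTS = {
    "user32.dll": ["SetWinEventHook", "EnableWindow", "FindWindowA", "GetWindowTextA"],
    "ntdll.dll": ["NtdllDefWindowProc_A", "NtAllocateVirtualMemory", "RtlInitUnicodeString"],
    "kernel32.dll": ["VirtualAlloc", "LoadLibraryA", "GetProcAddress"],
}


def build_hash_table(exports, hash_fn=ror13_hash):
    """Hash every export name; keep a list per hash so collisions stay visible."""
    table = {}
    for dll, names in exports.items():
        for name in names:
            table.setdefault(hash_fn(name.encode("ascii")), []).append((dll, name))
    return table


def resolve(api_hash: int, table):
    """Loader side: hash -> (dll, export), or None when nothing matches."""
    hits = table.get(api_hash)
    if not hits:
        return None
    if len(hits) > 1:
        # Two exports hashing to one value would make the loader ambiguous.
        raise ValueError(f"hash collision for {api_hash:#010x}: {hits}")
    return hits[0]


def match_observed(observed, exports, candidates):
    """Analyst side: for each constant pulled from the sample, report which
    candidate hash function (if any) maps a known export onto it."""
    result = {}
    for label, fn in candidates.items():
        table = build_hash_table(exports, fn)
        for h in observed:
            if h in table:
                result.setdefault(h, []).append((label, table[h]))
    return result


if __name__ == "__main__":
    table = build_hash_table(EXPORTS)
    h = ror13_hash(b"SetWinEventHook")
    print(f"{h:#010x} -> {resolve(h, table)}")

    slide_constants = [0xFBEDE6FE, 0xBE815D52, 0x03C35711]
    candidates = {"ror13": ror13_hash, "djb2": djb2_hash, "crc32": crc32_hash}
    print(match_observed(slide_constants, EXPORTS, candidates) or "no candidate matched")
```

In practice the analyst side is run against the full export lists of user32.dll, ntdll.dll and kernel32.dll (dumped with a PE parser) and against the hash routine recovered from the loader's disassembly; the candidate list here is only a stand-in for that recovered routine.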