A new malware campaign, emerging in March, uses web injections of JavaScrip codex malicious intent to try to steal the banking data of more than 50 thousand account holders from 40 banks in North America, South America, Europe and Japan.
The IBM security team discovered the threat and reported that the campaign has been in preparation since at least December 2022, when the malicious domains were purchased.
The attacks unfolded through scripts loaded from the attacker’s server, targeting a specific page structure common across many banks to intercept user credentials and one-time passwords (OTPs). By capturing the information, attackers can log into the victim’s bank account, lock it by changing security settings, and carry out unauthorized transactions.
The attack begins with the initial malware infection of the victim’s device. IBM’s report does not delve into the details of this step, but explains that after the victim visits the compromised or malicious websites, the malware injects a new script tag with a source (src) attribute pointing to an externally hosted script. . The malicious obfuscated script is loaded into the victim’s browser to modify web page content, capture login credentials and intercept OTP passwords.
IBM says this extra step is unusual, as most malware performs web injections directly into the web page. According to the company, this new approach makes attacks stealthier, as static analysis checks are unlikely to flag the simplest loader script as malicious, while also enabling dynamic content delivery, enabling attackers to change for new second stage payloads if necessary.
It’s also worth noting that the malicious script resembles legitimate JavaScript content delivery networks (CDN) using domains like cdnjs[.] com and unpkg[.] com, to avoid detection. Additionally, the script performs checks for specific security products before execution.
The script is dynamic, constantly adjusting its behavior to instructions from the command and control (C&C) server, sending updates and receiving specific responses that guide its activity on the breached device. It has several operational states determined by a server-set “mlink” flag, including injecting prompts for phone numbers or OTP tokens, displaying error messages, or simulating page loading, all part of its theft strategy. of data.
IBM says that nine “mlink” variable values can be combined to order the script to perform specific and distinct data exfiltration actions, so that a diverse set of commands are supported. Researchers found loose connections between this new campaign and DanaBot, a modular banking trojan that has been circulating since 2018 and was recently seen spreading via Google Search malvertising promoting fake Cisco Webex installers.
According to IBM, the campaign is still ongoing, so greater vigilance is advised when using online banking portals and applications.
Source: CisoAdvisor, SecurityIntelligence
