
Malware campaign targets banking information

The mechanics of the attack have been revealed: malicious scripts, camouflage and links to DanaBot

A recent malware campaign carried out a JavaScript injection attack, targeting 50,000 users at 40 banking institutions around the world. The malware injects a malicious script into the user's browser, modifying banks' web pages and stealing data. Cybercriminals used sophisticated techniques to bypass security systems, making the script appear like a common JavaScript CDN. A link to the DanaBot banking trojan was discovered.


A new dangerous malware campaign first identified in March 2023 used JavaScript injections to target more than 50,000 users at approximately 40 banking institutions spread across North America, South America, Europe, and Japan. IBM security analysts highlighted this evolved attack, which has been orchestrated since December 2022, at which point the malicious domains used by the attackers were registered.

Attack modes and script loading

The infection begins with malware contaminating the user's device, presumably via phishing or malvertising. Once the victim accesses a targeted site, a script tag whose "src" attribute points to an external malicious script is injected into the page. That external script loads in the browser and modifies the content of the banking web pages, capturing login credentials and OTP codes. The IBM team points out that this indirect injection method makes the attack harder to spot with static analysis, since the initial loader script appears less suspicious than the payload it fetches.

Masking and evasive tactics

The approach taken by the cybercriminals aims to stay under the radar by making the script's behavior mimic that of common JavaScript CDNs. Domains such as cdnjs[.]com and unpkg[.]com are exploited as cover to evade detection systems. Furthermore, before proceeding with execution, the script checks for the presence of specific security products. Its behavior is dynamic: it adapts on the fly to directives from the command and control server, updating itself and receiving responses that steer its activity on the infected device.
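The two sections above describe a loader injected as a script tag with an external "src" and a payload host dressed up as a JavaScript CDN. The following is an added example (not code from the article or from IBM's report) of a defender-side audit that extracts the script sources from a page and flags hosts that are not on an allowlist, singling out those that merely resemble a well-known CDN; the allowlist, brand tokens and sample hostnames are assumptions and constructed placeholders.

```javascript
// Hosts the bank's pages are expected to load scripts from (assumed allowlist).
const ALLOWED_HOSTS = new Set([
  'bank.example', 'static.bank.example', 'cdnjs.cloudflare.com', 'unpkg.com',
]);
// Brand tokens of popular CDNs that a camouflage domain may imitate (assumed).
const CDN_BRANDS = ['cdnjs', 'unpkg', 'jsdelivr'];

// Pull every <script ... src="..."> value out of raw HTML.
function extractScriptSources(html) {
  const out = [];
  const re = /<script\b[^>]*\bsrc\s*=\s*["']([^"']+)["'][^>]*>/gi;
  let m;
  while ((m = re.exec(html)) !== null) out.push(m[1]);
  return out;
}

// Classify one script source relative to the page origin it was found on.
function classifyScriptSource(src, pageOrigin) {
  let url;
  try { url = new URL(src, pageOrigin); } catch { return { src, verdict: 'unparseable' }; }
  const host = url.hostname.toLowerCase();
  if (ALLOWED_HOSTS.has(host)) return { src, host, verdict: 'allowed' };
  // A host that carries a CDN brand name but is not that CDN's real host is the
  // camouflage pattern the article describes (a lookalike of cdnjs/unpkg).
  const brand = CDN_BRANDS.find((b) => host.includes(b));
  if (brand) return { src, host, verdict: 'cdn-lookalike', brand };
  return { src, host, verdict: 'unknown-host' };
}

function auditPage(html, pageOrigin) {
  return extractScriptSources(html).map((s) => classifyScriptSource(s, pageOrigin));
}

// Constructed sample page: a same-origin script, a genuine CDN script,
// a CDN lookalike and an unrelated unknown host (all placeholder domains).
const SAMPLE_HTML = `
<html><head>
<script src="/js/app.js"></script>
<script src="https://cdnjs.cloudflare.com/ajax/libs/jquery/3.7.1/jquery.min.js"></script>
<script type="text/javascript" src="https://cdnjs-example.invalid/ajax/libs/jquery/3.6.0/jquery.min.js"></script>
<script src="https://static.update-check.invalid/loader.js"></script>
</head><body></body></html>`;

for (const f of auditPage(SAMPLE_HTML, 'https://bank.example')) {
  console.log(f.verdict.padEnd(14), f.host || f.src);
}
```

Run against a fetched copy of a page or fed from a browser's DOM, the same check also catches a loader that only appears after the page has been tampered with, since it judges the rendered script list rather than the server's source.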

Connections to other malware and recommendations

IBM experts discovered links between this campaign and DanaBot, a modular banking Trojan known since 2018 and recently observed in malvertising campaigns promoting fake installers for Cisco Webex. Nine possible values of the "mlink" indicator can be combined to direct the script to perform specific data-stealing actions. IBM notes that the campaign is still active and therefore recommends renewed attention when using online banking portals and applications.


12/19/2023 21:38

Editorial AI
