
Malware campaign targets banking information

How the attacks work: malicious scripts, camouflage and links to DanaBot

A recent malware campaign carried out a JavaScript injection attack targeting 50,000 users at 40 banking institutions around the world. The malware injects a malicious script into the user's browser, modifying the banks' web pages and stealing data. The attackers used sophisticated techniques to bypass security systems, making the script appear to come from a common JavaScript CDN. A link to the DanaBot banking trojan was also discovered.


A new, dangerous malware campaign, first identified in March 2023, used JavaScript injections to target more than 50,000 users at approximately 40 banking institutions spread across North America, South America, Europe, and Japan. IBM security analysts highlighted this evolved attack, which has been orchestrated since December 2022, when the malicious domains used by the attackers were registered.

Attack modes and script loading

The infection begins with malware compromising the user's device, presumably via phishing or malvertising. Once the victim visits a targeted banking site, a script tag whose "src" attribute points to an external malicious script is injected into the page. That external script loads in the browser and modifies the content of the banking web pages, capturing login credentials and OTP codes. The IBM team points out that this indirect injection method makes the attack harder to spot with static analysis, since the initial loader script looks far less suspicious than the payload it fetches.

Masking and evasive tactics

The attackers' approach aims to stay under the radar by camouflaging the script's behavior as that of a common JavaScript CDN. Domains such as cdnjs[.]com and unpkg[.]com are exploited to evade detection systems. Furthermore, before proceeding with execution, the script checks for the presence of specific security products. Its dynamic behavior allows the script to adapt instantly to directives from the command and control server, sending updates and receiving responses that steer its activity on the infected device.
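The two paragraphs above describe an injected script tag whose "src" points at a host dressed up to look like a public CDN. The following is an added defender-side example, not code from the article or from IBM: it takes a captured snapshot of a banking page, lists every external script source, and flags any host that is not on the bank's own allowlist, with a separate "lookalike" verdict for hosts that merely resemble an allowed CDN name. The allowlist entries, the hypothetical first-party host www.example-bank.test and the sample HTML are constructed for illustration; cdnjs.cloudflare.com and unpkg.com are the real hosts of the CDNs the article names.

```javascript
// Added example (not from the article): audit the <script src> tags in a
// captured page against an allowlist of hosts the bank actually uses.
// The allowlist and the sample page below are constructed for illustration.

const ALLOWED_SCRIPT_HOSTS = new Set([
  'www.example-bank.test',  // hypothetical first-party host
  'cdnjs.cloudflare.com',   // real public CDN host
  'unpkg.com',              // real public CDN host
]);

// Pull every src= value out of <script ...> tags. A regex is sufficient for a
// saved page snapshot; inside a browser you would walk document.scripts instead.
function extractScriptSources(html) {
  const re = /<script\b[^>]*\bsrc\s*=\s*["']([^"']+)["'][^>]*>/gi;
  const sources = [];
  let m;
  while ((m = re.exec(html)) !== null) sources.push(m[1]);
  return sources;
}

// Does the host reuse the distinctive first label of an allowed CDN host
// (e.g. "cdnjs" or "unpkg") without actually being that host?
function resemblesAllowedHost(host) {
  for (const allowed of ALLOWED_SCRIPT_HOSTS) {
    const label = allowed.split('.')[0];
    if (label.length >= 5 && host !== allowed && host.includes(label)) return true;
  }
  return false;
}

// Resolve the src against the page origin (so relative paths map to the
// first-party host) and classify the resulting hostname.
function classifyScript(src, pageOrigin) {
  let url;
  try {
    url = new URL(src, pageOrigin);
  } catch (e) {
    return { src, host: null, verdict: 'unparsable' };
  }
  const host = url.hostname.toLowerCase();
  if (ALLOWED_SCRIPT_HOSTS.has(host)) return { src, host, verdict: 'allowed' };
  if (resemblesAllowedHost(host)) return { src, host, verdict: 'lookalike' };
  return { src, host, verdict: 'unexpected' };
}

function auditPage(html, pageOrigin) {
  return extractScriptSources(html).map((src) => classifyScript(src, pageOrigin));
}

// Constructed sample: a first-party script, a legitimate CDN script, and one
// injected tag whose host only resembles a CDN.
const SAMPLE_HTML = `
<html><head>
<script src="/static/app.js"></script>
<script src="https://cdnjs.cloudflare.com/ajax/libs/jquery/3.7.1/jquery.min.js"></script>
<script type="text/javascript" src='https://cdnjs-static.example.test/loader.js'></script>
</head><body></body></html>`;

for (const r of auditPage(SAMPLE_HTML, 'https://www.example-bank.test/login')) {
  console.log(r.verdict.padEnd(10), r.host, r.src);
}
```

The same allowlist, expressed as a Content-Security-Policy `script-src` directive, is the browser-enforced version of this check: an injected tag pointing at a host outside the policy is blocked before it loads, and a `report-uri`/`report-to` endpoint turns each blocked load into a detection signal. Note that a script injected by malware already on the endpoint may not be visible in a server-side snapshot at all, so the audit above is most useful on page content captured from the client side, for example by a browser extension or a session-replay tool.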

Connections to other malware and recommendations

IBM experts discovered links between this campaign and DanaBot, a modular banking trojan known since 2018 and recently observed in malvertising campaigns promoting fake installers for Cisco Webex. Nine possible values of the "mlink" indicator can be combined to direct the script to perform specific data-stealing actions. IBM notes that the campaign is still active and therefore recommends renewed attention when using online banking portals and applications.


12/19/2023 21:38

Marco Verro
