
Malware campaign targets banking information

How the attacks work: malicious scripts, camouflage as a JavaScript CDN, and links to DanaBot

A recent malware campaign used JavaScript web injections against more than 50,000 users at around 40 banking institutions worldwide. Once on the victim's device, the malware injects a malicious script into the browser session; the script modifies the bank's web pages and steals data. To slip past security controls, the attackers made the script look as if it were served by a common JavaScript CDN. Links to the DanaBot banking trojan were also found.


A new, dangerous malware campaign, first observed in March 2023, used JavaScript injections against more than 50,000 users at approximately 40 banking institutions in North America, South America, Europe and Japan. IBM security analysts, who documented the attack, note that the operation has been under way since at least December 2022, when the malicious domains used by the attackers were registered.

Attack modes and script loading

The infection begins with malware compromising the user's device, presumably via phishing or malvertising. When the victim then visits a targeted banking site, the malware injects a script tag whose "src" attribute points to an external malicious script. That script loads in the browser and alters the content of the bank's pages, capturing login credentials and one-time passwords (OTPs). The IBM team notes that this indirect injection makes the attack harder to spot with static analysis, because the small initial loader looks far less suspicious than the full payload it fetches.

Masking and evasive tactics

The attackers' approach is built to stay under the radar: the script is served in a way that imitates common JavaScript CDNs, cdnjs[.]com and unpkg[.]com among them, so that it blends in with legitimate page resources and evades detection systems. Before executing, the script also checks whether specific security products are present on the machine. Its behaviour is dynamic: it contacts the command-and-control server, receives directives and updates, and adapts what it does on the infected device accordingly.
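The two mechanisms above, a loader tag whose "src" points at an external script and a serving host that imitates a well-known CDN, can both be surfaced by auditing the script tags a banking page actually ends up with against an allowlist. The following Node.js snippet is an added example (not code from the article, from IBM's report or from the malware) that does exactly that on a constructed sample page; the first-party host "bank.example" and the lookalike host "cdnjs-cache.invalid" are hypothetical placeholders, while the two CDN hostnames in the allowlist are the real ones.

```javascript
// Added example (not code from the article or from IBM's report): audit the
// <script src> tags of a page against an allowlist of script hosts, so that an
// injected loader tag, including one served from a host that imitates a
// well-known CDN, is surfaced. Hostnames ending in ".example" or ".invalid"
// are hypothetical placeholders.

// Allowlist of hosts the bank's page is expected to load scripts from.
// "bank.example" is a hypothetical first-party host; the CDN hosts are real.
const ALLOWED_SCRIPT_HOSTS = new Set([
  "bank.example",
  "cdnjs.cloudflare.com",
  "unpkg.com",
]);

// Constructed sample page: three legitimate tags followed by a tag of the
// shape the article describes (a loader whose "src" points at an external
// script) served from a hypothetical lookalike host.
const SAMPLE_HTML = `
<html><head>
<script src="/static/app.js"></script>
<script src="https://cdnjs.cloudflare.com/ajax/libs/jquery/3.7.1/jquery.min.js"></script>
<script src='https://unpkg.com/lodash@4.17.21/lodash.min.js'></script>
<script type="text/javascript" src="https://cdnjs-cache.invalid/jquery.min.js"></script>
</head><body></body></html>`;

// Pull the src value out of every <script ... src=...> tag (double-quoted,
// single-quoted or bare). Inline scripts without src are ignored.
function extractScriptSources(html) {
  const tagRe =
    /<script\b[^>]*?(?<![\w-])src\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/gi;
  const sources = [];
  let match;
  while ((match = tagRe.exec(html)) !== null) {
    sources.push(match[1] ?? match[2] ?? match[3]);
  }
  return sources;
}

// Classify one src relative to the page origin and the allowlist.
// A host that is not allowed but contains the first label of an allowed host
// (e.g. "cdnjs") is reported as a lookalike rather than merely unknown.
function classifyScriptSource(src, pageOrigin, allowed) {
  let url;
  try {
    url = new URL(src, pageOrigin);
  } catch {
    return { src, host: null, verdict: "unparseable" };
  }
  const host = url.hostname;
  if (url.origin === pageOrigin) return { src, host, verdict: "first-party" };
  if (allowed.has(host)) return { src, host, verdict: "allowed" };
  const lookalikeOf = [...allowed].find(
    (h) => host !== h && host.includes(h.split(".")[0]),
  );
  return lookalikeOf
    ? { src, host, verdict: "lookalike", lookalikeOf }
    : { src, host, verdict: "unknown" };
}

// Audit a whole page: returns every classification plus the subset that
// warrants attention (anything that is neither first-party nor allowed).
function auditScriptSources(html, pageOrigin, allowed = ALLOWED_SCRIPT_HOSTS) {
  const results = extractScriptSources(html).map((src) =>
    classifyScriptSource(src, pageOrigin, allowed),
  );
  const findings = results.filter(
    (r) => r.verdict !== "first-party" && r.verdict !== "allowed",
  );
  return { results, findings };
}

// Run the audit on the constructed page and print what would be escalated.
const report = auditScriptSources(SAMPLE_HTML, "https://bank.example");
for (const f of report.findings) {
  console.log(
    `${f.verdict.toUpperCase()}: ${f.src}` +
      (f.lookalikeOf ? ` (imitates ${f.lookalikeOf})` : ""),
  );
}
```

On the sample page the audit reports the fourth tag as a lookalike of cdnjs.cloudflare.com and leaves the three legitimate tags alone. The same allowlist is what a Content-Security-Policy `script-src` directive would enforce in the browser, which is the production-grade form of this check; the caveat is that the page describes malware already running on the victim's device, and code at that privilege level can also tamper with the browser or with response headers, so treat a check like this as a detection aid rather than a guarantee.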

Connections to other malware and recommendations

IBM experts found links between this campaign and DanaBot, a modular banking trojan known since 2018 and recently observed in malvertising campaigns pushing fake installers for Cisco Webex. The script's behaviour is steered by an indicator named "mlink", which can take nine different values, each directing the script to perform specific data-stealing actions. IBM stresses that the campaign is still active and therefore recommends renewed caution when using online banking portals and applications.


12/19/2023 21:38

Editorial AI
