In a new finding, it has been revealed that the malware campaign that first came to light in March 2023 has used JavScript web injections in an attempt to steal data from over 50 banks, belonging to around 50,000 used in North America, South America, Europe, and Japan.
The malware was first discovered by IBM's security team, where the researchers noted that the threat actors have been preparing for the campaign since December 2022, after buying the malicious domains.
The attacks used scripts that were loaded from the attacker's server to intercept user credentials and one-time passwords by focusing on a particular page structure that is shared by numerous institutions.
The attackers can access the victim's bank account, lock them out by altering security settings, and carry out illicit transactions by obtaining the aforementioned information.
A Stealthy Attack Chain The attack begins when the threat actors infect the victim's device with the malware.
While IBM's report did not specify the details of this stage, it is more likely that this is done through malvertizing, phishing emails, etc.
The malicious software inserts a new script tag with a source property pointing to an externally hosted script once the victim visits the malicious websites of the attackers.
On the victim's browser, the malicious obfuscated script is loaded to change the content of webpages, obtain login credentials, and intercept one-time passcodes.
IBM found this extra step unusual since most malware can perform web injections directly on the web page.
It is also noteworthy to mention that the malicious script uses names like cdnjs[.
Com to mimic authentic JavaScript content delivery networks in an attempt to avoid detection.
The script verifies the existence of particular security products before execution.
The script tends to continuously mend its behaviour to the command and control server's instructions, sending updates and receiving specific outputs that guide its activity on the victim's device.
According to IBM, this campaign is still a work in progress, thus the firm has urged online users to use online banking portals and apps with increased caution.
This Cyber News was published on www.cysecurity.news. Publication date: Wed, 20 Dec 2023 14:13:04 +0000