A new malware campaign that emerged in March 2023 used JavaScript web injections to try to steal the banking data of over 50,000 users of 40 banks in North America, South America, Europe, and Japan.
IBM's security team discovered this evasive threat and reported that the campaign has been under preparation since at least December 2022, when the malicious domains were purchased.
The attacks unfolded via scripts loaded from the attacker's server, targeting a specific page structure common across many banks to intercept user credentials and one-time passwords.
By capturing the above information, the attackers can log in to the victim's banking account, lock them out by changing security settings, and perform unauthorized transactions.
The attack begins with the initial malware infection of the victim's device.
IBM's report doesn't delve into the specifics of this stage, but it could be via malvertizing, phishing, etc.
Once the victim visits the attackers' compromised or malicious sites, the malware injects a new script tag with a source attribute pointing to an externally hosted script.
The malicious obfuscated script is loaded on the victim's browser to modify webpage content, capture login credentials, and intercept one-time passcodes.
IBM says this extra step is unusual, as most malware performs web injections directly on the web page.
This new approach makes the attacks more stealthy, as static analysis checks are unlikely to flag the simpler loader script as malicious while still permitting dynamic content delivery, allowing attackers to switch to new second-stage payloads if needed.
It's also worth noting that the malicious script resembles legitimate JavaScript content delivery networks, using domains like cdnjs[.
The script performs checks for specific security products before execution.
The script is dynamic, constantly adjusting its behavior to the command and control server's instructions, sending updates, and receiving specific responses that guide its activity on the breached device.
The researchers have found loose connections between this new campaign and DanaBot, a modular banking trojan that has been circulated in the wild since 2018 and was recently seen spreading via Google Search malvertising promoting fake Cisco Webex installers.
According to IBM, the campaign is still underway, so heightened vigilance is advised when using online banking portals and apps.
Rhadamanthys Stealer malware evolves with more powerful features.
Qbot malware returns in campaign targeting hospitality industry.
Ten new Android banking trojans targeted 985 bank apps in 2023.
DarkGate and Pikabot malware emerge as Qakbot's successors.
BazarCall attacks abuse Google Forms to legitimize phishing emails.
This Cyber News was published on www.bleepingcomputer.com. Publication date: Tue, 19 Dec 2023 20:40:27 +0000