Web injections, a favoured technique employed by various banking Trojans, have been a persistent threat in the realm of cyberattacks.
These malicious injections enable cybercriminals to manipulate data exchanges between users and web browsers, potentially compromising sensitive information.
A new finding reveals that a malware campaign, first observed in March 2023, has used JavaScript web injections in an attempt to steal data from over 50 banks, targeting around 50,000 users in North America, South America, Europe, and Japan.
IBM Security has dissected some JavaScript code that was injected into people's online banking pages to steal their login credentials, saying 50,000 user sessions with more than 40 banks worldwide were compromised by the malicious software in 2023.
As IBM's researchers explained, it all starts with a malware infection on the victim's endpoint.
When the victim visits a malicious site, the malware will inject a new script tag which is then loaded into the browser and modifies the website's content.
IBM says this extra step is unusual, as most malware performs web injections directly on the web page.
This new approach makes the attacks more stealthy, as static analysis checks are unlikely to flag the simpler loader script as malicious while still permitting dynamic content delivery, allowing attackers to switch to new second-stage payloads if needed.
It's also worth noting that the malicious script resembles legitimate JavaScript content delivery networks, using domains like cdnjs[.
The script performs checks for specific security products before execution.
Judging by the evidence to hand, it appears the Windows malware DanaBot, or something related or connected to it, infects victims' PCs - typically from spam emails and other means - and then waits for the user to visit their bank website.
At that point, the malware kicks in and injects JavaScript into the login page.
This injected code executes on the page in the browser and intercepts the victim's credentials as they are entered, which can be passed to fraudsters to exploit to drain accounts.
The script is fairly smart: it communicates with a remote command-and-control server, and removes itself from the DOM tree - deletes itself from the login page, basically - once it's done its thing, which makes it tricky to detect and analyze.
The script's other capabilities include injecting a prompt for the user's phone number or two-factor authentication token, which the miscreants can use together with the intercepted username and password to access the victim's bank account and steal their cash.
The script can also inject an error message on the login page that says the banking services are unavailable for 12 hours.
Other actions include injecting a page loading overlay as well as scrubbing any injected content from the page.
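The behaviour described above, a script tag inserted into the login page at runtime and scrubbed from the DOM once it has done its job, is something a page-side monitor can look for. The example below is added here and is not code from IBM's report or from the article; PAGE_ORIGIN, the 5 s removal window and SAMPLE_EVENTS are constructed placeholders, not values from the campaign.

```javascript
// Added example, not code from IBM's report or the article: a page-side monitor for the
// pattern described above, a <script> element injected at runtime from an origin the login
// page never loads from and removed again soon afterwards. Placeholders are constructed.
const PAGE_ORIGIN = "https://login.example-bank.test";
const ALLOWED_ORIGINS = new Set([PAGE_ORIGIN]);

// Inline scripts have no src; any src is resolved to an origin and checked against the
// allow-list, so a CDN-lookalike host still comes back as "unexpected-origin".
function classifyScriptSrc(src) {
  if (!src) return "inline";
  try {
    return ALLOWED_ORIGINS.has(new URL(src, PAGE_ORIGIN + "/").origin) ? "allowed" : "unexpected-origin";
  } catch { return "unparseable"; }
}

// events: [{t: ms, type: "added"|"removed", tag, src, id}] in DOM order; one alert per finding.
function analyseMutations(events) {
  const alerts = [], added = new Map();
  for (const ev of events) {
    if (ev.tag !== "SCRIPT") continue;
    if (ev.type === "added") {
      added.set(ev.id, ev);
      const verdict = classifyScriptSrc(ev.src);
      if (verdict !== "allowed") alerts.push({ kind: "script-injected", verdict, id: ev.id });
    } else if (ev.type === "removed" && added.has(ev.id)) {
      const afterMs = ev.t - added.get(ev.id).t; // quick add-then-remove = self-cleanup
      if (afterMs <= 5000) alerts.push({ kind: "script-self-removed", id: ev.id, afterMs });
    }
  }
  return alerts;
}

// Browser wiring (returns null outside a browser): feed live DOM mutations to the analyser.
function watchDocument(report) {
  if (typeof MutationObserver === "undefined") return null;
  const log = [], ids = new WeakMap(); let next = 1;
  const note = (type, n) => { if (n.nodeName !== "SCRIPT") return; if (!ids.has(n)) ids.set(n, next++);
    log.push({ t: Date.now(), type, tag: "SCRIPT", src: n.src || "", id: ids.get(n) }); };
  const obs = new MutationObserver((records) => {
    for (const r of records) { r.addedNodes.forEach((n) => note("added", n)); r.removedNodes.forEach((n) => note("removed", n)); }
    report(analyseMutations(log));
  });
  obs.observe(document.documentElement, { childList: true, subtree: true });
  return obs;
}

// Constructed sample: the bank's own bundle, then an injected loader that deletes itself 1.2 s later.
const SAMPLE_EVENTS = [
  { t: 0, type: "added", tag: "SCRIPT", src: "/static/app.js", id: 1 },
  { t: 800, type: "added", tag: "SCRIPT", src: "https://cdn-lookalike.example/loader.js", id: 2 },
  { t: 2000, type: "removed", tag: "SCRIPT", src: "https://cdn-lookalike.example/loader.js", id: 2 },
];
```

Running `analyseMutations(SAMPLE_EVENTS)` yields two alerts for script id 2: an unexpected-origin injection and a self-removal 1200 ms later, which is the signal a page-integrity agent would forward to the bank's fraud team.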
DanaBot and similar malware manipulate user data through JavaScript injections, which lets their operators steal login credentials with ease.
In the attack detected by IBM Security, malicious scripts are injected into banking pages at runtime, evading conventional detection methods.
To reduce the risk of malware infection, users are advised to keep their software up to date, enable multi-factor authentication, and exercise caution when opening emails.
This Cyber News was published on www.cysecurity.news. Publication date: Sat, 23 Dec 2023 12:43:10 +0000