Dozens of banks around the world are in the crosshairs of a threat group using JavaScript web injections to steal users' bank account credentials.
The campaign, which the attackers began preparing in December 2022 and which surfaced in March, has targeted 40 banks in North and South America, Europe, and Japan, and has attempted to steal banking credentials and other data from more than 50,000 people, according to IBM Security Trusteer.
There are indicators that the campaign may be linked to DanaBot, a banking trojan that's used to steal financial information.
According to analysts at cybersecurity firm Flashpoint, the third version of DanaBot rolled out in July on Exploit, a Russian-language forum.
In a web-injection attack, also known as a man-in-the-browser attack, malware already present on the victim's device inserts malicious code into a web page as the browser renders it; when the person views the page, the injected code can capture credentials and other information.
In this case, the threat actors bought malicious domains in December 2022 and started running the campaigns soon after, according to IBM. The campaigns are still underway, IBM's Langus wrote.
In an unusual twist, the malicious JavaScript is not embedded in the initial infection but hosted on a server the attackers control and loaded from there into the victim's browser.
It is unclear how the malware initially infects the victim's device, though plausible avenues include phishing and malvertising.
When a victim visits a targeted bank's login page, the malware injects a heavily obfuscated script that alters the page in the browser, enabling it to capture credentials and one-time passwords.
The threat actors running the script use several techniques to evade detection.
The script is intentionally obfuscated and delivered as a single line of code that contains both the encoded script string and a small decoder.
Large strings are prepended and appended to the decoder to conceal it. The encoded string is passed to a function constructor inside an anonymous function that is invoked immediately, which executes the malicious script.
A patching function also removes evidence of the injection from the page.
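The packing pattern described above, as an added example that is not code from IBM's report or from the campaign: a benign payload wrapped in the same shape (one line, junk string literals around a small decoder, a function constructor invoked from an immediately-called anonymous function), next to a heuristic that flags scripts of that shape. The padding length, the base64 encoding, the `Buffer`-based decoder (a browser loader would use `atob`) and the indicator thresholds are assumptions made for the demo.

```javascript
// Constructed stand-in for the malicious script: it only sets a marker.
const BENIGN_PAYLOAD = 'globalThis.__demoPayloadRan = "payload ran";';

// Builds a one-line loader in the reported shape around any payload source.
function buildSingleLineLoader(payloadSource, paddingLength = 2000) {
  const encoded = Buffer.from(payloadSource, 'utf8').toString('base64');
  // Decoder: decode the string and hand it straight to the Function
  // constructor from inside an anonymous function that runs immediately.
  // (Browser loaders use atob(); Buffer keeps this runnable under Node.)
  const decoder =
    '(function(s){Function(Buffer.from(s,"base64").toString("utf8"))()})' +
    '("' + encoded + '")';
  const pad = () => 'A'.repeat(paddingLength);
  // Junk string literals before and after the decoder bury it in noise.
  return 'var _p0="' + pad() + '";' + decoder + ';var _p1="' + pad() + '";';
}

// Runs a loader the way an injected <script> would and returns the marker
// the benign payload leaves behind (undefined if the payload never ran).
function runLoader(loader) {
  delete globalThis.__demoPayloadRan;
  new Function(loader)();
  return globalThis.__demoPayloadRan;
}

// Heuristic check for the reported shape. Returns the individual indicators
// so an analyst can see which ones fired; 4 of 5 is the assumed threshold.
function looksLikeSingleLineLoader(src) {
  const nonEmptyLines = src.split(/\r?\n/).filter((l) => l.trim().length > 0);
  const indicators = {
    singleLongLine: nonEmptyLines.length === 1 && src.length > 1000,
    functionConstructor: /\bFunction\s*\(/.test(src) || /\beval\s*\(/.test(src),
    decodesString:
      /\batob\s*\(/.test(src) || /["']base64["']/.test(src) || /fromCharCode/.test(src),
    longStringLiteral: /["'][^"']{500,}["']/.test(src),
    immediateAnonymousCall: /\(\s*function\s*\([^)]*\)\s*\{[\s\S]*?\}\s*\)\s*\(/.test(src),
  };
  const fired = Object.values(indicators).filter(Boolean).length;
  return { suspicious: fired >= 4, indicators };
}

// Constructed ordinary script for comparison: multi-line, no decoder.
const BENIGN_MULTILINE_SCRIPT = [
  'function greet(name) {',
  '  return "hello " + name;',
  '}',
  'greet("world");',
].join('\n');
```

The heuristic is deliberately coarse: minifiers also emit single long lines, so in practice the `singleLongLine` indicator should be weighted below the combination of a decoder, a `Function`/`eval` call and an immediately-invoked anonymous wrapper.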
The dynamic script continuously queries the command-and-control server and inspects the page structure, changing its actions based on the responses.
The attacker-controlled server tracks each compromised device by a bot ID, so the injection resumes from its previously executed step even if the user refreshes or reloads the page.
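As an added illustration that is not from IBM's report: a small beaconing detector run over constructed proxy-log lines, showing how the repeated, identifier-carrying polling described above appears in egress telemetry. The log format, the `.invalid` hostnames, the `bot` query parameter and the thresholds are assumptions for the demo; the point is that the stable bot ID which lets the server resume the injection across reloads is also the handle that ties the requests together for a defender.

```javascript
// Constructed proxy-log lines: "<timestamp> <client> <method> <url> <status>".
// 10.0.0.5 polls the assumed C2 every 10 s with the same bot ID, including
// across a page reload at 10:00:25; 10.0.0.7 makes a few irregular requests;
// the remaining lines are ordinary browsing without any identifier.
const SAMPLE_PROXY_LOG = [
  '2023-12-20T10:00:00Z 10.0.0.5 GET https://bank-example.invalid/login 200',
  '2023-12-20T10:00:00Z 10.0.0.5 GET https://cdn-updates.invalid/poll?bot=ab12cd 200',
  '2023-12-20T10:00:10Z 10.0.0.5 GET https://cdn-updates.invalid/poll?bot=ab12cd 200',
  '2023-12-20T10:00:20Z 10.0.0.5 GET https://cdn-updates.invalid/poll?bot=ab12cd 200',
  '2023-12-20T10:00:25Z 10.0.0.5 GET https://bank-example.invalid/login 200',
  '2023-12-20T10:00:30Z 10.0.0.5 GET https://cdn-updates.invalid/poll?bot=ab12cd 200',
  '2023-12-20T10:00:40Z 10.0.0.5 GET https://cdn-updates.invalid/poll?bot=ab12cd 200',
  '2023-12-20T10:00:50Z 10.0.0.5 GET https://cdn-updates.invalid/poll?bot=ab12cd 200',
  '2023-12-20T10:00:03Z 10.0.0.7 GET https://cdn-updates.invalid/poll?bot=ff00ee 200',
  '2023-12-20T10:00:07Z 10.0.0.7 GET https://cdn-updates.invalid/poll?bot=ff00ee 200',
  '2023-12-20T10:00:41Z 10.0.0.7 GET https://cdn-updates.invalid/poll?bot=ff00ee 200',
  '2023-12-20T10:01:00Z 10.0.0.9 GET https://news-example.invalid/ 200',
];

// Parses one constructed log line into its fields; botId is null when absent.
function parseLogLine(line) {
  const [timestamp, client, method, url, status] = line.trim().split(/\s+/);
  const parsed = new URL(url);
  return {
    time: Date.parse(timestamp),
    client,
    method,
    host: parsed.hostname,
    path: parsed.pathname,
    botId: parsed.searchParams.get('bot'),
    status: Number(status),
  };
}

// Flags (client, host, bot ID) groups that poll at a near-constant interval.
// minRequests and maxJitterSeconds are assumed tuning knobs.
function findBeaconingClients(lines, { minRequests = 5, maxJitterSeconds = 2 } = {}) {
  // Group request times by the identifier that keeps the server's state
  // attached to this browser across reloads.
  const groups = new Map();
  for (const line of lines) {
    const req = parseLogLine(line);
    if (!req.botId) continue;
    const key = `${req.client}|${req.host}|${req.botId}`;
    if (!groups.has(key)) groups.set(key, []);
    groups.get(key).push(req.time);
  }

  const findings = [];
  for (const [key, times] of groups) {
    if (times.length < minRequests) continue;
    times.sort((a, b) => a - b);
    // Inter-request gaps in seconds, then their mean and standard deviation.
    const gaps = times.slice(1).map((t, i) => (t - times[i]) / 1000);
    const mean = gaps.reduce((a, b) => a + b, 0) / gaps.length;
    const jitter = Math.sqrt(gaps.reduce((a, g) => a + (g - mean) ** 2, 0) / gaps.length);
    if (jitter > maxJitterSeconds) continue; // irregular traffic, not a beacon
    const [client, host, botId] = key.split('|');
    findings.push({ client, host, botId, requests: times.length, meanIntervalSeconds: mean, jitterSeconds: jitter });
  }
  return findings;
}
```

Note that the bank-site requests from the same client are not used by the detector; in an investigation they are what you correlate the finding against, since the poll at 10:00:30 continuing on schedule after the 10:00:25 reload is the on-the-wire signature of the server-side resumption described above.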
This Cyber News was published on securityboulevard.com. Publication date: Fri, 22 Dec 2023 15:43:05 +0000