These malicious injections enable cyber criminals to manipulate data exchanges between users and web browsers, potentially compromising sensitive information.
In March 2023, security researchers at IBM Security Trusteer uncovered a new malware campaign using JavaScript web injections.
Since the beginning of 2023, we have seen over 50,000 infected user sessions in which attackers used these injections, which indicates the scale of the threat activity: more than 40 banks across North America, South America, Europe and Japan were affected by this malware campaign.
Our analysis indicates that in this new campaign the threat actors likely intend to use the web injection module to compromise popular banking applications and, once the malware is installed, intercept users' credentials in order to access, and likely monetize, their banking information.
Upon examining the injection, we discovered that the JS script is targeting a specific page structure common across multiple banks.
This web injection does not target banks whose login pages have a different structure, but it still sends data about the infected machine to the server, and it can easily be modified to target other banks.
During our investigation, we observed that the malware initiates data exfiltration upon the initial retrieval of the script.
Figure 1: The initial obfuscated GET request fetching the script.
The retrieved script is intentionally obfuscated and returned as a single line of code, which includes both the encoded script string and a small decoding script.
The encoded string is then passed to a function builder within an anonymous function and promptly executed, which also initiates the execution of the malicious script.
Figure 2: Encoded string passed to de-obfuscation function, followed by removal of artifacts used for decoding the script.
The script's behavior is highly dynamic, continuously querying both the command and control server and the current page structure and adjusting its flow based on the information obtained.
The structure is similar to a client-server architecture, where the script maintains a continuous flow of updates to the server while requesting further instructions.
To keep a record of its actions, the script sends a request to the server, logging pertinent information, such as the originating function, success or failure status and updates on various flags indicating the current state.
Figure 5: An example of multiple traffic logs, sent within a few seconds of the script running.
The script relies on receiving a specific response from the server, which determines the type of injection it should execute, if any.
The script is executed within an anonymous function, creating an object that holds various fields and helper functions for its own use.
Following the initial configuration, the script sends a request to the server providing initial details, and assigns a callback to handle the response, allowing the execution to proceed.
Subsequently, the script proceeds to remove itself from the DOM tree, enhancing its ability to conceal its actions.
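The traits described above (a script delivered as a single long line, a large encoded string handed to a function builder inside an anonymous function, and self-removal from the DOM) can be turned into a defender-side heuristic. The following scorer is an added example, not code from IBM Trusteer or from the campaign; the rule weights, the threshold and the two sample scripts are constructed assumptions for illustration.

```javascript
// Heuristic scorer for inline <script> text. Each rule maps to a trait the
// write-up attributes to the injected script; weights are an assumption.
const RULES = [
  // One very long line: the script is returned as a single line of code.
  { id: 'single_long_line', weight: 2,
    test: (src) => src.split('\n').filter((l) => l.trim()).length === 1 && src.length > 2000 },
  // A large encoded string literal (base64-like run of 500+ characters).
  { id: 'large_encoded_literal', weight: 2,
    test: (src) => /["'`][A-Za-z0-9+\/=_-]{500,}["'`]/.test(src) },
  // Decoded text handed to a function builder or eval and executed.
  { id: 'dynamic_code_execution', weight: 3,
    test: (src) => /\bnew\s+Function\s*\(|\beval\s*\(/.test(src) },
  // The script removes its own <script> element from the DOM tree.
  { id: 'self_removal', weight: 2,
    test: (src) => /currentScript\s*\.\s*(remove\s*\(|parentNode\s*\.\s*removeChild)/.test(src) },
  // Everything wrapped in an immediately invoked anonymous function.
  { id: 'anonymous_iife', weight: 1,
    test: (src) => /\(\s*function\s*\([^)]*\)\s*\{[\s\S]*\}\s*\)\s*\(/.test(src) },
];

// Returns the matched rule ids, the summed weight and a verdict (threshold assumed).
function scoreInlineScript(src) {
  const matched = RULES.filter((r) => r.test(src));
  const score = matched.reduce((sum, r) => sum + r.weight, 0);
  return { score, hits: matched.map((r) => r.id), suspicious: score >= 7 };
}

// Scans a list of {id, text} script records (e.g. collected from a page snapshot
// or a proxy log) and returns the ids whose score crosses the threshold.
function flagScripts(scripts) {
  return scripts.filter((s) => scoreInlineScript(s.text).suspicious).map((s) => s.id);
}

// Constructed samples (not captured traffic). The blob is a placeholder for an
// encoded payload; the structure mirrors the description, not the real script.
const ENCODED_BLOB = 'A'.repeat(2100);
const SAMPLE_SUSPICIOUS =
  `(function(){var s="${ENCODED_BLOB}";var d=atob(s);` +
  `new Function(d)();document.currentScript.remove();})();`;
const SAMPLE_BENIGN =
  'window.dataLayer = window.dataLayer || [];\n' +
  'function gtag(){ dataLayer.push(arguments); }\n' +
  "gtag('js', new Date());\n";

console.log(flagScripts([
  { id: 'inline-1', text: SAMPLE_BENIGN },
  { id: 'inline-2', text: SAMPLE_SUSPICIOUS },
])); // prints [ 'inline-2' ]
```

The rules are deliberately coarse: a single hit (an IIFE, or even `eval`) is common in legitimate code, so the verdict only fires when several of the described traits occur together in one inline script.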
If the token is found, or was never looked for in the first place, the script sends all the gathered information to the server.
This Cyber News was published on securityintelligence.com. Publication date: Tue, 19 Dec 2023 14:43:05 +0000