New Web Injections Campaign Steals Banking Data
Unveiling a Sinister Agenda
In March 2023, IBM's security researchers identified a new web injection campaign that uses JavaScript to target over 50,000 users across 40 banks in North America, South America, Europe, and Japan. Preparation for the campaign dates back to December 2022, when the attackers began registering the malicious domains they would later use to serve their scripts.
Strategic Exploitation of Common Page Structures
Rather than writing a custom injection for each bank, the attackers built a single script generic enough to work against a page structure that many banking sites share. The script intercepts user credentials and one-time passwords (OTPs) as they are entered, giving the attackers what they need to log in as the victim. Once inside, they can change the account's security settings to lock the legitimate user out and then carry out fraudulent transactions.
Stealthy Attack Chain Unveiled
The attack chain starts with infecting the victim's device; IBM's report does not detail how that initial infection happens. Once the device is compromised, the malware waits for the victim to open their bank's website. When they do, it injects a script into the legitimate page as it loads, modifying the page content so that the login details and OTPs the user types are captured and sent to the attackers. The bank's site itself is not compromised; the tampering happens inside the victim's browser.
Innovative Approach: External Loader Script
What sets this campaign apart is how the injection is staged. Instead of writing the full malicious code into the page, the malware injects only a small loader script whose source points to an attacker-controlled server; the actual data-stealing payload (the second stage) is fetched from that server at runtime. Because the injected content is just a loader, static analysis of the modified page reveals little, and the attackers can swap in a new second-stage payload on the server without touching the loader at all. The domains hosting the second stage are named to resemble legitimate JavaScript content delivery networks (CDNs) such as cdnjs[.]com and unpkg[.]com, so a script reference to them looks routine at a glance. Before doing anything, the script also checks for the presence of specific security products and proceeds only when they are absent.
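Since the loader's only footprint in the page is a script element with an external source, one defensive check is to audit every script source the bank's page loads against an explicit allowlist and flag hosts that merely contain a CDN brand name. The following is an added example and not code from IBM's report or from the campaign itself; the allowlist, the `.example` hosts and the sample script sources are all constructed for illustration, and the brand list is an assumption about which CDN names an attacker would imitate.

```javascript
// Added example: classify the script sources a page loads and flag
// CDN lookalike hosts. Not from IBM's report or the campaign's code.

// Hosts this (hypothetical) bank legitimately loads scripts from.
const ALLOWED_SCRIPT_HOSTS = new Set([
  "cdnjs.cloudflare.com",
  "unpkg.com",
  "www.examplebank.test",
]);

// Brand strings of real CDNs; a host containing one of these that is
// NOT on the allowlist is treated as a lookalike (assumed brand list).
const CDN_BRANDS = ["cdnjs", "unpkg", "jsdelivr"];

// Classify one script src relative to the page origin.
function classifyScriptSrc(src, pageOrigin) {
  let url;
  try {
    url = new URL(src, pageOrigin); // resolves relative paths too
  } catch {
    return { src, verdict: "malformed" };
  }
  const host = url.hostname.toLowerCase();
  if (url.origin === pageOrigin) return { src, host, verdict: "same-origin" };
  if (ALLOWED_SCRIPT_HOSTS.has(host)) return { src, host, verdict: "allowed" };
  const brand = CDN_BRANDS.find((b) => host.includes(b));
  if (brand) return { src, host, verdict: "lookalike", brand };
  return { src, host, verdict: "unknown" };
}

// Audit a list of script sources (e.g. collected from the DOM or from
// a proxy log) and return every finding.
function auditScriptSrcs(srcs, pageOrigin) {
  return srcs.map((s) => classifyScriptSrc(s, pageOrigin));
}

// Build the script-src directive that would let the browser itself
// refuse anything outside the allowlist.
function buildScriptSrcCsp(pageOrigin) {
  const pageHost = new URL(pageOrigin).hostname;
  const hosts = [...ALLOWED_SCRIPT_HOSTS]
    .filter((h) => h !== pageHost)
    .map((h) => `https://${h}`);
  return ["script-src 'self'", ...hosts].join(" ");
}

// Constructed sample: what a tampered login page might reference.
const PAGE_ORIGIN = "https://www.examplebank.test";
const SAMPLE_SCRIPT_SRCS = [
  "/static/app.js",
  "https://cdnjs.cloudflare.com/ajax/libs/jquery/3.7.1/jquery.min.js",
  "https://unpkg.com/react@18/umd/react.production.min.js",
  "https://cdnjs-static.example/loader.js", // lookalike (constructed)
  "https://unpkg.example/cdn.js",           // lookalike (constructed)
  "https://tracker.example/t.js",           // not a CDN name, still unknown
];

// Optional browser hook: watch for script elements added after load,
// which is when a man-in-the-browser injection would appear.
if (typeof document !== "undefined" && typeof MutationObserver !== "undefined") {
  new MutationObserver((mutations) => {
    for (const m of mutations) {
      for (const node of m.addedNodes) {
        if (node.tagName === "SCRIPT" && node.src) {
          const f = classifyScriptSrc(node.src, location.origin);
          if (f.verdict !== "allowed" && f.verdict !== "same-origin") {
            console.warn("unexpected script source", f);
          }
        }
      }
    }
  }).observe(document.documentElement, { childList: true, subtree: true });
}

if (typeof module !== "undefined") {
  module.exports = { classifyScriptSrc, auditScriptSrcs, buildScriptSrcCsp, SAMPLE_SCRIPT_SRCS, PAGE_ORIGIN };
}
```

Running `auditScriptSrcs(SAMPLE_SCRIPT_SRCS, PAGE_ORIGIN)` flags the two lookalike hosts and leaves the two real CDN URLs alone. One caveat: malware that sits inside the victim's browser can alter or remove page scripts and headers, so a client-side observer like this is telemetry rather than a control; the Content Security Policy from `buildScriptSrcCsp` and server-side review of CSP violation reports are the parts that do not depend on the compromised endpoint behaving.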
Dynamic Adaptability and Multifaceted Tactics
The second-stage script is not static either: it takes its instructions from the command-and-control server and switches between operational states according to a "mlink" flag. Depending on the state, it can prompt the victim for a phone number or an OTP token, display a fake error message, or show a page-loading animation to buy time while the stolen data is used. Each of these behaviours serves the same goal of extracting whatever the attackers still need to complete the takeover.
Uncovering Connections: DanaBot's Link to the Campaign
Researchers also found connections between this campaign and DanaBot, a modular banking trojan that has been active since 2018. DanaBot was recently observed being distributed through Google Search malvertising that led victims to fake Cisco Webex installers.
Call to Vigilance: Safeguarding Online Banking
The campaign remains active, so users of online banking portals and apps should be alert to anything unusual in the login flow: an unexpected request for a phone number, a prompt for an OTP that was not triggered by a transaction, an error message that appears without explanation, or a page that keeps loading. Any of these can be a sign that a script is tampering with the page rather than a genuine problem on the bank's side. Cybersecurity is everyone's responsibility, whether you are a technical expert or a non-technical user. Stay tuned for more updates on staying safe in the digital world.