A global network of banks is currently under threat from a sophisticated group of hackers utilizing JavaScript web injections to pilfer users’ crucial bank account information.
According to IBM Security Trusteer, this extensive campaign, active since March and prepared since December 2022, targets 40 banks across North and South America, Europe, and Japan.
The primary objective of the attackers, as revealed by IBM security researcher Tal Langus in a recent report, is to compromise widely-used banking applications. Once the malicious software takes root, it intercepts users’ credentials, potentially paving the way for the illicit monetization of sensitive banking information.
IBM Security Trusteer has documented the attempted theft of banking credentials and other data from over 50,000 individuals as part of this ongoing campaign. Analysts from cybersecurity firm Flashpoint have identified potential links between this threat and DanaBot, a banking trojan notorious for its role in financial information theft. The third version of DanaBot was reportedly introduced in July on the Russian-language forum Exploit.
Web injection attacks, also known as man-in-the-browser attacks, are not new: malicious code is injected into a web page so that credentials and other sensitive data can be stolen from the users who visit it. In this instance, the threat actors acquired malicious domains in December 2022 and launched the campaigns shortly afterwards. IBM’s Langus noted that these campaigns are still active, underscoring the ongoing nature of the threat.
What sets this campaign apart is the unique approach employed by the hackers. The JavaScript malware responsible for the attacks is hosted on the hackers’ server and then loaded onto the victim’s browser.
Langus observed that, unlike previous malware, which directly injected code into compromised web pages, this campaign utilizes an external resource hosted on the attackers’ server. This resource is retrieved by injecting a script tag into the head element of the page’s HTML document, with the src attribute set to the malicious domain.
The method by which the malware initially infects victims’ devices remains unclear, leaving cybersecurity experts to speculate about potential avenues such as phishing or malvertising. When a victim accesses a compromised page on a bank’s website, the highly obfuscated malicious code comes into play, altering the login page and facilitating the theft of credentials and one-time passwords (OTPs).
Dodging Detection
The operators of the script employ various tactics to stay under the radar. The malware is deliberately hard to decipher: it is delivered as a single line of code containing both the encoded script string and a short decoding routine.
To camouflage the decoder, a large string is appended at both the beginning and the end. The encoded string is then handed to a function constructor nested within an anonymous function, which quickly executes the decoded malicious script.
On initial inspection the network traffic looks ordinary, resembling a legitimate content delivery network (CDN) serving a JavaScript library. Additionally, the injection checks the current page URL for a popular security vendor’s JavaScript agent, identified by the keyword ‘adrum’; if it is found, the injection does not run.
A patching function is also in place, erasing any traces of the malware.
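The two traits described above, an off-site script tag inserted into the page head and a single-line loader that feeds an encoded blob into a function constructor, are the kind of thing a bank's page-integrity monitoring can check for. The following is an added, defender-side example written for this article, not code from IBM or from the report; the sample page, loader, host names (all under the reserved .invalid TLD) and allowlist are constructed.

```javascript
// Added example (not from the IBM report). Flags <script src> tags in <head>
// that point at hosts outside an allowlist, and loader-shaped scripts that are
// one physical line, carry a long quoted blob and use a Function constructor.

// Pull every <script ... src="..."> out of the <head> element only.
function headScriptSources(html) {
  const head = /<head[^>]*>([\s\S]*?)<\/head>/i.exec(html);
  if (!head) return [];
  const srcs = [];
  const re = /<script\b[^>]*\bsrc\s*=\s*["']([^"']+)["'][^>]*>/gi;
  let m;
  while ((m = re.exec(head[1])) !== null) srcs.push(m[1]);
  return srcs;
}

// Head script URLs whose host is not on the allowlist. Relative URLs resolve
// against pageUrl and therefore count as first-party.
function foreignHeadScripts(html, pageUrl, allowedHosts) {
  const allowed = new Set(allowedHosts.map((h) => h.toLowerCase()));
  return headScriptSources(html).filter((src) => {
    let host;
    try { host = new URL(src, pageUrl).hostname.toLowerCase(); }
    catch { return true; } // an unparsable src deserves a look as well
    return !allowed.has(host);
  });
}

// Heuristic for the loader shape in the report: single line, a long quoted
// string, and a Function constructor used to turn the decoded text into code.
function looksLikeEncodedLoader(js, minBlobLength = 200) {
  const singleLine = !/\r?\n/.test(js.trim());
  const blob = new RegExp(`["'][^"']{${minBlobLength},}["']`).test(js);
  const usesFunctionCtor = /\bFunction\s*\(|\bnew\s+Function\b/.test(js);
  return singleLine && blob && usesFunctionCtor;
}

// Constructed sample page: two first-party scripts and one injected off-site tag.
const SAMPLE_HTML = `<html><head>
<script src="/static/app.js"></script>
<script src="https://static.bank-placeholder.invalid/lib.js"></script>
<script src="https://cdn.attacker-placeholder.invalid/jquery.min.js"></script>
</head><body></body></html>`;
const SAMPLE_PAGE_URL = "https://www.bank-placeholder.invalid/login";
const SAMPLE_ALLOWLIST = ["www.bank-placeholder.invalid", "static.bank-placeholder.invalid"];

// Constructed single-line loader with the described shape and a harmless body.
const SAMPLE_LOADER = `var a="${"A".repeat(300)}";(function(){return Function("return 1")})()`;
```

Running `foreignHeadScripts(SAMPLE_HTML, SAMPLE_PAGE_URL, SAMPLE_ALLOWLIST)` returns only the injected attacker-placeholder URL, and `looksLikeEncodedLoader(SAMPLE_LOADER)` returns true while ordinary multi-line code does not.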
Multifaceted Operations
The dynamic script continuously communicates with the command-and-control (C2) server and monitors the page structure, adjusting its actions according to the responses it receives.
The script’s behavior hinges on obtaining a specific response from the server, dictating the type of injection to execute, if any. This communication structure significantly boosts the resilience of the web injection. Langus likens it to a client-server architecture, where the script maintains a continuous flow of updates to the server while seeking further instructions.
IBM notes that the C2 server returns an “mlink” flag in response to the initial request. This flag dictates the actions of the malicious script, which range from soliciting OTP phone numbers or tokens, to displaying a page-loading overlay that mimics the original website’s animation, to showing messages about a supposed error on the bank’s site.
An error message, claiming online banking services will be unavailable for 12 hours, aims to dissuade victims from attempting account access. This strategic move provides the threat actor with a window to carry out uninterrupted actions.
The script exhibits persistence, with the threat actor-controlled server identifying the compromised device through the bot ID. Even if users attempt to refresh or reload the page, the injection persists from its last executed step.
Langus warns that the malware poses a substantial threat to the security of financial institutions and their customers.
“This sophisticated threat showcases advanced capabilities, particularly in executing man-in-the-browser attacks, with its dynamic communication, web injection methods, and the ability to adapt based on server instructions and current page state,” Langus emphasizes.