Web injection campaign endangers thousands of bank clients

January 2, 2024
Tags: Web Injection, Malicious Scripts, Malware, Bank Clients, Online Banking, eCommerce

A malware operation that emerged earlier this year has leveraged a sophisticated web injection campaign that has stolen banking data from over 50,000 individuals across 40 prominent banks in North America, South America, Europe, and Japan.

The cybercriminals behind this campaign have shown a high level of preparation, beginning at least as early as December 2022, when they first purchased malicious domains.

Based on reports, the campaign relies on JavaScript web injections to compromise users’ banking information. The attackers target a specific page structure that many banks share, using scripts loaded from their own servers to intercept user credentials and one-time passwords (OTPs).

The consequences for an affected user can be severe: the attackers could gain unauthorised access to the victim’s banking account, alter its security settings, and conduct unauthorised transactions.


The primary vector for the web injection campaign is still a mystery.


According to investigations, the web injection campaign begins with the initial infection of the victim’s device through undisclosed means. Possible infection vectors include malvertising and phishing.

Once users unknowingly visit the attackers’ compromised or malicious websites, the malware injects a new script tag that references an externally hosted script. The attacker can then load this obfuscated script into the victim’s browser, where it discreetly modifies webpage content to capture login credentials and intercept OTPs.

Loading the malicious script separately also makes the malware more elusive and harder to detect through standard analysis checks. The script disguises itself by impersonating legitimate JavaScript content delivery networks, using domains such as cdnjs[.]com and unpkg[.]com.
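As an added defender-side example (not code from the original report), the check below parses a page for script tags and flags any that load from a host outside an expected allowlist, calling out hosts that carry a CDN brand name without being the genuine CDN. The allowlist, the `.example` lookalike hosts and the sample login page are all constructed assumptions standing in for the domains the report names.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed allowlist of hosts the bank's login page is expected to load scripts from.
ALLOWED_SCRIPT_HOSTS = {"login.example-bank.test", "cdnjs.cloudflare.com", "unpkg.com"}
# Brand names of the CDNs the campaign impersonates; a foreign host carrying one is a lookalike.
CDN_BRANDS = ("cdnjs", "unpkg")


class ScriptSrcCollector(HTMLParser):
    """Collects the src attribute of every <script> tag in the document."""

    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            for name, value in attrs:
                if name.lower() == "src" and value:
                    self.sources.append(value)


def find_unexpected_scripts(html, allowed_hosts=ALLOWED_SCRIPT_HOSTS):
    """Return (src, host, reason) for every script loaded from a host outside the allowlist.
    Relative URLs have no host, are first-party, and are therefore not flagged."""
    parser = ScriptSrcCollector()
    parser.feed(html)
    flagged = []
    for src in parser.sources:
        host = urlparse(src).hostname  # None for relative URLs such as /static/login.js
        if host is None or host in allowed_hosts:
            continue
        lookalike = any(brand in host for brand in CDN_BRANDS)
        reason = "impersonates a CDN name" if lookalike else "host not in allowlist"
        flagged.append((src, host, reason))
    return flagged


# Constructed login page: a first-party script, a genuine cdnjs.cloudflare.com script, and
# two injected tags whose hosts are placeholders for the lookalike domains the report names.
SAMPLE_LOGIN_PAGE = """<html><head>
<script src="/static/login.js"></script>
<script src="https://cdnjs.cloudflare.com/ajax/libs/jquery/3.7.1/jquery.min.js"></script>
<script src="https://cdnjs-libs.example/jquery-ui.min.js"></script>
<script src="//unpkg-cdn.example/otp-helper.js"></script>
</head><body><form id="login"></form></body></html>"""

if __name__ == "__main__":
    for src, host, reason in find_unexpected_scripts(SAMPLE_LOGIN_PAGE):
        print(f"{reason}: {host} ({src})")
```

The same allowlist is what a Content-Security-Policy `script-src` directive would enforce in the browser; this check is useful for auditing captured page content after the fact.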

Furthermore, the campaign adds another layer of sophistication to its evasion tactics by scrutinising the device for specific security products before execution.

The dynamic nature of the script is a critical feature of the attack, since it constantly adapts to instructions from its operators’ C2 server. The script has multiple operational states that give the campaign a diverse range of data exfiltration actions, from prompting for phone numbers or OTP tokens to displaying error messages or simulating page loading.

Separate research has also identified loose connections between this campaign and DanaBot, a prevalent modular banking trojan circulating since 2018. The campaign is still active, so users, especially those accessing online banking portals and apps, should remain vigilant.

Bank clients should stay informed about the latest threats and implement robust cybersecurity measures to safeguard personal and financial information from sophisticated attacks.
