Web injections have long been a potent tool for cybercriminals, especially in the banking sector. Recently, a significant resurgence in these attacks has been observed, with a new malware campaign impacting over 40 banks across various continents. This blog post delves into the intricacies of this campaign, examining its methods, impacts, and the urgent need for vigilance in digital banking security.
A Sophisticated Campaign Unveiled
In March 2023, IBM Security Trusteer researchers uncovered a widespread campaign using JavaScript web injections, potentially linked to the notorious DanaBot malware. Over 50,000 infected user sessions were identified, highlighting the scale of this threat.
The Malware's Modus Operandi
The attackers' objective is to compromise banking applications, intercept user credentials, and monetize this information. The malware targets a specific page structure common across multiple banks, injecting malicious content when certain conditions are met, such as a specific keyword and login button ID. The injection mechanism involves adding event listeners to steal credentials and one-time password (OTP) tokens.
Code Delivery Techniques
Unlike previous attacks where malware directly injected code into web pages, this campaign uses an external script hosted on the attacker's server, retrieved by injecting a script tag into the HTML document of the targeted page. Data exfiltration begins immediately upon script retrieval, suggesting the infection occurs at the operating system level before browser session injection.
Evasion Tactics
The malware employs sophisticated evasion techniques, including obfuscation of the retrieved script and function patching to remove traces of malware from the browser session. It also avoids execution if certain security products are detected.
Dynamic Web Injection and Script Flow
The malware script exhibits dynamic behavior, continuously communicating with the command and control server and adjusting actions based on the server's instructions and the current page state. The script flow involves various stages, from initial configuration to executing specific actions like credential theft, token collection, and manipulation of the user interface.
Potential Operational States
The malware can adopt various operational states, determined by the "mlink" flag value received from the server. These states range from prompting users for additional authentication details to injecting error messages and overlays to disrupt user interaction.
Urging Vigilance
The widespread impact of this malware campaign underscores the advanced capabilities of modern cyber threats. Financial institutions and their customers face significant risks, necessitating heightened vigilance. Safe practices include monitoring accounts for suspicious activities, avoiding downloads from unknown sources, and adhering to best practices in password and email security.
Conclusion
As criminals leverage sophisticated techniques, the need for robust security measures and continuous vigilance becomes ever more critical. By staying informed and proactive, both individuals and organizations can better safeguard against these emerging dangers. The resurgence of web injection attacks in the banking sector highlights the evolving nature of cyber threats.
