New Web injections campaign steals banking data from 50,000 people

A new malware campaign that emerged in March 2023 used JavaScript web injections to try to steal the banking data of over 50,000 users of 40 banks in North America, South America, Europe, and Japan.

IBM's security team discovered this evasive threat and reported that the campaign has been under preparation since at least December 2022, when the malicious domains were purchased.

The attacks unfolded via scripts loaded from the attacker's server, targeting a specific page structure common across many banks to intercept user credentials and one-time passwords (OTPs).

By capturing the above information, the attackers can log in to the victim's banking account, lock them out by changing security settings, and perform unauthorized transactions.

A stealthy attack chain

The attack begins with the initial malware infection of the victim's device. IBM's report doesn't delve into the specifics of this stage, but it could be via malvertizing, phishing, etc.

Once the victim visits the attackers' compromised or malicious sites, the malware injects a new script tag with a source ('src') attribute pointing to an externally hosted script.

The malicious obfuscated script is loaded on the victim's browser to modify webpage content, capture login credentials, and intercept one-time passcodes (OTP).

IBM says this extra step is unusual, as most malware performs web injections directly on the web page.

This new approach makes the attacks more stealthy, as static analysis checks are unlikely to flag the simpler loader script as malicious while still permitting dynamic content delivery, allowing attackers to switch to new second-stage payloads if needed.

It's also worth noting that the malicious script resembles legitimate JavaScript content delivery networks (CDN), using domains like cdnjs[.]com and unpkg[.]com, to evade detection. Furthermore, the script performs checks for specific security products before execution.

The script is dynamic, constantly adjusting its behavior to the command and control server's instructions, sending updates, and receiving specific responses that guide its activity on the breached device.

It has multiple operational states determined by a "mlink" flag set by the server, including injecting prompts for phone numbers or OTP tokens, displaying error messages, or simulating page loading, all part of its data-stealing strategy.

IBM says nine "mlink" variable values can be combined to order the script to perform specific, distinct data exfiltration actions, so a diverse set of commands is supported.

The researchers have found loose connections between this new campaign and DanaBot, a modular banking trojan that has been circulated in the wild since 2018 and was recently seen spreading via Google Search malvertising promoting fake Cisco Webex installers.

According to IBM, the campaign is still underway, so heightened vigilance is advised when using online banking portals and apps.