A new malware campaign currently active in the wild has so far captured sensitive banking data of more than 50,000 users at 40 banks around the world, experts warn.
Cybersecurity researchers at IBM say the campaign uses unusual tactics that make it more stealthy than others, loading malicious scripts from their servers into the page structure commonly found on many banks' websites. This allows them to obtain user login details and one-time passwords (OTP).
After obtaining the login credentials, the attackers proceed to siphon the funds and lock out the legitimate users from their accounts.
Active campaign
As IBM researchers explained, it all starts with a malware infection on the victim's endpoint. When the victim then visits a malicious site, the malware injects a new script tag which is then loaded into the browser and changes the content of the website. This allows the attackers to obtain the passwords and intercept multi-factor authentication codes and one-time passwords.
Typically, the researchers further explained, hackers will have the malware perform web injections directly on the web page. However, this method is more stealthy because static analysis checks do not flag the simpler loader script, allowing for dynamic content delivery. Additionally, the script resembles legitimate JavaScript Content Delivery Networks (CDN), making the campaign even more stealthy.
The operators can also change the behavior of the script by sending updates and instructions via a C2 server. It can inject phone number prompts, OTP tokens, throw error messages, or pretend to 'load' pages.
While IBM has not been able to determine exactly who is behind this campaign, it says it is “loosely” similar to DanaBot, a modular banking trojan first spotted in 2018 and recently spread via malicious Google search results.
IBM warns that the campaign is still active and advises caution when using online banking sites and apps.
Through BleepingComputer