Source: securityboulevard.com – Author: Jeffrey Burt
Dozens of banks around the world are in the crosshairs of a threat group using JavaScript web injections to steal users’ bank account credentials.
The campaign, which the hackers have been preparing for since December 2022 and which emerged in March, has targeted 40 banks in North and South America, Europe, and Japan, and has tried to steal banking credentials and other data of more than 50,000 people, according to IBM’s Security Trusteer unit.
“In this new campaign, threat actors’ intention with the web injection module is likely to compromise popular banking applications and, once the malware is installed, intercept the users’ credentials in order to then access and likely monetize their banking information,” IBM security researcher Tal Langus wrote in a report this week.
There are indicators that the campaign may be linked to DanaBot, a banking trojan that’s used to steal financial information. According to analysts at cybersecurity firm Flashpoint, the third version of DanaBot rolled out in July on Exploit, a Russian-language forum.
Web injection attacks are nothing new. Also known as man-in-the-browser attacks, they involve bad actors injecting malicious code into a web page that, when viewed by a person, can steal credentials and other information.
In this case, the threat actors bought malicious domains in December 2022 and started running the campaigns soon after, according to IBM. The campaigns are still underway, Langus wrote.
A Different Take
In an unusual twist, the JavaScript malware is housed on the hackers’ server and loaded onto the victim’s browser.
“In the past, we observed malware that directly injected the code into the compromised web page,” Langus wrote. “However, in this campaign, the malicious script is an external resource hosted on the attacker’s server. It is retrieved by injecting a script tag into the head element of the page’s HTML document, with the src attribute set to the malicious domain.”
It’s unclear how the malware initially infects the victim’s device, though it could be through such avenues as phishing or malvertising.
If a victim goes to a compromised page on a bank’s website, the highly obfuscated malicious code changes the login page, enabling it to steal credentials and one-time passwords (OTPs).
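The injection technique Langus describes, a script tag with an external src added to the head element of the page, is something a site owner can check for in the HTML actually served to customers. The following is an added example, not code from IBM’s report or the article; the bank hostnames and allowlist are constructed placeholders.

```javascript
// Added example (not from the IBM report): audit the <head> of a served page for
// <script src=...> tags whose origin is not on the site's own allowlist. The campaign
// in the article injects exactly such a tag, so any mismatch is a review finding.

// Origins the site legitimately loads scripts from (constructed; adapt per site).
const ALLOWED_SCRIPT_ORIGINS = new Set([
  "https://www.example-bank.test",
  "https://static.example-bank.test",
]);

// Return the inner content of <head>...</head>, or "" if the document has none.
function extractHead(html) {
  const m = /<head\b[^>]*>([\s\S]*?)<\/head>/i.exec(html);
  return m ? m[1] : "";
}

// Collect the src attribute values of every <script> tag in an HTML fragment.
function scriptSources(fragment) {
  const out = [];
  const re = /<script\b[^>]*\bsrc\s*=\s*(["']?)([^"'\s>]+)\1[^>]*>/gi;
  let m;
  while ((m = re.exec(fragment)) !== null) out.push(m[2]);
  return out;
}

// Report head scripts served from an origin outside the allowlist.
// pageUrl is used to resolve relative and protocol-relative src values.
function findUnexpectedHeadScripts(html, pageUrl, allowed = ALLOWED_SCRIPT_ORIGINS) {
  const findings = [];
  for (const src of scriptSources(extractHead(html))) {
    let origin;
    try { origin = new URL(src, pageUrl).origin; } catch (e) { origin = "invalid"; }
    if (!allowed.has(origin)) findings.push({ src, origin });
  }
  return findings;
}

// Constructed sample page: one first-party script plus one externally hosted script
// whose hostname merely resembles a CDN, as the report describes. The body script is
// deliberately outside <head> and is not part of this check.
const SAMPLE_HTML = `<html><head><title>Login</title>
<script src="/js/app.js"></script>
<script src="https://cdn-jslib-static.test/lib.min.js"></script>
</head><body><script src="https://other.test/x.js"></script></body></html>`;

console.log(findUnexpectedHeadScripts(SAMPLE_HTML, "https://www.example-bank.test/login"));
```

Running it flags only the cdn-jslib-static.test script; in practice the same allowlist belongs in a Content-Security-Policy script-src directive so the browser refuses such a load outright.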
Evading Detection
The threat actors running the script use several techniques to evade detection. The malware is intentionally obfuscated and returned as a single line of code that includes both the encoded script string and a small decoding script.
A large string is added at both the beginning and end of the decoder code to conceal it. The encoded string is passed to a function builder inside an anonymous function, which is executed immediately and runs the malicious script.
“At first glance, the network traffic appears normal, and the domain resembles a legitimate content delivery network (CDN) for a JavaScript library,” he wrote. “In addition, the injection looks for a popular security vendor’s JavaScript agent by searching for the keyword ‘adrum’ in the current page URL. If the word exists, the injection doesn’t run.”
There is also a patching function that removes evidence of the malware.
Multiple Functions
The dynamic script continuously queries the command-and-control (C2) server and the page structure, changing its actions based on the responses.
“The script relies on receiving a specific response from the server, which determines the type of injection it should execute, if any. This type of communication greatly enhances the resilience of the web injection,” Langus wrote. “The structure is similar to a client-server architecture, where the script maintains a continuous flow of updates to the server while requesting further instructions.”
A “mlink” flag is sent by the C2 server in response to the initial request, according to IBM. The mlink flag determines the steps the malicious script takes, from prompting for OTP phone numbers or tokens, to injecting a page-loading overlay that mimics the original website’s loading animation, to displaying messages about an error on the bank’s site.
The error message indicates “that online banking services will be unavailable for a duration of 12 hours,” Langus wrote. “This tactic aims to discourage the victim from attempting to access their account, providing the threat actor with an opportunity to perform uninterrupted actions.”
The script also is persistent. The threat actor-controlled server keeps identifying the compromised device by the bot ID, so the injection will continue from its previously executed step even if the user tries to refresh or reload the page.
He warned that the “malware represents a significant danger to the security of financial institutions and their customers.”
“This sophisticated threat showcases advanced capabilities, particularly in executing man-in-the-browser attacks with its dynamic communication, web injection methods and the ability to adapt based on server instructions and current page state,” Langus wrote.
Original Post URL: https://securityboulevard.com/2023/12/web-injection-campaign-targets-40-banks-50000-users/
Category & Tags: Cloud Security,Cybersecurity,Data Security,Featured,Identity & Access,Industry Spotlight,Malware,Network Security,News,Security Boulevard (Original),Social – Facebook,Social – LinkedIn,Social – X,Spotlight,Threat Intelligence,IBM,Javascript,web injection