In a widespread campaign detected by IBM Security Trusteer, sophisticated JavaScript malware has been identified attempting to steal online banking credentials from over 40 financial institutions globally. This targeted activity, which relies on JavaScript web injections, has resulted in at least 50,000 infected user sessions across North America, South America, Europe, and Japan.
The campaign, first discovered in March 2023, utilizes web injection modules with the aim of compromising popular banking applications. Security researcher Tal Langus noted that the threat actors’ likely intention is to intercept users’ credentials, subsequently gaining unauthorized access to and monetizing their banking information.
The attack chains involve the delivery of scripts from a threat actor-controlled server (“jscdnpack[.]com”), specifically targeting the common page structure of multiple banks. The malware, suspected to be delivered through phishing emails or malvertising, alters the login pages of targeted bank websites using obfuscated JavaScript to harvest credentials and one-time passwords (OTPs).
The malware’s behavior is dynamic, continuously querying the command-and-control (C2) server and adjusting its flow based on the obtained information. It sends data about the infected machine to the server, raising concerns about potential adaptations to target other banks in the future.
The server’s response determines the malware’s actions, allowing it to erase injection traces, insert fraudulent user interface elements for accepting OTPs, and display error messages claiming online banking services will be unavailable for 12 hours. This tactic aims to dissuade victims from logging in, providing threat actors with a window of opportunity to seize control of accounts and perform unauthorized actions.
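As an added example (not code from the IBM report, from Trusteer, or from the malware itself), here is a client-side page-integrity monitor a bank could ship on its login page to surface the web-inject symptoms described above: a script pulled from a domain outside the first-party allowlist, an input field the legitimate login form never had (the injected OTP prompt), and the fake outage notice. The first-party origin, form id, field names and report callback are assumptions.

```javascript
// Added example (not code from the IBM Trusteer report or the malware): a client-side
// page-integrity monitor a bank might ship on its login page to surface the web-inject
// symptoms described above. Allowed origin, form id and field names are assumptions.
const ALLOWED_SCRIPT_ORIGINS = new Set(['https://bank.example']); // assumed first-party origin
const LOGIN_FORM_ID = 'login-form';                                 // assumed login form id
const EXPECTED_LOGIN_FIELDS = new Set(['username', 'password']);    // assumed legitimate inputs

// Classify a <script> by where it loads from; inline scripts have no src.
function classifyScript(src) {
  if (!src) return 'inline';
  let origin;
  try { origin = new URL(src, 'https://bank.example/').origin; } catch (e) { return 'malformed'; }
  return ALLOWED_SCRIPT_ORIGINS.has(origin) ? 'allowed' : 'foreign';
}

// Audit one snapshot of the page: script sources, the login form's input names and the
// visible text. Each finding maps to a symptom from the report: a loader pulled from an
// attacker domain, an injected OTP prompt, or the fake "unavailable for 12 hours" notice.
function auditSnapshot(scriptSrcs, loginFieldNames, bodyText) {
  const findings = [];
  for (const src of scriptSrcs) {
    const cls = classifyScript(src);
    if (cls === 'foreign' || cls === 'malformed') findings.push({ type: 'foreign-script', src });
  }
  for (const name of loginFieldNames) {
    if (!EXPECTED_LOGIN_FIELDS.has(name)) findings.push({ type: 'unexpected-login-field', name });
  }
  if (/unavailable for \d+ hours?/i.test(bodyText)) findings.push({ type: 'fake-outage-notice' });
  return findings;
}

// Browser entry point: snapshot the live DOM now and again on every mutation, so an OTP
// prompt inserted only after the C2 reply is still caught. Returns null outside a browser.
function installMonitor(report) {
  if (typeof document === 'undefined' || typeof MutationObserver === 'undefined') return null;
  const snapshot = () => {
    const srcs = Array.from(document.scripts).map((s) => s.getAttribute('src'));
    const form = document.getElementById(LOGIN_FORM_ID);
    const names = form ? Array.from(form.querySelectorAll('input')).map((i) => i.name) : [];
    const text = document.body ? document.body.innerText : '';
    const findings = auditSnapshot(srcs, names, text);
    if (findings.length) report(findings); // send to a server-side endpoint for correlation
  };
  const observer = new MutationObserver(snapshot);
  observer.observe(document.documentElement, { childList: true, subtree: true });
  snapshot();
  return observer;
}
```

Malware running inside the browser can disable or spoof a client-side check like this, so its reports are one signal for server-side correlation (for example, an OTP submitted on a session that never rendered the bank's own OTP step), not a control in themselves.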
While the exact origin of the malware is unknown, indicators of compromise (IoCs) suggest a possible connection to the DanaBot stealer and loader family. DanaBot is known for its use in spreading via malicious ads on Google Search and serving as an initial access vector for ransomware.
IBM emphasized the advanced capabilities of this malware, particularly its execution of man-in-the-browser attacks, dynamic communication, web injection methods, and adaptability based on server instructions and page state.
In related cybersecurity developments, Sophos uncovered a pig butchering scheme involving fraudulent decentralized finance (‘DeFi’) app sites, leading to cryptocurrency losses totaling nearly $2.9 million from 90 victims. Europol’s Internet Organized Crime Threat Assessment (IOCTA) highlighted investment fraud and business email compromise (BEC) fraud as prolific online schemes. Additionally, Group-IB identified 1,539 phishing websites impersonating postal operators, targeting users in 53 countries, and employing various evasion methods to enhance the effectiveness of their scam campaign.