Threat Advisory

Malware Campaign Exploiting Banking Applications with Dynamic Web Injections

Threat: Malware
Criticality: High

Summary:

A new malware campaign is targeting the customers of financial institutions worldwide. Security researchers recently uncovered it and found that it relies on JavaScript web injections: scripts inserted into the pages of popular banking applications that evade detection and communicate dynamically with command-and-control (C2) servers. The operators' primary goal is to harvest user credentials, which can lead to unauthorized account access and the monetization of sensitive banking information.

The web injection used in this campaign is sophisticated. The malware uses JavaScript to inject malicious content into specific pages that are shared across multiple banks, and it steals credentials by manipulating the login flow, with particular attention to capturing one-time passwords (OTPs). The injection is not limited to a fixed set of banks; it can be adapted to target other financial institutions.

The code is delivered by fetching an obfuscated script from the attacker's server, which disguises itself by mimicking a legitimate content delivery network (CDN). Evasion techniques include deliberate obfuscation, dynamic adjustments to bypass security products, and function patching that removes traces of the malware from the session.

The injection follows a client-server architecture and repeatedly queries the C2 server for updates, which makes the attack resilient and lets the operators change its behavior during a session. The script adapts its flow to the server's instructions and the current page state. Its operational states include prompting the user for two-factor authentication (2FA), injecting OTP fields, simulating online-banking unavailability, and hiding malicious actions behind loading overlays. Together these techniques make the campaign particularly effective at man-in-the-browser attacks.
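As an added example (not code from the advisory or from the researchers who analyzed the campaign), the following JavaScript shows two heuristic checks a bank's front end could run against the techniques described above: flagging script sources whose host imitates the bank's CDN, and detecting native functions that have been replaced by JavaScript wrappers. The page origin, the CDN allowlist, the sample script URLs and the native-function table are constructed assumptions for the demo.

```javascript
// Added example, not from the original advisory. Heuristic client-side checks
// against two of the techniques described above:
//   1. script tags whose src points at a host that imitates the bank's CDN, and
//   2. native functions replaced by JavaScript wrappers ("function patching").
// Hostnames, sample script URLs and the native table are constructed for the demo.

// Assumed page origin and allowlist of hosts the bank legitimately loads scripts from.
const PAGE_ORIGIN = "https://www.example-bank.com";
const ALLOWED_SCRIPT_HOSTS = new Set(["cdn.example-bank.com", "static.example-bank.com"]);

// Registered-name labels of the allowed hosts ("example-bank"); a host that
// contains one of these but is not allowlisted is treated as a lookalike.
const BRAND_LABELS = [...ALLOWED_SCRIPT_HOSTS].map((h) => h.split(".").slice(-2, -1)[0]);

// Classify one script src as "allowed", "lookalike", "unknown" or "malformed".
function classifyScriptSrc(src) {
  let url;
  try {
    url = new URL(src, PAGE_ORIGIN); // relative srcs resolve to the page origin
  } catch {
    return { src, host: null, verdict: "malformed" };
  }
  const host = url.hostname.toLowerCase();
  if (host === new URL(PAGE_ORIGIN).hostname || ALLOWED_SCRIPT_HOSTS.has(host)) {
    return { src, host, verdict: "allowed" };
  }
  if (BRAND_LABELS.some((label) => host.includes(label))) {
    return { src, host, verdict: "lookalike" };
  }
  return { src, host, verdict: "unknown" };
}

// Every src that is not allowlisted. In a browser, feed this
// Array.from(document.scripts, (s) => s.src).filter(Boolean).
function auditScripts(srcs) {
  return srcs.map(classifyScriptSrc).filter((r) => r.verdict !== "allowed");
}

// A genuine native function stringifies to "function name() { [native code] }";
// a JavaScript wrapper installed by an injection does not. Limits: bound
// functions and Proxies also stringify as native, and an injection that runs
// first can patch Function.prototype.toString itself, so run this check early.
function isPatched(fn) {
  if (typeof fn !== "function") return true;
  return !/\{\s*\[native code\]\s*\}/.test(Function.prototype.toString.call(fn));
}

// Names of the entries in a {name: function} table that no longer look native.
function auditNatives(table) {
  return Object.keys(table).filter((name) => isPatched(table[name]));
}

// Constructed sample: script sources a login page might see after injection.
const SAMPLE_SCRIPT_SRCS = [
  "/js/login.js",
  "https://cdn.example-bank.com/app.min.js",
  "https://cdn.example-bank.com.evil-cdn.net/jquery.min.js", // CDN lookalike
  "https://cdn.jsdelivr.net/npm/lodash/lodash.min.js",
];

// Reference table of natives an injection might hook. In a browser this would
// also cover Element.prototype.removeChild, XMLHttpRequest.prototype.send, etc.
const NATIVES = {
  "JSON.parse": JSON.parse,
  "Array.prototype.splice": Array.prototype.splice,
  "Function.prototype.toString": Function.prototype.toString,
};

// Simulated patch: a wrapper that forwards to the original but could filter or log.
const PATCHED_NATIVES = {
  ...NATIVES,
  "Array.prototype.splice": function splice(...args) {
    return NATIVES["Array.prototype.splice"].apply(this, args);
  },
};

console.log(auditScripts(SAMPLE_SCRIPT_SRCS));
console.log(auditNatives(NATIVES), auditNatives(PATCHED_NATIVES));
```

The block runs as-is under Node; in a browser the same functions should be loaded before any third-party script so that the native table is captured before an injection can patch it. Both checks are heuristics that a well-resourced injection can evade; a stronger control against the lookalike-CDN delivery is a strict Content-Security-Policy `script-src` allowlist combined with Subresource Integrity, which stops the fetched script before it executes rather than detecting it afterwards.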

This campaign poses a significant threat to financial institutions and their customers, and demonstrates advanced man-in-the-browser capabilities. Its dynamic C2 communication, sophisticated web-injection methods, and server-driven adaptability make it a formidable adversary. Users should be vigilant when using banking applications, report suspicious activity such as unexpected OTP prompts or "service unavailable" messages during login, avoid downloading software from unknown sources, and follow best practices for password and email security. Organizations must implement robust security controls, including controls on which scripts their banking pages are allowed to load, and stay informed about emerging malware to counter these evolving threats.

Threat Profile:

References:

The following reports contain further technical details:

https://www.theregister.com/2023/12/20/credentialstealing_malware_infects_50k_banking/
