A new JavaScript malware has been seen trying to steal users’ online banking account credentials as part of a campaign targeting more than 40 financial institutions around the world.
This active cluster uses JavaScript web injection and is estimated to have resulted in at least 50,000 compromised user sessions across North and South America, Europe and Japan.
IBM Security Trusteer said it discovered the activity in March 2023.
Security researcher Tal Langus said: “Threat actors using network injection modules are likely to compromise popular banking applications. Once the malware is installed, it will intercept the user’s credentials in order to access their banking information and potentially monetize it.”
The attack chain is characterized by the use of a script loaded from a server controlled by the threat actor (“jscdnpack[.]com”), targeting a common page structure across multiple banks. It is suspected that the malware was delivered to the target through other means, such as via phishing emails or malicious ads.
When victims visit the bank’s website, the login page is altered to include malicious JavaScript that can obtain credentials and one-time passwords (OTPs). The script was obfuscated to hide its true intent.
“This web injection does not target banks with different login pages, but it does send data about the compromised machine to the server and can be easily modified to target other banks,” Langus said.
“The script’s behavior is highly dynamic, constantly querying the command and control (C2) server and the current page structure, and adjusting its processes based on the information obtained.”
The server’s response determines its next steps, allowing it to clear traces of the injection, bypass security by inserting fraudulent user interface elements to capture OTPs, and display an error message stating that online banking services will be unavailable to the user for a period of 12 hours.
IBM says this is to prevent victims from logging into their accounts, providing a window of opportunity for threat actors to seize control of the account and perform unauthorized actions.
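One defensive check that follows from the behavior described above (a script loaded into the bank’s login page from an attacker-controlled host, then more elements injected at runtime) is to audit the page’s script sources against an allowlist of first-party hosts and a blocklist of known-bad hosts. This is an added example, not IBM Trusteer’s or any bank’s code; the first-party hosts under `bank.example` are assumptions, and the only blocklist entry is the domain named in the article.

```javascript
// Added example: audit <script> sources against first-party allowlist and known-bad blocklist.
// "bank.example" and "static.bank.example" are assumed first-party hosts, not real ones.
const ALLOWED_HOSTS = ["bank.example", "static.bank.example"];

// Convert defanged indicator notation ("jscdnpack[.]com", "hxxps://") into a plain hostname.
function refang(indicator) {
  return indicator.replace(/\[\.\]/g, ".").replace(/^hxxps?:\/\//i, "").toLowerCase();
}

// The attacker-controlled host named in the article, stored defanged and refanged on load.
const BLOCKED_HOSTS = ["jscdnpack[.]com"].map(refang);

// True if host equals an entry or is a subdomain of it (so "evil.jscdnpack.com" still matches).
function hostMatches(host, entries) {
  return entries.some((e) => host === e || host.endsWith("." + e));
}

// Classify one script src relative to the page origin: "inline", "allowed", "blocked" or "unexpected".
function classifyScript(src, pageOrigin) {
  if (!src) return "inline";
  let url;
  try {
    url = new URL(src, pageOrigin); // resolves relative and protocol-relative URLs against the page
  } catch {
    return "unexpected"; // unparsable src is treated as suspicious
  }
  const host = url.hostname.toLowerCase();
  if (hostMatches(host, BLOCKED_HOSTS)) return "blocked";
  if (hostMatches(host, ALLOWED_HOSTS)) return "allowed";
  return "unexpected";
}

// Audit a list of script srcs and return the findings a monitoring hook would report.
function auditScripts(srcs, pageOrigin) {
  const findings = { blocked: [], unexpected: [], inline: 0 };
  for (const src of srcs) {
    const verdict = classifyScript(src, pageOrigin);
    if (verdict === "inline") findings.inline += 1;
    else if (verdict !== "allowed") findings[verdict].push(src);
  }
  return findings;
}

// In a browser, also watch for script tags injected after load; in Node this branch is skipped.
if (typeof document !== "undefined" && typeof MutationObserver !== "undefined") {
  new MutationObserver((muts) => {
    for (const m of muts) for (const n of m.addedNodes) {
      if (n.tagName === "SCRIPT") console.warn("script added:", classifyScript(n.src, location.origin), n.src);
    }
  }).observe(document.documentElement, { childList: true, subtree: true });
}
```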
While the exact origin of the malware is unclear, indicators of compromise (IoCs) suggest it may be related to a known stealer and loader family called DanaBot, which has been distributed via malicious ads on Google Search and serves as an initial access vector for ransomware.
“This sophisticated threat demonstrates advanced capabilities, specifically to perform man-in-the-browser attacks through dynamic communications, network injection methods, and the ability to adapt based on server commands and the current page state,” Langus said.
Meanwhile, Sophos disclosed a pig-butchering scheme that lured potential targets into investing in bogus liquidity mining services, as well as a series of wider scams that, as of November this year, had netted the perpetrators nearly $2.9 million in cryptocurrency from 15 of 90 victims.
“They appear to be run by three different threat actors using the same fraudulent decentralized finance (‘DeFi’) application website, suggesting they are part of or affiliated with a single [Chinese] organized crime gang,” said security researcher Sean Gallagher.
Investment fraud and business email compromise (BEC) scams remain the most prolific online fraud schemes, according to data shared by Europol in its Internet Organized Crime Threat Assessment (IOCTA) earlier this week.
“A concerning threat surrounding investment fraud is its use in conjunction with other fraud schemes targeting the same victims,” the agency said.
“Investment scams are sometimes related to romance scams: criminals slowly build a relationship of trust with their victims and then convince them to invest their savings in fraudulent cryptocurrency trading platforms, resulting in huge financial losses.”
Relatedly, the cybersecurity company Group-IB stated that since November 2023 it has identified 1,539 phishing websites impersonating postal operators and express delivery companies. The websites are suspected to be the work of a single scam operation.
In these attacks, users receive text messages imitating well-known postal services and are prompted to visit a fake website to enter personal and payment details, citing urgency or delivery failure.
The operation is also notable for employing various evasion methods to stay under the radar. These include restricting access to the scam websites based on geolocation, ensuring they only load on specific devices and operating systems, and keeping each site online only briefly.
“The campaign affected postal brands in 53 countries,” Group-IB said. “The majority of detected phishing pages targeted Germany (17.5%), Poland (13.7%), Spain (12.5%), the United Kingdom (4.2%), Turkey (3.4%) and Singapore (3.1%).”