What Security Researcher Says About the Recent Web Injection Attacks on the Financial Institutions?

Tal Langus, a security researcher from IBM Security Trusteer, has published an extensive analysis on the recent outbreak of JavaScript-based web injection attacks targeting financial institutions worldwide. This dangerous new malware campaign came into prominence in early 2023, infecting thousands of banking customers across various regions.

As per Langus’ research, the sophisticated JavaScript injection malware leverages malicious scripts injected into the browser to intercept user credentials and bypass two-factor authentication on online banking sites. Through dynamically generated web injections, the banking trojan is able to stealthily replicate and manipulate legitimate processes to facilitate cyber theft.

The campaign exhibits signs of sophistication associated with the infamous DanaBot, although definitive attribution remains unclear. It has affected over 40 banking applications and led to the compromise of 50,000 user sessions since December 2022 – showcasing an unprecedented scale of threat activity.

This post examines Langus’ revelations around the technology, targets, infrastructure, and methodology powering this rapidly evolving web injection attack against financial institutions. It analyses the malware’s modes of operation, integration of evasive techniques, dynamic server-side driven behavior, multi-stage infection routine and implications for security teams.

Understanding the mechanics of such cybersecurity threats is vital for banks to protect their data assets, brand reputation and customers. As attackers continue to innovate their tradecraft, adopting an intelligence-led security posture and resilient defense systems remains imperative.

Technical Details About this JavaScript Injection Malware Campaign

Langus’ research offers illuminating insights into the attack chain and intricacies of this parasitic banking trojan.

Code Delivery

The malicious code is not directly injected into the compromised web pages. Instead, a <script> tag is injected into the HTML <head> element, fetching the script from the attacker’s server. The initial request sends exfiltrated data like bot ID and flags as query parameters. The bot ID matches the infected computer’s name, indicating prior malware infection at the OS level.

The returned script is obfuscated into a single line with a decoder function. Two long strings are added before and after to conceal the code. At first glance, network traffic appears normal, with domains resembling legitimate CDNs.

Evasion Techniques

The script checks if a major security vendor’s agent is present by searching for the keyword “adrum” in the URL. If found, it exits without executing.

Sample code to support the malware has Evasion Technique mechanism (Image Source: Security Intelligence )

Function patching changes built-in functions used to gather DOM and environment info. This removes evidence of the malware’s presence, helping evade detection.

Dynamic Nature

The script has a client-server architecture, continuously querying the C2 and updating state flags. It relies on specific server responses to determine its injection actions, if any. This allows waiting for elements to load, retrying steps like overlay injection, or redirecting with a temporary error.

Even on page reloads, the server identifies the bot ID to continue where it left off. The injection is ineffective if the C2 server goes offline.

Operations

The script is executed in an anonymous function that creates an object holding configurations, flags, C2 details, etc. After initial requests and removing itself from the DOM, actions happen asynchronously in event handlers.

It checks for the targeted bank’s login button, updating the state on the C2. Then on an interval, it assigns a listener to steal credentials and handle them based on the flags. It can stop if expected elements don’t exist or exfiltrate the data gathered so far.

Based on the mlink flag from the C2, different operations are possible:

Combining the mlink values and other flags allows diverse actions and data exchange between the script and C2 server.

This malware demonstrates sophisticated capabilities for man-in-the-browser attacks, adaptively injecting content and deceiving users based on dynamic C2 communication. Financial institutions and users should remain vigilant through security best practices to counter these threats. Don’t skip to check the original publish for complete deta

How Does This Injection Malware Campaigns Works?

This invasive malware campaign operates through a systematic attack flow to steal online banking credentials. The operation commences by compromising the victim’s machine, followed by strategic content injection driven by continuous command-and-control communication. By adaptively deceiving users, injecting fake prompts, and misusing accessed credentials, this malware successfully bypasses security barriers to enable financial fraud. Here you see how this injection malware campaign works in a step-by-step process:

It is an adaptive, resilient attack flow driven by dynamic server-side communication to deceive users and bypass security mechanisms like 2FA. Continuous data exfiltration allows misuse of the stolen account credentials.

Bottom Line

The malware exhibits sophisticated evasion techniques and threat capabilities. As cybersecurity threats continue to evolve, organizations must vigilantly monitor emerging tactics and educate users on risks.  Implementing robust security layers, prompt incident response and fostering security awareness are key to defending institutions and customers from the growing menace of attacks like these JavaScript injection malware campaigns targeting the digital finance sector.

We hope this post helps you know about the new Web Injection Attacks on the Financial Institutions. Please share this post and help secure the digital world.Visit our website thesecmaster.com, and our social media page on Facebook, LinkedIn, Twitter, Telegram, Tumblr, Medium, and Instagram and subscribe to receive updates like this.