IBM’s security team has identified a sophisticated malware campaign that commenced in March 2023, utilizing JavaScript web injections to target over 50,000 users across 40 banks in North America, South America, Europe, and Japan. The campaign, which has been in preparation since at least December 2022, operates by injecting malicious scripts from external servers, employing a stealthy strategy to evade detection. This approach includes loading scripts with externally hosted sources, making static analysis checks less likely to flag the loader script as malicious. The attackers, utilizing domains resembling legitimate JavaScript content delivery networks, can modify webpage content, intercept user credentials, and capture one-time passcodes (OTPs).
The malware campaign exhibits a unique and dynamic operational approach, constantly adjusting its behavior based on instructions from the command and control server. The script, with multiple operational states determined by a “mlink” flag, can execute specific data exfiltration actions, including prompting for phone numbers or OTP tokens, displaying error messages, or simulating page loading. IBM has identified loose connections between this campaign and DanaBot, a modular banking trojan circulating since 2018, further emphasizing the sophistication of the ongoing threat. The campaign’s association with DanaBot, known for spreading through malvertising, adds another layer of complexity, requiring heightened vigilance from users engaging in online banking activities.
As the campaign is still active, IBM recommends increased awareness and caution when using online banking portals and applications. The evolving nature of the threat, combined with its dynamic and stealthy tactics, underscores the importance of ongoing monitoring and cybersecurity measures to protect against potential data breaches and unauthorized transactions.
