The malware campaign exhibits a unique and dynamic operational approach, constantly adjusting its behavior based on instructions from the command and control server. The script, with multiple operational states determined by a “mlink” flag, can execute specific data exfiltration actions, including prompting for phone numbers or OTP tokens, displaying error messages, or simulating page loading. IBM has identified loose connections between this campaign and DanaBot, a modular banking trojan circulating since 2018, further emphasizing the sophistication of the ongoing threat. The campaign’s association with DanaBot, known for spreading through malvertising, adds another layer of complexity, requiring heightened vigilance from users engaging in online banking activities.
As the campaign is still active, IBM recommends increased awareness and caution when using online banking portals and applications. The evolving nature of the threat, combined with its dynamic and stealthy tactics, underscores the importance of ongoing monitoring and cybersecurity measures to protect against potential data breaches and unauthorized transactions.