What a Security Researcher Says About the Recent Web Injection Attacks on Financial Institutions

Tal Langus, a security researcher from IBM Security Trusteer, has published an extensive analysis on the recent outbreak of JavaScript-based web injection attacks targeting financial institutions worldwide. This dangerous new malware campaign came into prominence in early 2023, infecting thousands of banking customers across various regions.

According to Langus’ research, the JavaScript injection malware injects malicious scripts into the browser to intercept user credentials and bypass two-factor authentication on online banking sites. Through dynamically generated web injections, the banking trojan stealthily mimics and manipulates legitimate login flows to facilitate cyber theft.

The campaign exhibits signs of sophistication associated with the infamous DanaBot, although definitive attribution remains unclear. It has affected over 40 banking applications and led to the compromise of 50,000 user sessions since December 2022 – showcasing an unprecedented scale of threat activity.

This post examines Langus’ revelations around the technology, targets, infrastructure, and methodology powering this rapidly evolving web injection attack against financial institutions. It analyses the malware’s modes of operation, integration of evasive techniques, dynamic server-side driven behavior, multi-stage infection routine and implications for security teams.

Understanding the mechanics of such cybersecurity threats is vital for banks to protect their data assets, brand reputation and customers. As attackers continue to innovate their tradecraft, adopting an intelligence-led security posture and resilient defense systems remains imperative.


Technical Details About this JavaScript Injection Malware Campaign

Langus’ research offers illuminating insights into the attack chain and intricacies of this parasitic banking trojan.

Code Delivery

The malicious code is not directly injected into the compromised web pages. Instead, a <script> tag is injected into the HTML <head> element, fetching the script from the attacker’s server. The initial request sends exfiltrated data like bot ID and flags as query parameters. The bot ID matches the infected computer’s name, indicating prior malware infection at the OS level.


The returned script is obfuscated into a single line with a decoder function. Two long strings are added before and after to conceal the code. At first glance, network traffic appears normal, with domains resembling legitimate CDNs.
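The loader described above is a `<script>` tag pointing at an attacker-controlled host that resembles a CDN, with bot identification carried in the query string. The following is an added example, not code from the IBM Security Trusteer research: a script-source audit a bank's front-end team could run over the `<script src>` values observed in a rendered page (for instance from a synthetic browser session), paired with the Content-Security-Policy directive that enforces the same allowlist. The page origin, allowed origins and sample URLs are constructed for illustration.

```javascript
// Added example, not code from the IBM Security Trusteer research. The page origin,
// the allowlist and the observed script URLs below are constructed for illustration.
const PAGE_ORIGIN = 'https://www.bank.example';
const ALLOWED_ORIGINS = new Set([PAGE_ORIGIN, 'https://cdn.bank.example']);

// Returns one finding per script whose origin is not allowlisted. Exact origin
// matching is deliberate: a lookalike such as cdn-bank-static.example does not match
// cdn.bank.example. Query parameter names are reported because the injected loader
// described in the research passes bot identification and flags that way.
function auditScriptSources(srcs, allowed = ALLOWED_ORIGINS, pageOrigin = PAGE_ORIGIN) {
  const findings = [];
  for (const src of srcs) {
    let url;
    try {
      url = new URL(src, pageOrigin + '/'); // relative srcs resolve to the page origin
    } catch {
      findings.push({ src, origin: null, params: [], reason: 'unparseable src' });
      continue;
    }
    if (allowed.has(url.origin)) continue;
    findings.push({
      src,
      origin: url.origin,
      params: [...url.searchParams.keys()],
      reason: 'origin not in allowlist',
    });
  }
  return findings;
}

// The matching mitigation: a Content-Security-Policy script-src directive built from
// the same allowlist, so the browser refuses to load scripts from any other origin.
function buildScriptSrcDirective(allowed = ALLOWED_ORIGINS, pageOrigin = PAGE_ORIGIN) {
  const sources = ["'self'", ...[...allowed].filter(o => o !== pageOrigin)];
  return 'script-src ' + sources.join(' ');
}

// Constructed observation: two legitimate bundles and one injected loader whose
// host resembles a CDN and whose query string carries a bot id and a flag.
const OBSERVED_SCRIPTS = [
  '/static/login.js',
  'https://cdn.bank.example/vendor.js?v=3',
  'https://cdn-bank-static.example/main.js?id=DESKTOP-ABC123&flags=1',
];

console.log(auditScriptSources(OBSERVED_SCRIPTS));
console.log(buildScriptSrcDirective());
```

CSP only helps where the browser enforces it on the delivered response; because the bot here operates at the OS level, the policy should be paired with monitoring of what the page actually loads rather than relied on alone.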

Evasion Techniques

The script checks if a major security vendor’s agent is present by searching for the keyword “adrum” in the URL. If found, it exits without executing.

[Figure: sample code showing the malware’s evasion technique (Image Source: Security Intelligence)]
Function patching changes built-in functions used to gather DOM and environment info. This removes evidence of the malware’s presence, helping evade detection.
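Function patching of this kind leaves a detectable trace: a genuine built-in stringifies to `[native code]`, while a wrapper installed by an injected script does not. The following is an added example, not code from the IBM Security Trusteer research: a tamper check over a set of functions, with a reference `Function.prototype.toString` captured up front. It only helps if it runs before any untrusted script. The audited object is constructed; in a browser the targets would be the DOM and environment APIs the page relies on.

```javascript
// Added example, not code from the IBM Security Trusteer research. The audited object
// below is constructed; in a browser the targets would be DOM and environment APIs.
const nativeToString = Function.prototype.toString;
const NATIVE_SOURCE = /^function\s*[\w$]*\s*\(\)\s*\{\s*\[native code\]\s*\}$/;

function isNativeFunction(fn) {
  if (typeof fn !== 'function') return false;
  // Call the captured toString so a later replacement of Function.prototype.toString is ignored.
  return NATIVE_SOURCE.test(nativeToString.call(fn));
}

// targets: [{ obj, name, label }]; returns the labels whose current value is not native code.
function auditBuiltins(targets) {
  const patched = [];
  for (const { obj, name, label } of targets) {
    if (!isNativeFunction(obj ? obj[name] : undefined)) patched.push(label || name);
  }
  return patched;
}

// Constructed demonstration: an object exposing two built-ins, one of which has been
// replaced by a transparent wrapper (the shape a patching script leaves behind).
function demoAudit() {
  const api = { parse: JSON.parse, stringify: JSON.stringify };
  const original = api.parse;
  api.parse = function (...args) { return original.apply(this, args); };
  return auditBuiltins([
    { obj: api, name: 'parse', label: 'JSON.parse' },
    { obj: api, name: 'stringify', label: 'JSON.stringify' },
  ]);
}

console.log(demoAudit()); // the wrapped JSON.parse is reported
```

Bound functions also stringify as native code, so treat this as one signal to be combined with server-side monitoring rather than a complete integrity guarantee.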

Dynamic Nature

The script has a client-server architecture, continuously querying the C2 and updating state flags. It relies on specific server responses to determine its injection actions, if any. This allows waiting for elements to load, retrying steps like overlay injection, or redirecting with a temporary error.

Even on page reloads, the server identifies the bot ID to continue where it left off. The injection is ineffective if the C2 server goes offline.

Operations

The script is executed in an anonymous function that creates an object holding configurations, flags, C2 details, etc. After initial requests and removing itself from the DOM, actions happen asynchronously in event handlers.

It checks for the targeted bank’s login button, updating the state on the C2. Then on an interval, it assigns a listener to steal credentials and handle them based on the flags. It can stop if expected elements don’t exist or exfiltrate the data gathered so far.

Based on the mlink flag from the C2, different operations are possible:

  • Prompt to select a phone number for 2FA (mlink=2)
  • Inject input for the OTP token (mlink=3)
  • Display error that banking is unavailable (mlink=4)
  • Show fake “Loading” overlay (mlink=5)
  • Cleanup injected elements (mlink=6)

Combining the mlink values and other flags allows diverse actions and data exchange between the script and C2 server.

This malware demonstrates sophisticated capabilities for man-in-the-browser attacks, adaptively injecting content and deceiving users based on dynamic C2 communication. Financial institutions and users should remain vigilant through security best practices to counter these threats. Don’t skip checking the original publication for complete deta

How Does This Injection Malware Campaign Work?

This invasive malware campaign operates through a systematic attack flow to steal online banking credentials. The operation commences by compromising the victim’s machine, followed by strategic content injection driven by continuous command-and-control communication. By adaptively deceiving users, injecting fake prompts, and misusing the captured credentials, this malware bypasses security barriers to enable financial fraud. Here is how this injection malware campaign works, step by step:

  1. Initial Infection: The campaign begins with the initial malware infection at the operating system level, likely through phishing emails or drive-by downloads. This provides the bot ID, which is the infected computer’s name.
  2. Inject Script Tag: The next stage injects a hidden <script> tag into the banking web page’s HTML to retrieve the main malicious script from the attacker’s server. Information like the bot ID and flags is sent in the initial request.
  3. Decode & Execute Script: The returned obfuscated script contains a decoder function to deobfuscate itself. It removes evidence of the malware from the DOM and executes asynchronously.
  4. Query C2 Server: The script sends requests to the C2 server to check for instructions specific to the target bank, determined by page elements found. It continuously updates state flags based on responses.
  5. Inject Content: According to the mlink flag values from the C2, the script injects content like fake 2FA phone number prompts, OTP token fields, error messages or loading overlays.
  6. Steal Credentials: Event listeners are added to steal credentials and OTP tokens entered into the injected fields when the login button is clicked.
  7. Exfiltrate Data: The stolen credentials and tokens are sent to the C2 server by the script. Session tokens allow the server to maintain state across page reloads.
  8. Adapt Flow: Based on further C2 responses, the script can retry failed steps like overlays, stop if expected elements don’t exist, redirect pages, or clean up injections before allowing normal login.

It is an adaptive, resilient attack flow driven by dynamic server-side communication to deceive users and bypass security mechanisms like 2FA. Continuous data exfiltration allows misuse of the stolen account credentials.
