Rewterz Threat Advisory – Fake WordPress Plugin Targets E-Commerce Sites for Credit Card Theft – Active IOCs
December 27, 2023
Rewterz Threat Alert – NJRAT – Active IOCs
December 28, 2023
December 28, 2023
Severity
High
Analysis Summary
A campaign involving a new JavaScript malware has been discovered that is designed to steal users’ online banking credentials and has targeted more than 40 financial institutions worldwide. The activity cluster, first detected in March 2023, employs JavaScript web injection and is estimated to have caused about 50,000 infected user sessions in North America, South America, Japan, and Europe.
The goal of the campaign is to infect popular banking apps and steal users’ credentials, using the web injection module installed on victim devices to monetize the stolen banking information. The attack chains rely on scripts loaded from a threat actor-controlled server that specifically target a page structure common to several banks. The malware is believed to reach its targets by other means, such as malvertising or phishing emails.
When an unsuspecting user visits a bank website, the login page is changed to incorporate malicious, obfuscated JavaScript that can harvest credentials and one-time passwords (OTPs). The web injection doesn’t target banks with cloned login pages, but it exfiltrates information about the infected machine to the server and can be easily edited to target other banks. The script behaves dynamically by constantly querying both the current page structure and the command-and-control (C2) server, adjusting its flow based on the data that is obtained.
The next action depends on the server’s response, which can instruct the script to erase traces of the injection to hinder detection, insert fake user-interface elements that prompt for OTPs in order to bypass security controls, or display an error message stating that online banking services will be down for 12 hours. The security researchers describe the message as an attempt to discourage victims from logging into their accounts, making it easier for the attackers to seize control and perform malicious actions without disruption.
The exact origins of the malware are not yet known, but there appears to be a connection to a known stealer family called DanaBot, which is usually spread through malicious ads on Google Search and is used as an initial access vector for ransomware. The threat displays sophisticated web injection capabilities, executing man-in-the-browser attacks through its dynamic communication and adapting its behaviour to commands from the C2 server and the current state of the page.
The disclosure follows researchers’ exposure of a new scheme that lures potential targets into investing in a fraudulent liquidity mining service, which led to the uncovering of a wide array of scams through which the attackers made about $2.9 million worth of cryptocurrency from 90 victims in 2023. These scams are run by three separate threat groups using similar fake decentralized finance (DeFi) websites, suggesting that they are linked to a single Chinese criminal group.
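As an added example (not code from the advisory or from the researchers it cites), the following Node script shows one defensive check against the man-in-the-browser tampering described above: a page-side collector on the genuine login page reports the form fields, script sources and visible text it sees, and the bank compares that snapshot with a known-good baseline. The bank hostnames, the snapshot format and the allowlist are assumptions; the snapshots are constructed.

```javascript
// Script origins the genuine login page is allowed to load from (assumed).
const ALLOWED_SCRIPT_ORIGINS = ["https://bank.example", "https://static.bank.example"];
// Expected form fields of the genuine login page (constructed baseline).
const BASELINE = {
  inputs: [{ name: "username", type: "text" }, { name: "password", type: "password" }],
};
// Constructed snapshots, as a page-side collector would report them.
const CLEAN_SNAPSHOT = {
  inputs: [{ name: "username", type: "text" }, { name: "password", type: "password" }],
  scripts: [{ src: "https://static.bank.example/login.js" }, { inline: "document.getElementById('username').focus();" }],
  texts: ["Sign in to online banking"],
};
const INJECTED_SNAPSHOT = {
  inputs: [...CLEAN_SNAPSHOT.inputs, { name: "otp", type: "text" }], // injected OTP prompt
  scripts: [...CLEAN_SNAPSHOT.scripts, { src: "https://cdn.attacker.invalid/x.js" }, { inline: "eval(atob('aGVsbG8='));" }],
  texts: ["Online banking services will be down for the next 12 hours."],
};

function originOf(url) {
  try { return new URL(url).origin; } catch (e) { return null; }
}

// Heuristic for obfuscated inline code: eval-style calls or a high density of escape sequences.
function looksObfuscated(src) {
  const escapes = (src.match(/\\x[0-9a-f]{2}|\\u[0-9a-f]{4}/gi) || []).length;
  return /\b(eval|Function|atob)\s*\(/.test(src) || escapes / Math.max(src.length, 1) > 0.02;
}

// Compare a reported snapshot with the baseline and return a list of findings.
function auditLoginSnapshot(snapshot, baseline = BASELINE) {
  const findings = [];
  const expected = new Set(baseline.inputs.map((i) => `${i.name}:${i.type}`));
  for (const i of snapshot.inputs) {
    const key = `${i.name}:${i.type}`;
    if (!expected.has(key)) findings.push({ kind: "unexpected_input", detail: key });
  }
  for (const s of snapshot.scripts) {
    if (s.src && !ALLOWED_SCRIPT_ORIGINS.includes(originOf(s.src))) {
      findings.push({ kind: "foreign_script", detail: s.src });
    } else if (!s.src && looksObfuscated(s.inline || "")) {
      findings.push({ kind: "obfuscated_inline_script", detail: (s.inline || "").slice(0, 40) });
    }
  }
  // The "services down for N hours" message is a content cue rather than a DOM-structure one.
  for (const t of snapshot.texts || []) {
    if (/(down|unavailable).{0,40}\b\d+\s*hours?/i.test(t)) findings.push({ kind: "suspicious_banner", detail: t });
  }
  return findings;
}
```

A real deployment would take the snapshot from a MutationObserver on the live page and alert when findings are non-empty; the comparison logic stays the same.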
Impact
- Credential Theft
- Financial Loss
Remediation
- Educate employees about phishing emails, social engineering tactics, and safe online behavior. Effective training can reduce the likelihood of users inadvertently initiating an attack.
- Regularly back up critical data and systems to offline or isolated storage. Test the backup restoration process to ensure that it is effective in case of an attack.
- Deploy strong endpoint protection solutions that include advanced threat detection, behavior monitoring, and real-time protection against malware and ransomware.
- Employ robust email filtering and anti-phishing solutions to detect and prevent malicious attachments and links from reaching user inboxes.
- Thoroughly assess third-party vendors and software before integrating them into your environment. Ensure they have strong security practices and adhere to cybersecurity standards.
- Regularly scan your device to make sure it is clean of malware and adware.
- Ensure that all systems, software, and applications are up-to-date with the latest security patches. Regularly check for and apply updates to eliminate known vulnerabilities that attackers could exploit.