Tal Langus, a security researcher from IBM Security Trusteer, has published an extensive analysis on the recent outbreak of JavaScript-based web injection attacks targeting financial institutions worldwide. This dangerous new malware campaign came into prominence in early 2023, infecting thousands of banking customers across various regions.
As per Langus’ research, the sophisticated JavaScript injection malware leverages malicious scripts injected into the browser to intercept user credentials and bypass two-factor authentication on online banking sites. Through dynamically generated web injections, the banking trojan is able to stealthily replicate and manipulate legitimate processes to facilitate cyber theft.
The campaign exhibits signs of sophistication associated with the infamous DanaBot, although definitive attribution remains unclear. It has affected over 40 banking applications and led to the compromise of 50,000 user sessions since December 2022 – showcasing an unprecedented scale of threat activity.
This post examines Langus’ revelations around the technology, targets, infrastructure, and methodology powering this rapidly evolving web injection attack against financial institutions. It analyses the malware’s modes of operation, integration of evasive techniques, dynamic server-side driven behavior, multi-stage infection routine and implications for security teams.
Understanding the mechanics of such cybersecurity threats is vital for banks to protect their data assets, brand reputation and customers. As attackers continue to innovate their tradecraft, adopting an intelligence-led security posture and resilient defense systems remains imperative.
Langus’ research offers illuminating insights into the attack chain and intricacies of this parasitic banking trojan.
The malicious code is not directly injected into the compromised web pages. Instead, a <script> tag is injected into the HTML <head> element, fetching the script from the attacker’s server. The initial request sends exfiltrated data like bot ID and flags as query parameters. The bot ID matches the infected computer’s name, indicating prior malware infection at the OS level.
The returned script is obfuscated into a single line with a decoder function. Two long strings are added before and after to conceal the code. At first glance, network traffic appears normal, with domains resembling legitimate CDNs.
The script checks if a major security vendor’s agent is present by searching for the keyword “adrum” in the URL. If found, it exits without executing.
Figure: sample code showing the malware’s evasion technique mechanism (Image Source: Security Intelligence)
Function patching changes built-in functions used to gather DOM and environment info. This removes evidence of the malware’s presence, helping evade detection.
The script has a client-server architecture, continuously querying the C2 and updating state flags. It relies on specific server responses to determine its injection actions, if any. This allows waiting for elements to load, retrying steps like overlay injection, or redirecting with a temporary error.
Even on page reloads, the server identifies the bot ID to continue where it left off. The injection is ineffective if the C2 server goes offline.
The script is executed in an anonymous function that creates an object holding configurations, flags, C2 details, etc. After initial requests and removing itself from the DOM, actions happen asynchronously in event handlers.
It checks for the targeted bank’s login button, updating the state on the C2. Then on an interval, it assigns a listener to steal credentials and handle them based on the flags. It can stop if expected elements don’t exist or exfiltrate the data gathered so far.
Based on the mlink flag from the C2, different operations are possible:
Prompt to select a phone number for 2FA (mlink=2)
Inject input for the OTP token (mlink=3)
Display error that banking is unavailable (mlink=4)
Show fake “Loading” overlay (mlink=5)
Cleanup injected elements (mlink=6)
Combining the mlink values and other flags allows diverse actions and data exchange between the script and C2 server.
This malware demonstrates sophisticated capabilities for man-in-the-browser attacks, adaptively injecting content and deceiving users based on dynamic C2 communication. Financial institutions and users should remain vigilant through security best practices to counter these threats. Don’t skip to check the original publish for complete deta
This invasive malware campaign operates through a systematic attack flow to steal online banking credentials. The operation commences by compromising the victim’s machine, followed by strategic content injection driven by continuous command-and-control communication. By adaptively deceiving users, injecting fake prompts, and misusing accessed credentials, this malware successfully bypasses security barriers to enable financial fraud. Here you see how this injection malware campaign works in a step-by-step process:
Initial Infection: The campaign begins with the initial malware infection at the operating system level, likely through phishing emails or drive-by downloads. This provides the bot ID, which is the infected computer’s name.
Inject Script Tag: The next stage injects a hidden <script> tag into the banking web page’s HTML to retrieve the main malicious script from the attacker’s server. Information like the bot ID and flags are sent in the initial request.
Decode & Execute Script: The returned obfuscated script contains a decoder function to deobfuscate itself. It removes evidence of the malware from the DOM and executes asynchronously.
Query C2 Server: The script sends requests to the C2 server to check for instructions specific to the target bank, determined by page elements found. It continuously updates state flags based on responses.
Inject Content: According to the mlink flag values from the C2, the script injects content like fake 2FA phone number prompts, OTP token fields, error messages or loading overlays.
Steal Credentials: Event listeners are added to steal credentials and OTP tokens entered into the injected fields when the login button is clicked.
Exfiltrate Data: The stolen credentials and tokens are sent to the C2 server by the script. Session tokens allow the server to maintain state across page reloads.
Adapt Flow: Based on further C2 responses, the script can retry failed steps like overlays, stop if expected elements don’t exist, redirect pages, or clean up injections before allowing normal login.
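Two page-integrity checks a bank’s front end could run against the behaviour described above (the injected <script> tag in <head> carrying the bot ID as query parameters, and the patching of built-in DOM functions to hide the malware’s elements). This is an added example, not code from IBM’s research or from the original post; the hostnames, parameter names and sample values are constructed, and the checks are written as pure functions so they run under Node without a DOM.

```javascript
// Added example (not from the IBM research or the original post): two
// client-side integrity checks. Hostnames, parameter names and the sample
// bot ID below are constructed for illustration.

// Check 1: script sources. The injected <script> loads from an attacker host
// that resembles a CDN and carries bot ID/flags as query parameters. Flag any
// script whose host is not allowlisted, or that carries query parameters the
// page itself never uses.
function auditScriptSources(scriptSrcs, allowedHosts, pageOrigin) {
  const findings = [];
  for (const src of scriptSrcs) {
    let url;
    try {
      url = new URL(src, pageOrigin); // resolve relative paths against the page
    } catch (e) {
      findings.push({ src, reason: "unparseable src", params: [] });
      continue;
    }
    const params = [...url.searchParams.keys()];
    if (!allowedHosts.includes(url.hostname)) {
      findings.push({ src, reason: "host not allowlisted", params });
    } else if (params.length > 0) {
      findings.push({ src, reason: "unexpected query parameters", params });
    }
  }
  return findings;
}

// Check 2: function patching. Genuine built-ins are native, so their source
// text reports "[native code]"; a JavaScript replacement reports real source.
function findPatchedNatives(table) {
  const patched = [];
  for (const [name, fn] of Object.entries(table)) {
    const text = Function.prototype.toString.call(fn);
    if (!/\[native code\]/.test(text)) patched.push(name);
  }
  return patched;
}

// Constructed sample: two legitimate scripts and one injected loader.
const SAMPLE_SCRIPTS = [
  "/static/app.js",
  "https://cdn-assets.example-bank.test/lib/vendor.js",
  "https://cdn-static-assets.example.test/jquery.js?botid=DESKTOP-1A2B3C&flag=1",
];

function demo() {
  const scriptFindings = auditScriptSources(SAMPLE_SCRIPTS,
    ["www.example-bank.test", "cdn-assets.example-bank.test"],
    "https://www.example-bank.test/login");
  // Two genuine natives beside a simulated patched querySelectorAll.
  const natives = { push: Array.prototype.push, trim: String.prototype.trim,
                    querySelectorAll: function () { return []; } };
  return { scriptFindings, patched: findPatchedNatives(natives) };
}
```

A thorough patch can also override Function.prototype.toString, so treat the native-code check as one signal to report to the server alongside the script-source audit, not as proof of a clean page.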
It is an adaptive, resilient attack flow driven by dynamic server-side communication to deceive users and bypass security mechanisms like 2FA. Continuous data exfiltration allows misuse of the stolen account credentials.
The malware exhibits sophisticated evasion techniques and threat capabilities. As cybersecurity threats continue to evolve, organizations must vigilantly monitor emerging tactics and educate users on risks. Implementing robust security layers, prompt incident response and fostering security awareness are key to defending institutions and customers from the growing menace of attacks like these JavaScript injection malware campaigns targeting the digital finance sector.
We hope this post helps you understand the new web injection attacks on financial institutions. Please share this post and help secure the digital world. Visit our website thesecmaster.com, and our social media page on Facebook, LinkedIn, Twitter, Telegram, Tumblr, Medium, and Instagram and subscribe to receive updates like this.
Arun KL is a cybersecurity professional with 15+ years of experience in IT infrastructure, cloud security, vulnerability management, Penetration Testing, security operations, and incident response. He is adept at designing and implementing robust security solutions to safeguard systems and data. Arun holds multiple industry certifications including CCNA, CCNA Security, RHCE, CEH, and AWS Security.