This new malware campaign stole the banking details of 50,000 people - and it's still going after new victims, so be careful

News
By Sead Fadilpašić
published

Experts warn the campaign is still active, so watch out

Trojan
(Image credit: Iaremenko Sergii / Shutterstock)

A new malware campaign operating in the wild right now has so far captured sensitive banking data of more than 50,000 users in 40 banks around the world, experts have warned. 

Cybersecurity researchers from IBM said the campaign deploys unusual tactics that make it stealthier than others, loading malicious scripts from their servers into the page structure that’s commonly found on many banks’ websites. That allows them to grab user login credentials and one-time passwords (OTP). 

After obtaining the login information, the attackers proceed to siphon the funds and lock the legitimate users out of their accounts.

Active campaign

As IBM’s researchers explained, it all starts with a malware infection on the victim’s endpoint. After that, when the victim visits a malicious site, the malware will inject a new script tag which is then loaded into the browser and modifies the website’s content. That allows the attackers to grab the passwords and intercept multi-factor authentication codes and one-time passwords.

Usually, the researchers further explained, hackers will have the malware perform web injections directly on the web page. However, this method is stealthier as static analysis checks won't flag the simpler loader script, allowing for dynamic content delivery. Besides, the script resembles legitimate JavaScript content delivery networks (CDN), which further adds to the campaign’s stealthiness. 

The operators can also change the script’s behavior, by sending updates and instructions via a C2 server. It can inject prompts for phone numbers, OTP tokens, prompt error messages, or pretend to be “loading” pages. 

While IBM wasn’t able to determine exactly who is behind this campaign, it says that it “loosely” resembles DanaBot, a modular banking trojan first spotted in 2018, and recently observed being distributed via malicious Google Search results. 

IBM warns that the campaign is still active and advises caution when using online banking sites and apps.

Via BleepingComputer

More from TechRadar Pro

Sead Fadilpašić

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.