Over 50,000 users from 40+ banks worldwide under the active target of a new JavaScript Web Injection malware campaign

Continue reading
Web injections, a favored technique among banking trojans, continue to pose a persistent threat in the realm of cyberattacks. In March 2023, IBM Security Trusteer disclosed a new malware campaign utilizing JavaScript web injections. This campaign, both widespread and evasive, has raised concerns due to potential connections with DanaBot.
Since the beginning of 2023, over 50,000 infected user sessions have been identified, impacting more than 40 banks across North America, South America, Europe, and Japan. The malicious injections manipulate data exchanges, compromising sensitive information.
This nefarious campaign aims to compromise popular banking applications. Once the malware is installed, threat actors intercept users' credentials to monetize banking information. Our analysis reveals a strategic approach, shedding light on the techniques employed.
Security researchers discovered that threat actors purchased malicious domains in December 2022, launching campaigns shortly after. As of this blog's publication, multiple sessions continue communicating with these active domains.
In a departure from traditional methods, the malicious script in this campaign is not directly injected into compromised web pages. Instead, it serves as an external resource hosted on the attacker's server. This strategic shift enhances the attackers' ability to conceal their actions.

The malicious script employs intentional obfuscation, concealing its true nature. By adding large strings to the decoding script, the attackers make manual code inspection challenging. The injected code resembles a legitimate content delivery network (CDN), further camouflaging its malicious intent.
The injection also employs function patching, altering built-in functions related to the document object model (DOM) and JavaScript environment. This meticulous approach erases any trace of the malware, contributing to its stealth.
The script's behavior is dynamic, continuously querying both the command and control (C2) server and the current page structure. This client-server architecture facilitates a constant flow of updates, enhancing the resilience of the web injection.
Executed within an anonymous function, the script creates an object encompassing various fields and helper functions. This object includes the initial configuration, such as bot ID and server details. The script sends requests to the server, adjusting its configuration dynamically based on the responses received.
// JavaScript code snippet illustrating script flow
// ...The script operates in various states, dictated by the "mlink" variable. For instance, when "mlink" is 2, the script prompts the user to choose a phone number for two-factor authentication (2FA). In contrast, when "mlink" is 4, it displays an error message, discouraging the user from accessing their account.
// JavaScript code snippet illustrating potential operational states
// ...The injected script's intentional obfuscation, coupled with its dynamic behavior, makes it a formidable threat. By continuously communicating with the C2 server and adapting its actions based on responses, the injection maintains resilience against detection and eradication.
The script sends updates to the server, logging information about its actions, success or failure status, and various flags indicating the current state. This continuous communication, akin to a client-server dance, ensures the injection adapts to the evolving landscape.
// JavaScript code snippet illustrating communication with C2 server
// ...The script patiently waits for specific elements to load, retries steps based on server instructions, and even redirects to the login page strategically. Its adaptability relies on specific responses from the server, ensuring the injection process remains effective.
Understanding the intricacies of this threat is paramount for effective mitigation. Institutions must bolster their cybersecurity measures, incorporating advanced threat detection and response mechanisms. Regular updates to security protocols and employee awareness training are critical components in the fight against such sophisticated campaigns.

A single ClickFix infrastructure is pushing StealC, Amatera, Remus, NetSupport, CastleLoader and a new loader called ResiLoader through fake Google/Cloudflare checks.