IBM Warns of JavaScript Injections Targeting Bank Accounts

Spread of Malicious Software Using JavaScript Web Injections Revealed

Yesterday, cybersecurity researchers from IBM published a report on a malware distribution campaign they have identified. The campaign uses JavaScript web injections to steal banking data from 40 banks across North and South America, Europe, and Japan.

The researchers' findings indicate that the campaign was being prepared as early as December 2022, when the attackers purchased the malicious domains used in the attacks. However, the campaign was only discovered in March of this year. Unfortunately, over 50,000 users have already fallen victim to the hackers.

The attacks are carried out by JavaScript scripts loaded from the attackers’ servers. They specifically target a page structure that is common to many banks. The ultimate objective is to intercept user credentials and one-time passwords (OTPs) for accessing banking systems, enabling the hackers to gain full control over the victims’ accounts and carry out unauthorized transactions.

According to IBM, the initial infection can occur through fraudulent advertising or phishing techniques. The malware then inserts a special script tag into the victim’s browser that points to an external script. This approach makes the attack stealthier, since simple script loaders are less likely to be flagged as malicious.

The final malicious script is also disguised. In this particular campaign, the hackers utilized legitimate delivery networks for JavaScript content. They used domains similar to “cdnjs[.]com” and “unpkg[.]com” to evade detection. Additionally, the script checks for the presence of certain antivirus products on the victim’s system to further avoid detection.
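The lookalike-domain disguise described above can be checked for defensively. The following is an added example, not code from IBM's report: it classifies the script sources found on a page and flags hosts that imitate the two CDN names mentioned. The allowlist, the page URL, the sample sources and all function names are assumptions constructed for illustration.

```javascript
// Added example: allowlist, page URL and sample list are constructed.
const ALLOWED_HOSTS = new Set(["cdnjs.cloudflare.com", "cdnjs.com", "unpkg.com"]);
const BRANDS = ["cdnjs", "unpkg"]; // CDN names the article says were imitated

// Levenshtein edit distance between two short strings.
function editDistance(a, b) {
  let prev = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    const cur = [i];
    for (let j = 1; j <= b.length; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      cur[j] = Math.min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost);
    }
    prev = cur;
  }
  return prev[b.length];
}

// Classify one <script src> value found on the page at pageUrl.
function classifyScriptSrc(src, pageUrl) {
  let host;
  try {
    host = new URL(src, pageUrl).hostname.toLowerCase();
  } catch {
    return "invalid";
  }
  if (host === new URL(pageUrl).hostname) return "same-host";
  if (ALLOWED_HOSTS.has(host)) return "allowed";
  // A label that contains or nearly spells a CDN name, on a host that is
  // not on the allowlist, is treated as an imitation.
  for (const label of host.split(".")) {
    for (const brand of BRANDS) {
      if (label.includes(brand) || editDistance(label, brand) <= 1) return "lookalike";
    }
  }
  return "unlisted";
}

function auditScripts(srcs, pageUrl) {
  return srcs.map((src) => ({ src, verdict: classifyScriptSrc(src, pageUrl) }));
}

const PAGE = "https://online.bank.example/login"; // constructed
const SAMPLE_SRCS = [ // constructed; .example hosts are placeholders
  "/static/app.js",
  "https://cdnjs.cloudflare.com/ajax/libs/jquery/3.7.1/jquery.min.js",
  "https://cdnjs-static.example/loader.js",
  "https://unpkq.example/pkg.js",
  "https://analytics.vendor.example/t.js",
];
console.log(auditScripts(SAMPLE_SRCS, PAGE));
```
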

A notable aspect of the script is its ability to dynamically alter its behavior based on instructions received from the command-and-control (C2) server, allowing it to adapt to different operating conditions.

During their investigation, the researchers at IBM identified a connection between this campaign and Danabot, a modular banking Trojan that has been distributed since 2018. IBM warns
