New Malware Campaign Impacts Over 40 Banks
In March 2023, IBM became aware of a new malware campaign that at the time had already targeted more than 40 banks in the Americas, Europe, and Japan. It was reported then to have compromised more than 50,000 individual user sessions, and since the campaign is ongoing, the figure will be much higher by now.
How the Attacks Unfolded
The researchers think this new malware campaign may have loose links to DanaBot, a modular banking trojan that has been around since 2018, but this is not certain. They also do not appear to know how the initial breaches occurred, though some kind of social engineering element may have been involved.
That aside, the aim of the campaign, which is ongoing, is to steal banking customers’ credentials and exploit them for fraudulent purposes.
Malware Campaign Evasion Techniques
Obfuscation is something of a mixed blessing: on the one hand, obfuscation techniques allow developers to protect intellectual property or proprietary algorithms; on the other, they allow malicious actors to hide what their malware is doing, or even that it is malware at all. In the case of these banking attacks, the malware obfuscated the script it retrieved, patched functions to remove traces of itself, and refused to execute when it detected security products in use.
This kind of dynamic behavior is troublesome. The malware was found to be in constant communication with its command-and-control server, adjusting its actions according to the server's instructions and the current state of the page: prompting the victim for additional authentication, for example, or injecting fake error messages. This ability to adapt on the fly makes it a challenging foe, and the added obfuscation compounds the difficulty of detecting and stopping it.
Dynamic analysis is better at revealing the behavior of malicious code, but, as the researchers found in this case, if the code detects that it is likely being analyzed, it simply will not run. The other problem with dynamic analysis is its cost in time and compute, which makes it unsuitable for large-scale use.
Static analysis is simple, fast, and less resource intensive, and static detection tools can now use machine learning techniques to achieve good results. It would be the better option, then, except that static analysis is susceptible to obfuscation.
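As an added illustration (not code from IBM's or Reflectiz's research), the heuristic below shows what a cheap static pass can still do against obfuscation: it cannot recover what a packed script does, but it can flag the indicators that the script is packed, so the sample can be routed to costlier dynamic analysis. The pattern names, thresholds and both sample scripts are constructed for this example.

```python
import math
import re
from collections import Counter

# Cheap static signals that co-occur in obfuscated JavaScript. Patterns and
# thresholds are assumptions for this example, not IBM's or any detector's.
DYNAMIC_EVAL = re.compile(r"\b(?:eval|Function|setTimeout|setInterval|atob)\s*\(|fromCharCode")
ESCAPED_CHARS = re.compile(r"\\x[0-9a-fA-F]{2}|\\u[0-9a-fA-F]{4}")
HEX_IDENTIFIERS = re.compile(r"\b_0x[0-9a-fA-F]{3,}\b")
STRING_LITERALS = re.compile(r"'(?:[^'\\]|\\.)*'|\"(?:[^\"\\]|\\.)*\"")

def shannon_entropy(text: str) -> float:
    """Bits per character; packed or encoded string blobs score high."""
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())

def obfuscation_indicators(js: str) -> dict:
    """Collect the raw signals from JavaScript source text."""
    strings = [s[1:-1] for s in STRING_LITERALS.findall(js)]  # drop quotes
    return {
        "dynamic_eval": len(DYNAMIC_EVAL.findall(js)),
        "escaped_chars": len(ESCAPED_CHARS.findall(js)),
        "hex_identifiers": len(set(HEX_IDENTIFIERS.findall(js))),
        "longest_string": max((len(s) for s in strings), default=0),
        "string_entropy": round(shannon_entropy("".join(strings)), 2),
    }

def obfuscation_score(js: str) -> int:
    """0..5: how many indicator thresholds the script exceeds."""
    ind = obfuscation_indicators(js)
    return sum([
        ind["dynamic_eval"] >= 1,
        ind["escaped_chars"] >= 8,
        ind["hex_identifiers"] >= 2,
        ind["longest_string"] >= 200,
        ind["string_entropy"] >= 4.5,
    ])

# Constructed samples: an ordinary page script and a deliberately packed one.
PLAIN_JS = """
function showBalance(account) {
  document.getElementById('balance').textContent = account.balance;
}
"""

OBFUSCATED_JS = r"""
var _0x3f1a=['\x6c\x6f\x67\x69\x6e','\x70\x61\x73\x73'];
var _0x7c2e=String.fromCharCode(0x65,0x76,0x61,0x6c);
eval(atob('ZG9jdW1lbnQuZ2V0RWxlbWVudEJ5SWQoJ2xvZ2luJyk='));
"""
```

A script that scores high is not proven malicious, only worth the cost of a sandbox run; the point is triage, not a verdict.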
JSRevealer may offer meaningful insights for further security research, but it hasn’t been developed into any kind of commercial offering.
The Need for Ongoing Vigilance
The sophistication of this kind of malware campaign is a timely reminder that banking service users need to keep their anti-malware software up to date and to stay vigilant when using online banking portals and mobile apps. They should also use two-factor authentication where possible and be extra cautious about responding to messages that claim to come from their bank, particularly when those messages appear urgent.
The researchers have not explained how the initial compromise is achieved in this kind of attack, but presumably some element of social engineering is involved.
From the perspective of financial institutions, the key takeaway from this malware campaign is the need to respond decisively. This ongoing attack poses significant risks and requires them to put robust security measures in place to keep customers' data and money safe and to avoid regulatory penalties.
With that in mind, a continuous web threat management (CTEM) solution like Reflectiz's behavior-based approach should be an absolute minimum requirement for any financial services provider. Its ability to map every asset in the digital supply chain and to continuously monitor for malicious code changes in open-source, third- and fourth-party apps provides essential ongoing protection and will also help financial service providers maintain regulatory compliance.