In March 2023, IBM became aware of a new malware campaign that at the time had already targeted more than 40 banks in the Americas, Europe, and Japan. It was said to have compromised more than 50,000 individual user sessions, but that was then, so by now the figure will be much higher.
How the Attacks Unfolded
The method of attack is via JavaScript web injections. The malware targets a specific page structure that many banks use. When it detects the right conditions, such as a certain keyword being used or a login button, it injects a script tag to retrieve an external script from the attacker’s server. This installs event listeners that steal user credentials and one-time password (OTP) tokens, passing them on to the malicious command-and-control (C2) servers.
The researchers think this new malware campaign may have loose links to a modular banking trojan called DanaBot, which has been around since 2018, but this isn’t certain. They also don’t seem clear about how the initial breaches occurred, but it may be that some kind of social engineering element was involved.
That aside, the aim of the campaign, which is ongoing, is to steal banking customers’ credentials and exploit them for fraudulent purposes.
Malware Campaign Evasion Techniques
JavaScript is the most popular scripting language on the web, and it’s commonly used in mobile app development with cross-platform app frameworks that help to keep development costs down. It’s popular because it’s easy to use and because it’s backed by a large online support community.
Its mass adoption makes JavaScript an attractive target to threat actors who like the fact that it can be easily obfuscated. The techniques for doing this don’t change what the code does, but they do make it harder for humans to understand its underlying purpose.
This is something of a mixed blessing because, while on the one hand, obfuscation techniques allow developers to protect intellectual property or proprietary algorithms, on the other, they allow malicious actors to hide what their malware is up to, or even that it is malware. In the case of these banking attacks, the malware was able to obfuscate the retrieved script, patch functions to remove malware traces and avoid execution if it detected security products being used.
This kind of dynamic behavior is troublesome. The malware was found to be constantly communicating with the command-and-control server and adjusting its actions based on the server’s instructions as well as the current page state, doing things like prompting for additional authentication or injecting error messages. This ability to adapt ‘on the fly’ makes it a challenging foe, and the addition of obfuscation compounds the difficulties of detecting and stopping it.
JSRevealer
One 2021 research paper has offered some hope of dealing with obfuscation more effectively. It looks at the effectiveness of a tool the researchers developed, JSRevealer, and describes it as, ‘…a robust, effective, scalable, and interpretable detector for identifying malicious JavaScript.’ It was developed to address the challenges of reverse engineering obfuscated JavaScript code, with techniques often producing many false positives and false negatives in detection results.
Many methods have been proposed for detecting malicious JavaScript, and these can be grouped into two main types of analysis: static and dynamic.
Dynamic analysis is better at revealing the behavior of malicious code, but as the researchers found in this case if the code knows that it’s likely to be analyzed, then it won’t run. The other problem with dynamic analysis is that it’s too costly, which makes it unsuitable for large-scale use.
Static analysis is simple, fast, and less resource intensive, and static detection tools can now use machine learning techniques to achieve good results. This would be the better option then, except that static analysis is susceptible to obfuscation.
Researchers developed JSRevealer in light of this. The tool employs a novel method to reveal the essential features related to the semantics of JavaScript code, and its approach helps to reduce the impact of the disguised and redundant features extracted by static analysis.
In comparative experiments with four other state-of-the-art malicious JavaScript detection tools, JSRevealer performed very well. It achieved an average F1 score of 84.8% on data disguised by different obfuscators. This score is higher than those achieved by the CUJO, ZOZZLE, JAST, and JSTAP detection tools by 21.6%, 22.3%, 18.7%, and 22.9% respectively.
JSRevealer may offer meaningful insights for further security research, but it hasn’t been developed into any kind of commercial offering.
The Need for Ongoing Vigilance
The sophistication of this kind of malware campaign is a timely reminder that banking service users need to ensure that their anti-malware software is kept up-to-date and that they stay vigilant when using online banking portals and mobile apps. They should also use two-factor authentication where possible and be extra cautious about responding to messages that claim to be from their banks, particularly when these messages appear to be urgent.
The researchers haven’t explained how the initial compromise is achieved in this kind of attack, but presumably, there is some element of social engineering involved.
From the perspective of financial institutions, the key takeaway from this malware campaign is the need to respond decisively. This ongoing attack poses significant risks and requires them to set up robust security measures to keep customers’ data and money safe and to avoid regulatory penalties.
With that in mind, a continuous web threat management (CTEM) solution like Reflectiz’s behavioral based approach should be an absolute minimum requirement for any financial services provider. Its ability to map all assets in the digital supply chain and continuously monitor for malicious code changes to open-source, third, and fourth-party apps empowers providing essential ongoing protection and will also help financial service providers to maintain regulatory compliance.
Subscribe to our newsletter
Stay updated with the latest news, articles, and insights from Reflectiz.
Your Website looks great!
But what’s happening behind the scenes?
Discover your website blind spots and vulnerabilities before it’s too late!