Why keeping your PC secure and free of malware remains paramount
The code has been spotted attacking customers of dozens of financial orgs in North America, South America, Europe, and Japan, IBM's Tal Langus reported this week.
When the requested banking page "contains a certain keyword and a login button with a specific ID present, new malicious content is injected," Langus explained. "Credential theft is executed by adding event listeners to this button, with an option to steal a one-time password (OTP) token with it."
The script is fairly smart: it communicates with a remote command-and-control (C2) server, and removes itself from the DOM tree – deletes itself from the login page, basically – once it's done its thing, which makes it tricky to detect and analyze.
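The injection behaviour described above suggests the kind of client-side check a bank's front end can ship: every `<script>` node on the login page should either come from an origin the bank controls or carry the per-response CSP nonce, and because the injected code only appears once the login button exists and deletes itself afterwards, the check has to watch DOM mutations rather than run once at load. The following is an added example written for this article, not code from IBM's report or from the malware; the nonce, the allowed origin and the login button id are constructed placeholders, and `findUnexpectedScripts` accepts either real `HTMLScriptElement`s or plain objects with the same `src`/`nonce` fields so it can be exercised outside a browser.

```javascript
// Added example: a page-integrity monitor for a banking login page.
// Constructed placeholders; a real deployment takes these from the served page.
const PAGE_NONCE = "r4nd0mNonce";                                 // CSP nonce for this response
const ALLOWED_SCRIPT_ORIGINS = ["https://online.bank.example"];   // origins the bank serves scripts from

// Classify one <script> element (or a {src, nonce} stand-in).
// Returns "ok" or a short reason string describing why it is unexpected.
function classifyScript(s) {
  if (s.src) {
    let origin;
    try {
      origin = new URL(s.src).origin;
    } catch (e) {
      return "unparseable-src";
    }
    return ALLOWED_SCRIPT_ORIGINS.includes(origin) ? "ok" : "foreign-src";
  }
  // Inline script: only scripts carrying the page's nonce were emitted by the server.
  return s.nonce === PAGE_NONCE ? "ok" : "inline-without-nonce";
}

// Scan a list of scripts and return only the suspicious ones with a reason.
function findUnexpectedScripts(scripts) {
  const findings = [];
  for (const s of scripts) {
    const verdict = classifyScript(s);
    if (verdict !== "ok") findings.push({ src: s.src || null, reason: verdict });
  }
  return findings;
}

// Browser hookup: watch for <script> nodes added after load. Findings are kept
// in the returned array as well as passed to reportFn, so a script that later
// removes itself from the DOM does not take the evidence with it.
function startMonitor(reportFn) {
  const seen = [];
  if (typeof document === "undefined" || typeof MutationObserver === "undefined") {
    return seen; // not running in a browser; nothing to observe
  }
  // Scripts already present when the monitor starts.
  const initial = findUnexpectedScripts(Array.from(document.scripts));
  if (initial.length) { seen.push(...initial); reportFn(initial); }
  const observer = new MutationObserver((mutations) => {
    for (const m of mutations) {
      for (const node of m.addedNodes) {
        if (node.nodeName === "SCRIPT") {
          const found = findUnexpectedScripts([node]);
          if (found.length) { seen.push(...found); reportFn(found); }
        }
      }
    }
  });
  observer.observe(document.documentElement, { childList: true, subtree: true });
  return seen;
}

// Constructed sample resembling document.scripts on a login page: two
// legitimate entries followed by an inline script without the nonce and a
// script loaded from a third-party origin.
const SAMPLE_SCRIPTS = [
  { src: "https://online.bank.example/static/app.js", nonce: "" },
  { src: "", nonce: "r4nd0mNonce" },
  { src: "", nonce: "" },
  { src: "https://third-party.example/inject.js", nonce: "" },
];

if (typeof document === "undefined") {
  // Stand-alone run outside a browser: print the findings for the sample.
  console.log(JSON.stringify(findUnexpectedScripts(SAMPLE_SCRIPTS), null, 2));
} else {
  // In a browser, send findings to a reporting endpoint (placeholder path).
  startMonitor((f) => navigator.sendBeacon("/integrity-report", JSON.stringify(f)));
}
```

The check deliberately reports rather than blocks: the malware's own removal of its script means a blocking attempt may come too late, whereas a report with the offending `src` or the fact that an un-nonced inline script appeared gives the bank's fraud team a signal tied to the session. A CSP with `script-src 'nonce-…'` on the same page would stop such injected inline scripts from executing in the first place; this monitor complements that by making the attempt visible.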
The malware can perform a series of nefarious actions, selected by an "mlink" flag the C2 sends. In total, there are nine different actions that the malware can perform depending on the "mlink" value, we're told.
These include injecting a prompt for the user's phone number or two-factor authentication token, which the miscreants can use with the intercepted username and password to access the victim's bank account and steal their cash.
The script can also inject an error message on the login page that says the banking services are unavailable for 12 hours. "This tactic aims to discourage the victim from attempting to access their account, providing the threat actor with an opportunity to perform uninterrupted actions," Langus said.
Other actions include injecting a page loading overlay as well as scrubbing any injected content from the page.
"This sophisticated threat showcases advanced capabilities, particularly in executing man-in-the-browser attacks with its dynamic communication, web injection methods and the ability to adapt based on server instructions and current page state," Langus warned. "The malware represents a significant danger to the security of financial institutions and their customers."
He also urged banking customers to "practice vigilance" with their banking apps. This includes using (and not re-using) strong passwords, not downloading software from unknown sources, and reporting any odd behavior to the banks. See the above-linked write-up for more technical info and some indicators of compromise, if you want to look out for this particular software nasty. ®
PS: AT&T Alien Labs this week drilled into information-stealing malware dubbed JaskaGO, which is written in Go and said to pose "a severe threat to both Windows and macOS operating systems." The code uses multiple techniques to persist on an infected computer, and can siphon data including login credentials stored by browsers and attack cryptocurrency wallets. The telco also shared indicators of compromise if you want to seek and destroy that malware.