Security researchers describe a widespread campaign deploying JavaScript web injections to steal banking credentials and OTPs from 40+ banks across multiple regions, delivered as an external script hosted on attacker domains and controlled via a server-driven flow. The operation employs obfuscation, DOM and function patching for evasion, and dynamic C2 communication, with indicators connecting it to DanaBot-like activity. #DanaBot #adrum
Keypoints
- Over 50,000 infected user sessions observed since early 2023 across more than 40 banks in North America, South America, Europe and Japan.
- The web injection targets a common login page structure and intercepts credentials, with an option to steal OTP tokens during authentication.
- The malicious JavaScript is delivered as an external resource loaded by injecting a script tag pointing to attacker domains.
MITRE Techniques
- [T1059.007] JavaScript – The script runs in the browser as JavaScript to perform credential theft and injection. “The malicious script is an external resource hosted on the attacker’s server… retrieved by injecting a script tag into the head element of the page’s HTML document, with the src attribute set to the malicious domain.”
- [T1105] Ingress Tool Transfer – Delivery of the external script from the attacker’s server via an injected script tag. “In the past, we observed malware that directly injected the code into the compromised web page. However, in this campaign, the malicious script is an external resource hosted on the attacker’s server.”
- [T1027] Obfuscated/Compressed Files and Information – The payload is obfuscated and delivered as a single line with a decoding script. “The retrieved script is intentionally obfuscated and returned as a single line of code, which includes both the encoded script string and a small decoding script.”
- [T1564.001] Hide Artifacts – The malware removes itself from the DOM to conceal actions. “Following the initial configuration, the script proceeds to remove itself from the DOM tree, enhancing its ability to conceal its actions.”
- [T1562.001] Impair Defenses – The injection patches functions to hinder security monitoring. “The injection also performs function patching, changing built-in functions… The patch removes any remnant evidence of the malware from the session.”
- [T1036] Masquerading – The domains resemble legitimate CDNs to mislead users. “The malicious domains resemble two legitimate JavaScript CDNs: jscdnpack[.]com; unpack[.]com.”
- [T1071.001] Web Protocols – The malware maintains ongoing C2 communication and relies on server responses to drive injections. “The script relies on receiving a specific response from the server, which determines the type of injection it should execute, if any.”
- [T1056.003] Web-based Input Capture – Credential and OTP theft via event listeners on login elements. “Credential theft is executed by adding event listeners to this button, with an option to steal a one-time password (OTP) token with it.”
- [T1041] Exfiltration Over C2 Channel – Data is exfiltrated to the server, including bot ID and configuration flags. “During our investigation, we observed that the malware initiates data exfiltration upon the initial retrieval of the script. It appends information, such as the bot ID and different configuration flags, as query parameters.”
Indicators of Compromise
- [Domain] Malicious domains used to host the web-injection payload: jscdnpack[.]com, unpack[.]com – these domains are used to deliver the external JS resource.
- [Domain] Legitimate CDNs that the malicious domains imitate: cdnjs[.]com, unpkg[.]com – the attacker hostnames were chosen to resemble these.
- [URL] URL keyword check affecting execution: presence of the word “adrum” in the current page URL causes the injection to not run.
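Two of the behaviours above leave fingerprints a bank's own front-end code can check for: an injected script tag whose src host is not one the page expects (the lookalike-CDN delivery), and built-in functions that have been replaced (the function patching). The following is an added defender-side example, not code from the original post or from IBM; the allowlist, the sample script sources and the stand-in patched function are constructed, and the lookalike host is a placeholder modelled on the post's jscdnpack[.]com.

```javascript
// Constructed allowlist of hosts this login page legitimately loads scripts from.
const ALLOWED_SCRIPT_HOSTS = new Set(["cdnjs.cloudflare.com", "unpkg.com", "bank.example"]);

// Constructed sample of <script src> values as a page-integrity check might collect
// them from document.scripts; the last entry models the campaign's lookalike CDN.
const SAMPLE_SCRIPT_SRCS = [
  "https://cdnjs.cloudflare.com/ajax/libs/jquery/3.7.1/jquery.min.js",
  "/static/login.js",
  "https://jscdnpack.example/lib.js", // placeholder for the post's jscdnpack[.]com
];

// Flags any script source whose host is not allowlisted. The match is on the exact
// hostname, so a lookalike such as "jscdnpack" is not mistaken for "cdnjs".
function findUnexpectedScriptHosts(scriptSrcs, allowedHosts = ALLOWED_SCRIPT_HOSTS) {
  const findings = [];
  for (const src of scriptSrcs) {
    let host;
    try {
      host = new URL(src, "https://bank.example/").hostname; // resolve relative srcs
    } catch {
      findings.push({ src, host: null, reason: "unparseable src" });
      continue;
    }
    if (!allowedHosts.has(host)) findings.push({ src, host, reason: "host not allowlisted" });
  }
  return findings;
}

// Capture Function.prototype.toString before any third-party script runs: a patched
// built-in no longer reports "[native code]", but an attacker who also patches
// toString itself would defeat a late-captured reference.
const nativeToString = Function.prototype.toString;

// Returns the names of the supplied built-ins that are no longer native code.
function findPatchedBuiltins(builtins) {
  const patched = [];
  for (const [name, fn] of Object.entries(builtins)) {
    if (typeof fn !== "function" || !/\[native code\]/.test(nativeToString.call(fn))) {
      patched.push(name);
    }
  }
  return patched;
}

// Constructed sample: two genuine built-ins plus a wrapper standing in for a patched one.
function sampleBuiltins() {
  const patchedStringify = function stringify(v) { return JSON.stringify(v); };
  return { "JSON.parse": JSON.parse, "Array.prototype.push": Array.prototype.push, "JSON.stringify": patchedStringify };
}
```

In a real page the script list comes from `document.scripts` and the built-ins map would name the functions the post says get patched; the checks here run offline on the constructed samples.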
Read more: https://securityintelligence.com/posts/web-injections-back-on-rise-banks-affected-danabot-malware/