New international web injection campaign hits banks

BleepingComputer reports that more than 40 banks in North America, South America, Japan, and Europe have been targeted by a malware campaign involving JavaScript web injections that has been ongoing since March, resulting in the theft of banking details from over 50,000 users. Attacks begin by luring victims into visiting malicious sites, which prompts the injection of a malicious script capable of altering webpage content and capturing login credentials and one-time passcodes, according to an IBM report. Aside from bypassing detection by using the cdnjs[.]com and unpkg[.]com domains similar to JavaScript content delivery networks, the script also scans for security products before executing. Researchers have also noted the dynamic nature of the script, which has various operational states that could be used to facilitate numerous commands, including data exfiltration. The campaign was found to be possibly associated with the DanaBot trojan, which was most recently distributed in a malvertising campaign involving fraudulent Cisco Webex ads.
