Stealthy Attack Chains
The attack mechanism involves scripts loaded from a threat actor-controlled server, identified as “jscdnpack[.]com”. These scripts target a page structure common to the online banking portals of several banks, which points to deliberate reconnaissance of the targets rather than opportunistic injection. Delivery of the malware to potential victims may occur through phishing emails or malvertising.
Dynamic Script Behavior
The server’s response dictates the malware’s next actions, allowing it to erase traces of the injection and to insert deceptive user interface elements into the banking page. These elements may include prompts asking the victim for a one-time password (OTP), which helps the threat actors bypass OTP-based verification. The injection may also display an error message stating that online banking services are temporarily unavailable for 12 hours, discouraging the victim from logging in and giving the attackers a window in which to access the account unnoticed.
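The injection described above only works because the victim's browser is willing to execute a script fetched from a host the bank never intended to trust. The block below is an added example, not code from the article or from any bank or vendor it mentions: a simplified evaluator for the Content-Security-Policy `script-src` directive that checks, offline, whether a given policy would have allowed a page to load a script from the attacker-controlled host. The bank domain `example-bank.test`, the page URL and the script list are constructed for the example; the last script URL is the host named in the article, written undefanged so that it parses. Only a subset of CSP source matching is modelled: `'self'`, `'none'`, `*`, scheme-only sources, and host sources with an optional scheme, leading `*.` wildcard and port. Nonces, hashes, `'unsafe-inline'`, `'strict-dynamic'` and path matching are out of scope.

```javascript
// Added example: simplified CSP script-src evaluation. Not the article's code.
// Models 'self', 'none', '*', scheme-only sources ("https:") and host sources
// ("[scheme://]host[:port]", with a leading "*." wildcard). Nonces, hashes and
// path matching are deliberately not implemented.

// Extract the source list of the script-src directive, or null if absent.
function parseScriptSrc(policy) {
  for (const directive of policy.split(';')) {
    const tokens = directive.trim().split(/\s+/).filter(Boolean);
    if (tokens.length && tokens[0].toLowerCase() === 'script-src') {
      return tokens.slice(1);
    }
  }
  return null;
}

// Default port for a scheme; the URL API leaves url.port empty for defaults.
function defaultPort(protocol) {
  return { 'http:': '80', 'https:': '443' }[protocol] || '';
}

// "*.example.test" matches any subdomain; anything else must match exactly.
function hostMatches(pattern, host) {
  if (pattern.startsWith('*.')) return host.endsWith(pattern.slice(1));
  return pattern === host;
}

// Does one source expression permit loading `url` on a page at `pageOrigin`?
function sourceAllows(expr, url, pageOrigin) {
  const lower = expr.toLowerCase();
  if (lower === "'self'") return url.origin === pageOrigin.origin;
  if (lower.startsWith("'")) return false; // 'none' and keywords not modelled
  if (lower === '*') return true;
  if (/^[a-z][a-z0-9+.-]*:$/.test(lower)) return url.protocol === lower;
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?([^:/]+)(?::(\d+|\*))?$/.exec(lower);
  if (!m) return false;
  const [, scheme, hostPattern, port] = m;
  if (scheme) {
    if (url.protocol !== scheme + ':') return false;
  } else if (url.protocol !== pageOrigin.protocol &&
             !(pageOrigin.protocol === 'http:' && url.protocol === 'https:')) {
    return false; // no scheme given: the page's scheme applies (http may upgrade)
  }
  if (port === undefined) {
    if (url.port !== '') return false; // must be the scheme's default port
  } else if (port !== '*') {
    if ((url.port || defaultPort(url.protocol)) !== port) return false;
  }
  return hostMatches(hostPattern, url.hostname);
}

// Evaluate every script URL a page tries to load against its policy.
// Returns [{ url, allowed }] in input order.
function evaluateScripts(policy, pageUrl, scriptUrls) {
  const sources = parseScriptSrc(policy);
  const pageOrigin = new URL(pageUrl);
  return scriptUrls.map((src) => {
    const url = new URL(src, pageUrl);
    const allowed = sources === null
      ? true
      : sources.some((e) => sourceAllows(e, url, pageOrigin));
    return { url: url.href, allowed };
  });
}

// Constructed sample input. The bank domain is hypothetical; the last entry is
// the attacker-controlled host named in the article (defanged there as
// "jscdnpack[.]com").
const PAGE_URL = 'https://online.example-bank.test/login';
const SAMPLE_SCRIPTS = [
  '/static/app.js',
  'https://cdn.example-bank.test/jquery.min.js',
  'https://jscdnpack.com/inject.js',
];
// Weak policy: any HTTPS origin may supply scripts, so the injection loads.
const LOOSE_POLICY = "default-src 'self'; script-src https:";
// Corrected policy: only the page's own origin and the bank's CDN host.
const STRICT_POLICY = "default-src 'self'; script-src 'self' https://cdn.example-bank.test";

for (const [name, policy] of [['loose', LOOSE_POLICY], ['strict', STRICT_POLICY]]) {
  for (const r of evaluateScripts(policy, PAGE_URL, SAMPLE_SCRIPTS)) {
    console.log(`${name}: ${r.allowed ? 'ALLOW' : 'BLOCK'} ${r.url}`);
  }
}
```

Under the loose policy all three scripts load, including the one from the attacker's host; under the strict policy the first two load and the third is blocked. The design point is that a scheme-only source such as `https:` says nothing about who controls the origin, so an allowlist of named hosts (plus `'self'`) is the minimum worth deploying on a login page. A real deployment should additionally pin third-party scripts with Subresource Integrity and report violations via `report-to`, neither of which this simplified evaluator models.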
Possible Origins and Advanced Capabilities
Although the malware’s exact origin remains unknown, indicators of compromise (IoCs) suggest a possible connection to the DanaBot family, a known information stealer and loader. DanaBot has previously been distributed through malicious ads on Google Search and has served as an initial access vector for ransomware attacks. The sophistication of this threat lies in its man-in-the-browser capabilities: the injected code communicates dynamically with the attacker-controlled server and adapts its web injections to the server’s instructions.
Financial Data Breach
This web-injection campaign unfolds against a backdrop of escalating financial fraud. Sophos recently exposed a scheme involving a fake liquidity mining service that netted the threat actors nearly $2.9 million in cryptocurrency from 90 victims. The scheme, orchestrated by three separate threat activity groups, points to a broader network potentially affiliated with a single organized crime ring, possibly based in China.
According to Europol’s Internet Organised Crime Threat Assessment (IOCTA), investment fraud and business email compromise (BEC) remain the most prolific online fraud schemes. The agency highlights the concerning trend of combining investment fraud with other scams, such as romance scams, in which criminals build trust with victims before persuading them to invest in fraudulent cryptocurrency platforms.
Diversified Cyber Threats
Beyond financial institutions, cyber threats continue to diversify. Group-IB, a cybersecurity company, reports identifying 1,539 phishing websites impersonating postal operators and delivery companies since November 2023. The campaign spans 53 countries, with Germany, Poland, Spain, the U.K., Turkey, and Singapore as the primary targets.
Evasive Tactics and Global Impact
The operation sends SMS messages that mimic reputable postal services, prompting recipients to visit counterfeit websites and enter personal and payment details under the pretext of an urgent or failed delivery. Notably, it employs several evasion methods: access to the phishing sites is restricted by geographic location, device type, and operating system, and each site is kept online only briefly, improving its chances of going undetected.