Threat actors have been extensively using a sophisticated web-inject kit called drIBAN to orchestrate fraudulent attacks against corporate banking institutions and their customers.
According to a new advisory by Cleafy security researchers, drIBAN was first discovered in 2019. It uses JavaScript code tailored to target various entities within the corporate banking sector.
Operating as part of a man-in-the-browser (MITB) attack, the web injects let criminals manipulate the content of legitimate web pages in real time. Because the injected code runs inside the victim's browser, after TLS has already decrypted the traffic, transport encryption offers no protection against it.
Federico Valentini, Cleafy's head of threat intelligence and incident response, and Alessandro Strino, a malware analyst, explained that drIBAN's capabilities lie in its ATS (Automatic Transfer System) engine.
This lets the threat actors push money transfers out of compromised victims' machines without stealing credentials or two-factor authentication (2FA) codes: the fraudulent transfer rides on a session the victim has already authenticated, and the 2FA codes banks commonly require at login and payment authorization are supplied by the victim as part of what looks like a normal transaction.
In particular, drIBAN can conduct large-scale ATS attacks. It operates by altering legitimate banking transfers made by users, changing the beneficiary and diverting funds to illegitimate bank accounts controlled by the malicious actors or their affiliates.
Valentini and Strino also said that drIBAN has evolved throughout the years, adopting evasive tactics to thwart detection and analysis.
The researchers added that they observed polymorphic techniques in June 2021, where identifiable characteristics like specific variable names were frequently altered, making it challenging to track the malicious payloads.
In addition to its technical capabilities, drIBAN has also introduced an extortion feature. Throughout the past year, Cleafy identified multiple extortion messages embedded within the web inject payloads.
These messages were written in broken English, signaling an attempt to negotiate with targeted banking institutions to halt attacks on their corporate clients.
To combat these evolving threats, Cleafy emphasized the need for effective cooperation between the private sector, financial institutions, computer emergency response teams (CERTs), law enforcement agencies and other stakeholders.
"Proactive prevention measures, such as sharing threat intelligence and implementing robust security measures, are vital to safeguarding corporate bank accounts and mitigating the impact of sophisticated APT campaigns," the company wrote.
"By fostering cooperation and implementing a unified defense strategy, we can strengthen our resilience against these malicious activities and defend the integrity of the European banking sector."