The malware was first discovered by IBM’s security team, where the researchers noted that the threat actors have been preparing for the campaign since December 2022, after buying the malicious domains.
The attacks used scripts that were loaded from the attacker's server to intercept user credentials and one-time passwords (OTPs) by focusing on a particular page structure that is shared by numerous institutions.
The attackers can access the victim's bank account, lock them out by altering security settings, and carry out illicit transactions by obtaining the aforementioned information.
The attack begins when the threat actors infect the victim’s device with the malware. While IBM’s report did not specify the details of this stage, it is more likely that this is done through malvertizing, phishing emails, etc.
The malicious software inserts a new script tag with a source ('src') property pointing to an externally hosted script once the victim visits the malicious websites of the attackers.
On the victim's browser, the malicious obfuscated script is loaded to change the content of webpages, obtain login credentials, and intercept one-time passcodes (OTP).
IBM found this extra step unusual since most malware can perform web injections directly on the web page.
It is also noteworthy to mention that the malicious script uses names like cdnjs[.]com and unpkg[.]com to mimic authentic JavaScript content delivery networks (CDNs) in an attempt to avoid detection. Moreover, the script verifies the existence of particular security products before execution.
Also, the script tends to continuously mend its behaviour to the command and control server’s instructions, sending updates and receiving specific outputs that guide its activity on the victim’s device.
A "mlink" flag set by the server controls its various operational states, which include injecting phone number or OTP token prompts, displaying error warnings, or mimicking page loading as part of its data-stealing tactic.
IBM notes that nine “mlink” variable values can be combined to instruct the script to carry out certain, distinct data exfiltration activities, indicating how a wide range of commands is being supported.
According to IBM, this campaign is still a work in progress, thus the firm has urged online users to use online banking portals and apps with increased caution.