Italian corporate banking customers are the target of an ongoing financial fraud campaign that has been exploiting a new set of web injection tools called drIBAN at least since 2019.
“The main purpose of drIBAN fraud operations is to infect Windows workstations within corporate environments that attempt to alter legitimate bank transfers made by victims by changing the payee and transferring money to an illegitimate bank account,” they said. say Cleafy researchers Federico Valentini and Alessandro Strino.
The bank accounts, according to the Italian cyber security company, are controlled by the threat actors themselves or their affiliates, who are then tasked with laundering the stolen funds.
Using web injections is a time-tested tactic that makes it possible for malware to inject custom scripts on the client side using a man-in-the-browser (MitB) attack and intercept traffic to it from the server.
Fraudulent transactions are often carried out using a technique called Automatic Transfer System (ATS) which is able to bypass anti-fraud systems put in place by banks and initiate unauthorized bank transfers from the victim’s computer.
Over the years, the operators behind drIBAN have acquired more knowledge to avoid detection and develop effective social engineering strategies, as well as establishing a foothold for long periods in corporate banking networks.
Cleafy said 2021 was the year the classic “banking trojan” evolved into an advanced persistent threat. Additionally, there are indications that the cluster of activity overlaps with a 2018 campaign mounted by an actor tracked by Proofpoint as TA554 targeting users in Canada, Italy, and the United Kingdom.
The attack chain begins with a certified email (or PEC email) in an attempt to lull victims into a false sense of security. These phishing emails carry an executable file that acts as a download for a malware called sLoad (also known as the Starslord loader).
A PowerShell loader, sLoad is a reconnaissance tool that collects and exfiltrates information from the compromised host, with the purpose of evaluating the target and dropping a larger payload such as Ramnit if the target is deemed profitable .
“This ‘enrichment phase’ could continue for days or weeks, depending on the number of infected machines,” Cleafy noted. “Additional data will be exfiltrated to make the resulting botnet increasingly robust and coherent.”
Learn how to stop ransomware with real-time protection
Join our webinar and learn how to stop ransomware attacks with real-time MFA and service account protection.
Save my seat!
sLoad also exploits life-out-of-land (LotL) techniques by abusing legitimate Windows tools such as PowerShell and BITSAdmin as part of its evasion mechanisms.
Another feature of the malware is its ability to check against a predefined list of corporate banking entities to determine if the hacked workstation is one of the targets and, if so, proceed with the infection.
“All bots that successfully pass these steps will be selected by botnet operators and considered as ‘new candidates’ for bank fraud operations advancing to the next stage, where Ramnit, one of the most advanced banking trojans, will be installed “. the researchers said.
Recent reports have revealed that corporate banking clients in Italy have become the latest victims of a cyber attack. Hackers have been targeting these clients with a new web-inject toolkit called DrIBAN, which is able to steal confidential information, such as banking usernames and passwords.
High profile banking companies in Italy, such as UniCredit, UBI Banca and BancoPosta, are thought to be some of the main targets of the attack. Cyber security experts believe that the DrIBAN toolkit is capable of hiding malicious code on webpages so that it can steal personal banking data from an unsuspecting user.
These attacks are particularly worrying because the toolkit can remain hidden and undetected on webpages for an indefinite period of time, meaning that many corporate clients may not be aware that their data is being stolen. There is also evidence to suggest that hackers may be targetting customers in other parts of Europe as well.
At Ikaroa, we take cyber security very seriously, and are doing everything we can to ensure our clients are kept safe and secure online. Our team of highly trained professionals have implemented numerous measures to protect our clients from cyber threats, and are constantly looking for new ways to stay one step ahead of hackers.
We also provide our clients with the tools and resources to help them detect and prevent malicious activities, such as the DrIBAN toolkit. We are dedicated to keeping our clients informed about the latest cyber threats and how to stay safe online, so that they can stay a step ahead of cyber criminals.
