Since at least 2019, hackers have been using a web-inject toolkit called drIBAN in an ongoing financial fraud campaign against Italian corporate banking clients. Their goal is to infect Windows workstations in corporate environments and manipulate legitimate bank transfers by changing the beneficiary, so that the funds are routed to an unauthorized bank account instead of the intended recipient.
The hackers, or their affiliates, control the bank accounts where the stolen funds are laundered, according to Cleafy researchers Federico Valentini and Alessandro Strino. The campaign relies on web injects, a well-known technique in which malware running inside the victim's browser injects custom scripts into the banking site's pages, a so-called man-in-the-browser (MitB) attack. Because the injected code runs after TLS decryption and before re-encryption, the attackers can read and alter traffic to and from the bank's server while the connection still looks legitimate to both ends.
The hackers use an Automated Transfer System (ATS) technique to bypass the anti-fraud systems set up by banks: the injected code initiates unauthorized wire transfers from the victim's own computer and authenticated session, so the transaction originates from the device and login the bank already trusts. Over the years the drIBAN operators have refined their tradecraft to avoid detection, developed social engineering strategies, and maintained prolonged access inside the compromised corporate networks.
Cleafy reported that in 2021 the traditional "banking trojan" operation evolved into an advanced persistent threat. Additionally, there are indications that the activity cluster overlaps with a 2018 campaign aimed at users in Canada, Italy, and the UK by an actor tracked by Proofpoint as TA554.
To lull victims into a false sense of security, the attack chain starts with a certified email, known in Italy as a PEC (Posta Elettronica Certificata) message, a form of email with legal standing that recipients tend to trust. These phishing emails carry an executable attachment that acts as a downloader for the sLoad (aka Starslord) loader malware.