drIBAN Fraud Operations Target Corporate Banking Customers

Cyber Security Threat Summary:
Threat actors have extensively employed an advanced web-inject kit known as drIBAN to orchestrate fraudulent assaults on corporate banking institutions and their customers. As stated in a recent advisory from Cleafy security researchers, drIBAN was initially discovered in 2019. It utilizes customized JavaScript code to specifically target different entities within the corporate banking sector. Functioning as part of a Man-in-the-Browser attack, these web injects enable cyber criminals to manipulate the content of legitimate web pages in real time from inside the browser, where TLS protection no longer applies.

“Federico Valentini, Cleafy's head of threat intelligence and incident response, and Alessandro Strino, a malware analyst, explained that drIBAN's capabilities lie in its ATS (Automatic Transfer System) engine. This enables the threat actors to receive money transfers from compromised victims' machines without needing credentials or two-factor authentication (2FA) codes, commonly used by banks during login and payment authorization phases. In particular, drIBAN can conduct large-scale ATS attacks. It operates by altering legitimate banking transfers made by users, changing the beneficiary and diverting funds to illegitimate bank accounts controlled by the malicious actors or their affiliates. Valentini and Strino also said that drIBAN has evolved throughout the years, adopting evasive tactics to thwart detection and analysis” (BleepingComputer, 2023).

Analyst comments:

Researchers further noted that in June 2021 they observed the use of polymorphic techniques, whereby distinct attributes such as variable names were frequently modified. This made it difficult to trace the malicious payloads effectively. Apart from its technical functionality, drIBAN has also incorporated an extortion component. Over the past year, Cleafy discovered several extortion messages embedded within the web-inject payloads. These messages were written in imperfect English, indicating an attempt to negotiate with targeted banking institutions in order to cease attacks on their corporate clients.

Suggested Correction(s):
Researchers at Cleafy emphasize that preemptive actions, such as sharing threat intelligence and implementing robust security measures, are vital to safeguarding corporate bank accounts and mitigating the impact of sophisticated APT campaigns.
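As an added illustration (not code from Cleafy's advisory or the article above) of why the 2FA codes mentioned earlier do not stop an ATS beneficiary swap unless the code is bound to the transfer itself: the weak pattern below proves only that the user is present, while the transaction-bound pattern (a simplified model of "dynamic linking", assumed here as the mitigation) recomputes the code from the beneficiary and amount actually submitted. All keys and IBAN-like strings are constructed sample values.

```python
import hmac
import hashlib

# Constructed sample values (not from the advisory): a server-side key and one transfer.
SERVER_KEY = b"demo-key-not-a-real-secret"
REVIEWED_TRANSFER = {"amount": "1250.00", "iban": "DE00SAMPLE000000000000"}  # what the user saw
ALTERED_TRANSFER = {"amount": "1250.00", "iban": "LT00MULE00000000000000"}   # what an ATS inject submits


def _derive_code(key: bytes, message: str) -> str:
    """Truncate an HMAC-SHA256 tag to a 6-digit code, as an OTP device would display it."""
    tag = hmac.new(key, message.encode(), hashlib.sha256).digest()
    return f"{int.from_bytes(tag[:4], 'big') % 1_000_000:06d}"


def session_otp(key: bytes, session_id: str) -> str:
    """Weak pattern: the code proves the user is present but says nothing about the transfer."""
    return _derive_code(key, f"session:{session_id}")


def transaction_code(key: bytes, amount: str, iban: str) -> str:
    """Transaction-bound pattern: the code covers the amount and beneficiary shown out of band."""
    return _derive_code(key, f"transfer:{amount}:{iban}")


def verify_session_otp(key: bytes, session_id: str, submitted: dict, code: str) -> bool:
    # The submitted beneficiary never enters the check, so a swapped IBAN still passes.
    return hmac.compare_digest(session_otp(key, session_id), code)


def verify_transaction_code(key: bytes, submitted: dict, code: str) -> bool:
    # The server recomputes the code from what was actually submitted, so a swapped IBAN fails.
    expected = transaction_code(key, submitted["amount"], submitted["iban"])
    return hmac.compare_digest(expected, code)


def simulate_ats(key: bytes, bind_to_transaction: bool) -> bool:
    """Return True if the bank's check would accept the altered transfer."""
    session = "sess-42"
    # The user authorises the transfer they reviewed; the inject swaps the IBAN before submission.
    if bind_to_transaction:
        code = transaction_code(key, REVIEWED_TRANSFER["amount"], REVIEWED_TRANSFER["iban"])
        return verify_transaction_code(key, ALTERED_TRANSFER, code)
    code = session_otp(key, session)
    return verify_session_otp(key, session, ALTERED_TRANSFER, code)


if __name__ == "__main__":
    print("session OTP accepts altered transfer:", simulate_ats(SERVER_KEY, False))        # True
    print("transaction-bound code accepts altered transfer:", simulate_ats(SERVER_KEY, True))  # False
```

The binding only helps if the out-of-band channel shows the user the beneficiary and amount being signed, which is what the in-browser inject cannot alter.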

Link(s):
https://www.infosecurity-magazine.com/news/driban-target-corporate-banking/