Italian corporate banking clients are under attack from an ongoing financial fraud campaign that has been using a web-inject toolkit called drIBAN since at least 2019.
According to Cleafy researchers Federico Valentini and Alessandro Strino, the main goal of drIBAN fraud operations is to infect Windows workstations in corporate environments and alter legitimate banking transfers performed by victims by changing beneficiaries and transferring money to illegitimate bank accounts.
The use of web injects via a man-in-the-browser (MitB) attack is a time-tested tactic: malware running on the victim's machine injects custom scripts into the banking pages on the client side, inside the browser, so it can read and alter traffic to and from the bank's server after TLS has been terminated, with no certificate warning for the user. Fraudulent transactions are often realized by means of the Automated Transfer System (ATS) technique, in which the injected script rewrites the beneficiary (and, if needed, the amount) of a transfer the victim is already performing; because the transfer is initiated from the victim's own computer and authenticated session, it can bypass anti-fraud systems put in place by banks and results in an unauthorized wire transfer.
The operators behind drIBAN have become more sophisticated over the years in avoiding detection and developing social engineering strategies, while establishing long-lived footholds in the networks of the corporate customers they target. Cleafy said 2021 was the year when the classic "banking trojan" operation evolved into an advanced persistent threat. The attack chain starts with a certified email (a PEC email, Posta Elettronica Certificata, the legally certified email service used in Italy) that carries an executable file acting as a downloader for malware called sLoad (aka Starslord loader).
The malware uses a PowerShell loader and living-off-the-land (LotL) evasion techniques, and it checks the compromised workstation against a predefined list of corporate banking institutions to determine whether it belongs to one of the intended targets. Only if the checks pass is Ramnit, one of the most advanced banking trojans, installed.