New JavaScript Malware Targeted 50,000+ Users at Dozens of Banks Worldwide

silversurfer

A new piece of JavaScript malware has been observed attempting to steal users' online banking account credentials as part of a campaign that has targeted more than 40 financial institutions across the world.

The activity cluster, which employs JavaScript web injections, is estimated to have led to at least 50,000 infected user sessions spanning North America, South America, Europe, and Japan.

IBM Security Trusteer said it detected the campaign in March 2023.

"Threat actors' intention with the web injection module is likely to compromise popular banking applications and, once the malware is installed, intercept the users' credentials in order to then access and likely monetize their banking information," security researcher Tal Langus said.
 
From the linked blog:

Legitimate        Malicious
jscdnpack[.]com   cdnjs[.]com
unpack[.]com      unpkg[.]com

Shouldn't that be:

Malicious         Legitimate
jscdnpack[.]com   cdnjs[.]com
unpack[.]com      unpkg[.]com

Just block their servers in your hosts file:

0.0.0.0 jscdnpack.com
0.0.0.0 unpack.com

However, on the IP address of jscdnpack.com (155.138.200.91) there is also:
unpackg.com
Source: here.
Maybe they mean that one? :unsure:
 
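As an added illustration (not code from the thread or from the IBM report), the check below parses a page's script sources, flags any that load from the lookalike CDN domains named above, and emits the matching hosts-file lines. The sample HTML is constructed; treating unpackg.com as part of the blocklist and matching subdomains such as cdn.jscdnpack.com are my assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Domains the thread identifies as lookalikes of real CDNs (de-fanging removed).
# unpackg.com is included on the assumption that sharing jscdnpack.com's
# IP address, as the reply notes, makes it part of the same infrastructure.
LOOKALIKE_CDNS = {"jscdnpack.com", "unpack.com", "unpackg.com"}
# The legitimate CDNs they imitate (for reference; never flagged).
LEGITIMATE_CDNS = {"cdnjs.com", "unpkg.com"}


class ScriptSrcParser(HTMLParser):
    """Collects the src attribute of every <script> tag."""
    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            for name, value in attrs:
                if name.lower() == "src" and value:
                    self.sources.append(value)


def script_hosts(html):
    """Lowercase hostnames of all external script sources in the page."""
    parser = ScriptSrcParser()
    parser.feed(html)
    hosts = []
    for src in parser.sources:
        # Protocol-relative URLs (//host/path) need a scheme for urlsplit.
        url = "https:" + src if src.startswith("//") else src
        host = urlsplit(url).hostname
        if host:
            hosts.append(host.lower())
    return hosts


def flagged_hosts(html):
    """Script hosts that are a lookalike domain or a subdomain of one."""
    return [h for h in script_hosts(html)
            if any(h == bad or h.endswith("." + bad) for bad in LOOKALIKE_CDNS)]


def hosts_file_lines(domains=LOOKALIKE_CDNS):
    """hosts-file entries sinkholing each domain, as the reply suggests."""
    return [f"0.0.0.0 {d}" for d in sorted(domains)]


# Constructed sample: one legitimate CDN script and one injected lookalike.
SAMPLE_HTML = """<html><head>
<script src="https://cdnjs.com/libs/jquery.min.js"></script>
<script src="//cdn.jscdnpack.com/loader.js"></script>
<script>console.log('inline');</script>
</head><body></body></html>"""

if __name__ == "__main__":
    print("flagged:", flagged_hosts(SAMPLE_HTML))
    print("\n".join(hosts_file_lines()))
```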