New JavaScript malware targets 50K bank users worldwide

SISA Weekly Threat Watch, December 25, 2023

Recent cybersecurity incidents showcased a diverse range of threats, including the evolving tactics of BazarCall phishing attacks, zero-click Outlook remote code execution exploits, the emergence of JaskaGO malware, sophisticated JavaScript-based malware targeting global banks, and Google’s urgent patch for a zero-day vulnerability affecting Chrome and other browsers. These varied threats underscore the critical need for enhanced security measures and prompt updates to mitigate evolving cyber threats.

SISA Weekly Threat Watch – our weekly feature brings to you a quick snapshot of all the major security vulnerabilities that posed a threat to organizations worldwide. These recurring actionable threat advisories will also provide information and recommendations that will help security teams take appropriate actions to defend against the latest and critical threats.

1. BazarCall exploits Google Forms in recent phishing attack

BazarCall, a phishing attack scheme initially discovered in 2021, has evolved its tactics by exploiting Google Forms to create deceptive payment receipts. Recent variants of BazarCall impersonate renowned services like Netflix, Disney+, and McAfee, using Google Forms to send false payment confirmations. Abnormal, an email security firm, revealed this new method that leverages Google Forms’ legitimacy to evade traditional security tools, enhancing the credibility of these phishing emails.

The fraudulent invoices, seemingly from ‘noreply@google.com,’ prompt recipients to dispute charges by calling a provided number within 24 hours. Victims who make the call connect with cybercriminals posing as customer support, leading to the installation of BazarLoader malware onto their systems. To counter such threats, it is recommended to invest in AI-driven email security solutions and integrate behavioral AI for anomaly detection for better threat identification and response.

2. New JavaScript malware targeted 50,000+ users at dozens of banks worldwide

A sophisticated malware campaign employing JavaScript web injections targeted over 50,000 users across 40 banks worldwide, aiming to steal banking data. The operation commenced in December 2022, utilizing injected scripts to capture user credentials and OTPs on banking websites. The attack initiates with initial device infiltration, possibly through malvertising or phishing

Once victims access compromised sites, a two-step injection process deploys a seemingly benign loader script, evading detection. This loader dynamically loads an obfuscated script, masquerading as legitimate content delivery, conducting pre-execution security checks, and adapting to commands from the control server. Mitigation strategies involve updating security tools, enhancing employee training, implementing robust endpoint protection, and conducting regular security audits.

3. Security experts uncover new insights into zero-click Outlook RCE exploits 

Microsoft addressed two now-patched security flaws (CVE-2023-35384 and CVE-2023-36710) in Windows, posing remote code execution (RCE) risks in Outlook without user interaction. CVE-2023-35384 bypasses a critical March 2023 flaw (CVE-2023-23397), enabling NTLM credential theft and relay attacks.

It works in tandem with CVE-2023-36710, leveraging a Windows Media Foundation Core vulnerability for zero-click code execution on Outlook clients via custom sound file downloads. This flaw manipulates Outlook’s reminder sound autoplay feature. Implementing microsegmentation, blocking outgoing SMB connections, and disabling NTLM can bolster security by limiting lateral threats and preventing unauthorized access.

4. New Go-based JaskaGO malware targeting Windows and macOS systems

JaskaGO, a newly discovered cross-platform information-stealing malware developed in Go programming language, poses a significant threat to both Windows and Apple macOS systems. This malware employs various tactics upon infection, initially targeting macOS through installers posing as legitimate software such as CapCut and AnyConnect.

Once established, it extracts data, executes shell commands, manipulates the clipboard for cryptocurrency theft, and persists on macOS by disabling Gatekeeper protections. To bolster cybersecurity defenses, organizations must prioritize endpoint protection, network monitoring, and regular updates, while also implementing measures like application whitelisting and the principle of least privilege.

5. Google releases urgent updates to patch exploited Chrome zero-day vulnerability 

Google has addressed a zero-day vulnerability in Chrome, the eighth such flaw this year. A high-severity vulnerability (CVE-2023-7024) was identified in the open-source WebRTC framework, used by various browsers like Firefox, Safari, and Edge for Real-Time Communications (RTC). The vulnerability, a heap buffer overflow weakness, poses a risk during activities such as video streaming and VoIP telephony via JavaScript APIs.

Acknowledging active exploitation in the wild, Google has released immediate security updates (version 120.0.6099.129/130 on Windows and 120.0.6099.129 on macOS and Linux) to curb potential risks. Users of Chromium-based browsers are strongly advised to apply forthcoming fixes promptly.

To get daily updates on the critical vulnerabilities being exploited by threat actors, subscribe to SISA Daily Threat Watch – our daily actionable threat advisories.

For a deeper understanding of how you can prevent these threats from affecting your organization, request a call to get in touch with our experts.

SISA’s Latest
close slider