Hackers target Italian corporate banking clients with web injection toolkit drIBAN

Researchers from Cleafy, an Italian cybersecurity company, note that the operation has been ongoing since at least 2019.

 Computer, Computer Hardware, Computer Keyboard, Electronics, Hardware, Pc, Person, Cross, Symbol

Italian corporate banking clients have been the target of an ongoing financial fraud campaign using a web-inject toolkit called drIBAN. The main objective is to modify legitimate bank transfers made by victims by changing the beneficiary and transferring the money to a fraudulent bank, Cleafy researchers stated. 

The use of web injects is a well-established tactic. It allows the malware to inject custom scripts on the client side via a man-in-the-browser (MitB) attack, intercepting traffic to and from the server. Fraudulent transactions are often carried out using what’s known as an Automated Transfer System (ATS), capable of bypassing anti-fraud systems.

drlBAN infection chain

Over the years, the operators behind drIBAN have become increasingly adept at evading detection and developing effective social engineering strategies. They have also established a long-term foothold in corporate banking networks. According to Cleafy, 2021 was the year of the evolution of the classic banking Trojan operation into an advanced persistent threat.