21 December 2023

New malware campaign employs JavaScript web injections to steal bank account credentials

Security researchers warn of a new malware campaign that employs JavaScript web injections to steal online banking account credentials. The campaign is part of a previously observed operation that has targeted over 40 financial institutions across the world.

The campaign was first spotted by IBM’s Security Trusteer threat intelligence team in March 2023. Since then it has produced at least 50,000 infected user sessions at more than 40 banks in North America, South America, Europe and Japan.

The researchers said that the new campaign bears similarities to the DanaBot malware operation, although they could not confirm attribution. Earlier this month, Microsoft reported that a ransomware operator it tracks as Storm-0216 has been using DanaBot to deploy Cactus ransomware.

“The JS script is targeting a specific page structure common across multiple banks. When the requested resource contains a certain keyword and a login button with a specific ID is present, new malicious content is injected,” IBM explained in a report. “Credential theft is executed by adding event listeners to this button, with an option to steal a one-time password (OTP) token with it.”

Whereas in previous campaigns the malware was observed injecting the malicious code directly into the page, this activity cluster hosts the script on a remote server and retrieves it by injecting a script tag into the head element of the page’s HTML document, with the src attribute pointing at the malicious domain. Hosting the payload remotely lets the operators change the injected logic server-side without touching the infected machine.

“During our investigation, we observed that the malware initiates data exfiltration upon the initial retrieval of the script. It appends information, such as the bot ID and different configuration flags, as query parameters,” the experts noted. “The computer’s name is usually used as the bot ID, which is information that isn’t available through the browser. It indicates that the infection has already occurred at the operating system level by other malware components, before injecting content into the browser session.”

“This sophisticated threat showcases advanced capabilities, particularly in executing man-in-the-browser attacks with its dynamic communication, web injection methods and the ability to adapt based on server instructions and current page state,” the researchers concluded.
