IBM X-Force Research observed that a relatively new Zeus Trojan variant known as Panda, or Panda Banker, that started targeting banks in Europe and North America early this year has now spread to Brazil. According to IBM X-Force Research, Panda now targets 10 local bank brands and multiple payment platforms right as Brazil prepares to host a global sporting event.
As its name suggests, Zeus Panda is yet another Zeus v2 Trojan iteration built upon the same source code leaked in 2011 — one that evidently keeps enabling the delivery of more commercial banking Trojans into the world.
IBM X-Force Research believes that Zeus Panda is being peddled via Dark Web underground boards by the developer who put it together. It is sold in cybercrime-as-a-service packages to other cybercriminals.
Panda Arrives in Brazil
IBM X-Force Research has been detecting Zeus Panda variants since Q1 2016. At first, botnets spreading and attacking users with this malware primarily targeted banks in Europe and North America, focusing on the U.K., Germany, the Netherlands, Poland, Canada, the U.S. and others. While Panda configurations focus on targeting personal online banking services, they are rather diverse. Other targets include online payments, prepaid cards, airline loyalty programs and online betting accounts, to name a few.
Panda is clearly one hungry bear. The malware continues to spread to new geographies and is now targeting users in Brazil. First appearing in Brazil in July 2016, the related Panda variant likely has links to a locally operated, professional cybercrime faction. The variants fetched a new Brazil-focused configuration, which was set up to steal credentials from users of 10 major bank brands in the country, as well as those of bitcoin exchange platforms, payment card services and online payments providers, among others, per X-Force findings.
Panda’s Big Appetite for Local Grub
Zeus Panda’s Brazilian configuration file has a notable local hue. Aside from including the URLs of major banks in the country, Panda’s operators are also interested in infecting users who access delivery services for a Brazilian supermarket chain, local law enforcement websites, local network security hardware vendors, Boleto payments and a loyalty program specific to Brazil-based commerce. Other targets include customer logins to a company that offers ATM management services and secure physical access technology for banks.
Who is behind this new botnet? Attribution remains elusive. However, from the attack flows analyzed by X-Force Research, it is evident that Brazil’s Panda gang is very well-versed in the operation of banking Trojans of this grade. In comparison to other Zeus Panda botnets, and most banking Trojan configurations in general, this Brazilian iteration suggests the involvement of a professional cybercrime group that is at least partly located in Brazil. A hint pointing to Panda’s operators’ possible origins is the URL of a Russia-based online service that helps users with instant money transfers, payments, top-up and output via online payments platforms, payments through mobile operators and more.
Teaching a New Panda Old Tricks
Is there anything special about Zeus Panda at this time? The malware is based on existing code and performs the same online fraud methods that X-Force researchers see with other banking Trojans. Panda grabs login credentials on the fly, is capable of injecting malicious code into ongoing web sessions to trick users with social engineering, and its operators are versed in the use of automated transaction panels (ATS).
According to attack attempts detected by IBM Security antifraud solutions, Panda’s operators’ favored fraud methodology is account takeover, in which victim credentials are stolen and then used to initiate a transaction from another device. The victim is held online by deceptive pop-up windows that require one-time passwords and allow the attacker to complete a fraudulent transaction in real time.
Zeus Panda’s top infection vector is poisoned Word documents with macros that activate the malware deployment on victims’ machines. It has been seen to spread via popular exploit kits, such as Angler and Neutrino. It also targets company email addresses with personalized messages designed to lure victims on a more selective basis than indiscriminate spam.
Under the hood, this Trojan does feature a few modifications, mostly relevant to its encryption and communications schemes, which were recently reported in detail.
Zeus All Over
From a global perspective, Zeus variations remain one of the most dominant malware problems to affect the financial sector. Looking back at the past five years, Zeus-based banking Trojans maintained one of the top ranks on the global malware chart based on the attack volumes they facilitate.
Figure 1 lists the top financial malware in the world for the first half of 2016. Ranking third is the Zeus variations line, which accounts for 15 percent of attacks worldwide and includes Zeus VM, Citadel and Panda variants, as well as generic Zeus v2 deployments operated by small cybercrime factions in different parts of the world.
Figure 1: Top Financial Malware per Attack Volume (Source: IBM Trusteer)
What’s Next for Panda?
Panda’s move to Brazil is a very interesting occurrence in the country. Brazil’s cybercrime landscape is dominated by relatively simplistic codes designed for specific fraud scenarios, such as Boleto fraud, remote access fraud and malware used for phishing.
Zeus Panda may not be the first ever modular banking Trojan to operate in Brazil, but it is definitely a major step up from the malicious Delphi-based malcode that’s so typical in the country. This migration of a new and commercial Zeus variant into Brazil also underscores the growing collaboration between Brazil-based cybercriminals and cybercrime vendors from other countries and underground communities — a trend that has been picking up speed in Brazil since the beginning of this year.
Judging by recent emerging campaigns observed by X-Force Research, Zeus Panda appears to be an active and evolving project that is being commercialized to cybercriminals through Dark Web forums. As such, we expect to see more variations of this malware and new botnets appearing in the coming months, likely targeting different countries beyond those appearing in current configurations.
In the last few years, malware developers have been disinclined to sell banking Trojans in the underground for fear of being discovered by law enforcement. Panda’s vendor may or may not continue to sell the malware at the risk of encountering the same fate that befell other malware authors in the recent past.
Mitigating Zeus Panda Attacks
IBM Security has studied the Zeus Panda banking malware and its various attack schemes and can help banks and targeted organizations learn more about this high-risk threat. To help stop threats like Panda Banker, banks and service providers can use adaptive malware detection solutions and protect customer endpoints with malware intelligence that provides real-time insight into fraudster techniques and capabilities, designed to address the relentless evolution of the threat landscape.
Users looking to prevent malware infections on their endpoints must keep their operating system up to date at all times, update frequently used programs and delete those they no longer use. Browsing hygiene for the prevention of Trojan infection includes disabling ads and avoiding susceptible sites typically used as infection hubs, sites such as adult content, torrents and free gaming, to name a few. Also, since Panda Banker and similar banking malware is usually delivered as an email attachments, never click on links or attachments in unsolicited email.
Sample MD5 hashes for the Panda Trojan are:
- e9dd9705409df3739183fb16583686dd; and
AV aliases include Gen:Variant.Graftor.296387, according to VirusTotal.
IBM X-Force Research will be updating information and IOCs on Panda Banker via the X-Force Exchange platform. Join XFE today to keep up to date regarding this threat and other findings from our cybercrime labs.
Read the white paper: Accelerating growth and digital adoption with seamless identity trust