Meet Panda Banker, One of the Most Recent Zeus Banking Trojan's Offspring
Malware analysts from Proofpoint and Fox-IT InTELL have come across a new banking trojan, related to the old Zeus trojan, targeting banks in Australia and the UK.

Detected for the first time on March 10, this new banking trojan, named Panda Banker, spreads the way most other banking trojans do: via weaponized Word files.

These Word files either use vulnerabilities in Microsoft Office (CVE-2014-1761 and CVE-2012-0158) or rely on social engineering tricks, trying to convince users to enable Macro support in the Word files.

Once this happens and Panda Banker gets a foothold on the victim's PC, it gathers information about the local machine and sends it to its C&C (command and control) server, which builds a fingerprint of the infected host so that it can distinguish it from other bots.
"Panda Banker only targets banks operating in the UK and Australia"

The information Panda Banker sends to its C&C server from each infected host includes the current username, installed antivirus and firewall solutions, OS version information, computer name, local time, and more.

The server then responds with a configuration file in JSON format, with a list of alternative C&C domains, and a list of websites where the banking trojan should insert malicious code.

These latter websites are nothing more than banking portals. Proofpoint has seen the trojan targeting the clients of banks like Santander Bank, Lloyds Bank, Bank of Scotland, TSB, and Halifax UK.
"Panda Banker also distributed via exploit kits"

Its normal mode of operation resembles that of Zeus: it hooks browser processes and injects malicious code into the web pages of the aforementioned banking portals (so-called web injects), stealing the user's login credentials.

Besides infecting users via Word files, Proofpoint has also seen the crooks employ three different exploit kits (Angler, Nuclear, and Neutrino) to deliver their trojan to unsuspecting victims. The strangest detail about this campaign is that the crooks used geo-location filters so only Australian and British users would be infected.

"Like many modern banking Trojans, Panda Banker appears to have roots in Zeus with sophisticated means of establishing persistence and uses in both targeted and widespread attacks," Proofpoint noted. "Banking Trojans like Zeus, Dyre, Tinba, and Dridex have netted cybercriminals billions of dollars by stealing banking credentials and, in many cases, generating fraudulent transactions."
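The article describes the C&C returning a JSON config that carries alternative C&C domains and a list of banking sites to inject into. The following Python is an added example, not code from the article or from Proofpoint/Fox-IT, of how an analyst would turn such a recovered config into a blocklist and check which visited URLs the inject targets would match. The field names (`servers`, `webinjects`, `target`, `inject`), the glob-style URL-pattern syntax and all hostnames (`.example`) are assumptions made for illustration; the real Panda Banker schema is not given on the page.

```python
"""Pull network indicators out of a Panda Banker-style JSON bot config.

Added example, not code from the article or from Proofpoint/Fox-IT.
The field names and the URL-pattern syntax are assumptions; only the
shape (C&C list + inject-target list in JSON) comes from the article.
"""
import json
import re
from fnmatch import fnmatchcase
from urllib.parse import urlsplit

# Constructed sample config; every hostname is fictional (.example).
SAMPLE_CONFIG = json.dumps({
    "servers": [
        "https://cnc-primary.example/gate.php",
        "https://cnc-backup.example/gate.php",
    ],
    "webinjects": [
        {
            "target": "*bank-a.example/*",
            "inject": "<script src=\"https://inj-host.example/a.js\"></script>",
        },
        {
            "target": "*online.bank-b.example/login*",
            "inject": "<script src=\"https://inj-host.example/b.js\"></script>",
        },
    ],
})

# Matches the src= of a script tag inside an inject payload.
SCRIPT_SRC = re.compile(r"""src=["']?(https?://[^"'\s>]+)""", re.IGNORECASE)


def parse_config(raw):
    """Decode the JSON config and keep only the two lists we care about."""
    cfg = json.loads(raw)
    return {
        "servers": list(cfg.get("servers", [])),
        "webinjects": list(cfg.get("webinjects", [])),
    }


def _host(url):
    return urlsplit(url).hostname or ""


def extract_iocs(cfg):
    """Return C&C hosts, hosts serving inject scripts, and the target patterns."""
    c2_hosts = {_host(u) for u in cfg["servers"]}
    inject_script_hosts = set()
    target_patterns = []
    for wi in cfg["webinjects"]:
        target_patterns.append(wi["target"].lower())
        for src in SCRIPT_SRC.findall(wi.get("inject", "")):
            inject_script_hosts.add(_host(src))
    return {
        "c2_hosts": c2_hosts,
        "inject_script_hosts": inject_script_hosts,
        "target_patterns": target_patterns,
    }


def url_is_targeted(url, cfg):
    """Return the inject patterns a visited URL satisfies (host+path+query, case-insensitive)."""
    parts = urlsplit(url)
    haystack = (parts.netloc + parts.path).lower()
    if parts.query:
        haystack += "?" + parts.query.lower()
    return [p for p in extract_iocs(cfg)["target_patterns"] if fnmatchcase(haystack, p)]


def blocklist(cfg):
    """Sorted hostnames an infected host would contact: C&C plus inject-script hosts."""
    iocs = extract_iocs(cfg)
    return sorted(iocs["c2_hosts"] | iocs["inject_script_hosts"])


if __name__ == "__main__":
    cfg = parse_config(SAMPLE_CONFIG)
    print("block:", blocklist(cfg))
    for u in ("https://online.bank-a.example/login", "https://bank-c.example/"):
        print(u, "->", url_is_targeted(u, cfg) or "not targeted")
```

The inject-script hosts matter as much as the C&C hosts: the injected page content is typically fetched from a separate server, so blocking only the C&C leaves the credential-stealing code reachable. Patterns are matched against host plus path so that a target like `*online.bank-b.example/login*` only fires on the login page, which is how inject targeting is usually scoped.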

