Panda Banker targets only banks in Australia, the UK
Malware analysts from Proofpoint and Fox-IT InTELL have come across a new banking trojan, related to the old Zeus trojan, that targets banks in Australia and the UK.
Detected for the first time on March 10, this new banking trojan, named Panda Banker, spreads the way other banking trojans do: via weaponized Word files. These Word files either exploit vulnerabilities in Microsoft Office (CVE-2014-1761 and CVE-2012-0158) or rely on social engineering, trying to convince users to enable macro support in the Word files.
Once this happens and Panda Banker gets a foothold on the victim's PC, it gathers information about the local host and sends it to its C&C (command and control) server, which builds a fingerprint of the infected host so that it can distinguish it from other bots.
Panda Banker only targets banks operating in the UK, Australia
The information Panda Banker sends to its C&C server from each infected host includes the current username, installed antivirus and firewall solutions, OS version information, computer name, local time, and more.
The server then responds with a configuration file in JSON format containing a list of alternative C&C domains and a list of websites where the banking trojan should insert malicious code. These latter websites are banking portals. Proofpoint has seen the trojan targeting the clients of banks such as Santander Bank, Lloyds Bank, Bank of Scotland, TSB, and Halifax UK.
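For a defender who has recovered a decoded config of this shape, the useful step is turning it into indicators: the alternative C&C hostnames for blocklists and DNS/proxy hunting, and the inject target patterns to see which of an organisation's own portal URLs the trojan would tamper with. The script below is an added example written for this article, not code from Proofpoint, Fox-IT or the malware; the JSON field names (`servers`, `injects`, `target`, `script`), the `*` wildcard convention and the sample domains are assumptions, since the article does not describe the real schema.

```python
import json
import re
from urllib.parse import urlparse

# Constructed sample configuration, shaped like the one the article describes
# (alternative C&C servers plus a list of banking sites to inject into).
# Field names, wildcard syntax and values are assumptions for this example,
# not Panda Banker's real schema; the domains are reserved example names.
SAMPLE_CONFIG = json.dumps({
    "botnet": "example-campaign",
    "servers": [
        "https://cnc-alt1.example/gate.php",
        "http://cnc-alt2.example:8080/cfg",
        "https://cnc-alt1.example/gate.php",   # duplicate, collapsed below
    ],
    "injects": [
        {"target": "https://online.bank-a.example/login*",
         "script": "<!-- placeholder inject body -->"},
        {"target": "*bank-b.example/auth*",
         "script": "<!-- placeholder inject body -->"},
    ],
})


def load_config(raw: str) -> dict:
    """Parse the decoded JSON config, tolerating missing sections."""
    cfg = json.loads(raw)
    if not isinstance(cfg, dict):
        raise ValueError("config root must be a JSON object")
    cfg.setdefault("servers", [])
    cfg.setdefault("injects", [])
    return cfg


def c2_hostnames(cfg: dict) -> list:
    """Unique C&C hostnames, sorted, ready for a blocklist or log search."""
    hosts = set()
    for url in cfg["servers"]:
        host = urlparse(url).hostname   # strips scheme, port and path
        if host:
            hosts.add(host.lower())
    return sorted(hosts)


def glob_to_regex(pattern: str) -> "re.Pattern":
    """Turn a '*' wildcard URL pattern into an anchored, case-insensitive regex."""
    escaped = re.escape(pattern).replace(r"\*", ".*")
    return re.compile(escaped, re.IGNORECASE)


def inject_targets(cfg: dict) -> list:
    """URL patterns the config says the trojan will inject into."""
    return [entry["target"] for entry in cfg["injects"] if "target" in entry]


def targeted_urls(cfg: dict, urls) -> list:
    """Filter observed URLs (e.g. from proxy logs) down to those an inject would hit."""
    regexes = [glob_to_regex(p) for p in inject_targets(cfg)]
    return [u for u in urls if any(r.fullmatch(u) for r in regexes)]


def indicators(raw: str) -> dict:
    """Summarise a config as the two indicator lists a SOC would consume."""
    cfg = load_config(raw)
    return {"c2_hosts": c2_hostnames(cfg), "inject_targets": inject_targets(cfg)}


if __name__ == "__main__":
    # Constructed URLs standing in for proxy-log entries.
    seen = [
        "https://online.bank-a.example/login?lang=en",
        "https://www.bank-b.example/auth/step2",
        "https://online.bank-a.example/help",
    ]
    print(json.dumps(indicators(SAMPLE_CONFIG), indent=2))
    print("targeted:", targeted_urls(load_config(SAMPLE_CONFIG), seen))
```

Hostnames rather than full URLs are extracted because the path and port of a gate can change between config pushes while the domain is what a resolver or proxy log actually records; the inject patterns are matched with `fullmatch` so that a trailing `*` in the config is the only thing that allows extra path or query text.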
Panda Banker also distributed via exploit kits
Its normal mode of operation resembles Zeus, which hijacks browser processes and injects malicious code into the web pages of the aforementioned banking portals, stealing the user's login credentials.
Besides infecting users via Word files, Proofpoint has also seen the crooks employ three different exploit kits (Angler, Nuclear, and Neutrino) to deliver their trojan to unsuspecting victims. The strangest detail about this campaign is that the crooks used geo-location filters so that only Australian and British users would be infected.
"Like many modern banking Trojans, Panda Banker appears to have roots in Zeus with sophisticated means of establishing persistence and uses in both targeted and widespread attacks," Proofpoint noted. "Banking Trojans like Zeus, Dyre, Tinba, and Dridex have netted cybercriminals billions of dollars by stealing banking credentials and, in many cases, generating fraudulent transactions."