Pierluigi Paganini
May 14, 2018
Researchers at security firm F5 recently detected several campaigns leveraging the Panda Banker malware to target financial institution, the largest one aimed the banks in the US.
In March, security researchers at Arbor Networks discovered a threat actor targeting financial institutions in Japan using the latest variant of the Panda Banker banking malware (aka Zeus Panda, PandaBot).
Panda Banker was first spotted in 2016 by Fox-IT, it borrows code from the Zeus banking Trojan and is sold as a kit on underground forums, In November 2017, threat actors behind the Zeus Panda banking Trojan leveraged black Search Engine Optimization (SEO) to propose malicious links in the search results. Crooks were focused on financial-related keyword queries.
The main feature of the Panda Banker is the stealing of credentials and account numbers, it is able to steal money from victims by implementing “man in the browser” attack.
According to F5, the malware continues to target Japanese institutions and it is also targeting users in the United States, Canada, and Latin America.
“We analyzed four campaigns that were active between February and May of 2018. The three May campaigns are still active at the time of this writing. Two of the four campaigns are acting from the same botnet version but have different targets and different command and control (C&C) servers.” reads the analysis published by F5.
“Panda is still primarily focused on targeting global financial services, but following the worldwide cryptocurrency hype, it has expanded its targets to online cryptocurrency exchanges and brokerage services. Social media, search, email, and adult sites are also being targeted by Panda.”
Experts observed a spike in the activity associated with the malware in February when the malicious code was used to target financial services and cryptocurrency sites in Italy with screenshots rather than webinjects. With this technique, the attackers are able to spy on user interaction at cryptocurrency accounts.
“The Panda configuration we analyzed from February was marked as botnet “onore2.” This campaign leverage the same attack techniques as previously described, and it is able to keylog popular web browsers and VNC in order to hijack user interaction session and steal personal information.” states the analysis.
In May, the experts monitored three different Panda Banker campaigns each focused on different countries.
One of them, tracked by F5 as botnet “2.6.8,” had targets in 8 industries in North America, most of the targets (78%) are US financial organizations.
“This campaign is also targeting major social media platforms like Facebook and Instagram, as well as messaging apps like Skype, and entertainment platforms like Youtube. Additionally, Panda is targeting Microsoft.com, bing.com, and msn.com,” says F5.
Experts discovered that the same botnet 2.6.8 is also targeting Japanese financials as well.
Comparison of the two botnet configurations reveals that when Zeus.Panda is targeting Japan, the authors removed the Content Security Policy (CSP) headers: remove_csp – 1 : The CSP header is a security standard for preventing cross-site scripting (XSS), clickjacking and other code injection attacks that could execute malicious code from an otherwise trusted site.
This last campaign also targets Amazon, YouTube, Microsoft.com, Live.com, Yahoo.com, and Google.com, Facebook, Twitter, and a couple of two sites.
The third campaign aimed at financial institutions in Latin America, most of them in Argentina, Columbia, and Ecuador, The same campaign also targeted social media, search, email, entertainment, and tech provider as the other attacks.
“This act of simultaneous campaigns targeting several regions around the world and industries indicates these are highly active threat actors, and we expect their efforts to continue with multiple new campaigns coming out as their current efforts are discovered and taken down,” F5 concludes.
| [adrotate banner=”9″] | [adrotate banner=”12″] |
(Security Affairs – Panda Banker, malware)
[adrotate banner=”5″]
[adrotate banner=”13″]
