In March, security researchers at Arbor Networks discovered a threat targeting financial institutions in Japan using the latest variant of the Panda Banker banking malware, also known as Zeus Panda and PandaBot. Researchers at security firm F5 recently detected several campaigns leveraging Panda Banker against other institutions around the world, including some of the largest banks.
Panda Banker was first spotted in 2016 by Fox-IT; it borrows code from the Zeus banking Trojan and is sold as a kit on underground forums. In November 2017 the malware was distributed through black search engine optimization (SEO), which planted malicious links in search results: the attackers targeted financial-related keyword queries to deliver the attack.
Panda Banker's main attack techniques include clipboard grabbing (capturing passwords and pasting them into form fields), keylogging, screenshots of user activity (up to 10 per mouse click), and abuse of the Virtual Network Computing (VNC) desktop sharing system for remote access. The malware spreads through phishing attacks and targets Windows operating systems.
According to F5, the malware continues to target Japanese institutions and it is also targeting users in the United States, Canada, and Latin America.
“We analyzed four campaigns that were active between February and May of 2018. The three May campaigns are still active at the time of this writing. Two of the four campaigns are acting from the same botnet version but have different targets and different command and control (C&C) servers.” reads the analysis published by F5.
“Panda is still primarily focused on targeting global financial services, but following the worldwide cryptocurrency hype, it has expanded its targets to online cryptocurrency exchanges and brokerage services. Social media, search, email, and adult sites are also being targeted by Panda.”
Researchers observed a spike in activity associated with the malware in February, when the malicious code was used to target financial services and cryptocurrency sites in Italy, the first target country outside Japan, using webinjects, a technique that allows the crooks to spy on user interaction within cryptocurrency accounts.
“The Panda configuration we analyzed from February was marked as botnet “onore2.” This campaign leverages the same attack techniques as previously described, and it is able to keylog popular web browsers and VNC in order to hijack user interaction sessions and steal personal information.” states the analysis.
This month, the experts monitored three different Panda Banker campaigns tracked as botnet “2.6.8”, each focused on different countries. In North America the targets span eight industries, and 78% of them are financial organisations.
“This campaign is also targeting major social media platforms like Facebook and Instagram, as well as messaging apps like Skype, and entertainment platforms like YouTube. Additionally, Panda is targeting Microsoft.com, bing.com, and msn.com,” says F5.
“The campaigns that targeted Italian, US, and Canadian financial organizations were the same ones that targeted cryptocurrency sites. The campaign that focused on Japanese financial organizations had the broadest set of industry targets. Across all campaigns in May, the same social media, search, email, ecommerce, and tech providers were targeted.” reports the F5 team.
The third campaign rollout is believed to be aimed at financial institutions across Latin America, most of them in Argentina, Colombia, and Ecuador. The same campaign also targeted social media, search, email, entertainment, and tech providers, as the other attacks did.
The campaign has also targeted big corporations and services such as Amazon, YouTube, Microsoft.com, Live.com, Yahoo.com, Google.com, Facebook, Twitter, and a couple of other sites.