The Panda Banker is a banking Trojan that seems to be related to the Zeus Trojan. The Panda Banker, a recently uncovered banking Trojan, is related to one of the most famous and destructive banking Trojans in history. Zeus is quite an old threat that has spawned countless imitators. The Panda Banker is used to target banks in the United Kingdom and Australia and, like its predecessor is designed to collect the victim’s login information and online banking credentials.
According to cyber security researchers at Cylance, who discovered the new campaign, Panda Banker has been targeting victims in the US, Canada, and Japan and is focused on stealing credit card data, bank account information and online wallets.
The Panda Banker was first observed on March 10. The Panda Banker is spread using corrupted email attachments in the form of corrupted Microsoft Word files that are appended to phishing email messages. These Microsoft Office files may take advantage of two known vulnerabilities which have been around for several years, CVE-2014-1761 and CVE-2012-0158. They abuse support for macros in the Microsoft Office to execute corrupted code on the victim’s computer.
When the Panda Banker infects a computer, it gathers data about the infected computer and relays it to a remote server. An identifying marker is created for the infected computer to differentiate it from the countless other computers affected by the Panda Banker. The Panda Banker will relay information on the infected computer’s name, installed security software, operating system information, its user’s name, the time on the affected computer and a variety of other details. The Command and Control server responds with configuration settings contained in a ‘.json’ file that contains additional Command and Control server domains and a list of websites that may be targeted by the Panda Banker infection.
How this Trojan Operates
The websites contained in the Panda Banker’s configuration files are banking portals for some of the most popular banks in Australia and the United Kingdom. Some banks targeted by the Panda Banker include Santander Bank, Bank of Scotland, Lloyds Bank, Halifax UK and TSB. When the victim connects to the banks’ website, the Panda Banker activates and hijacks the victim’s Web browser to collect the victim’s online banking credentials.
Up Close Analysis of the Banking Trojan
The Panda Banker is distributed in a variety of ways apart from the use of corrupted Word files. Three exploit kits have been associated with the Panda Banker attacks, which were downloaded from compromised websites and attack domains. These three exploit kits, Angler, Nuclear and Neutrino, may exploit vulnerabilities on the victim’s computer to install the Panda Banker. This threat campaign uses geo-location to ensure that only computer users in a certain location become infected with the Panda Banker.
Banking Trojans associated with Zeus have been responsible for billions of dollars in losses around the world. More importantly, the Panda Banker and other banking Trojans may work together with rootkits, ransomware, and other types of threats to carry out additional attacks on unsuspecting victims. Therefore, it is no surprise that these threats have continued to thrive.
