Update allows Panda Banker to target Brazilian banks

Aug 6, 2016 14:40 GMT  ·  By

Panda Banker, a banking trojan discovered this past March, has received a massive update that allows it to target Brazilian financial institutions, along with other services.

These Panda samples targeting Brazil were first spotted in July, and according to experts at IBM, for this version, a local cyber-crime gang seems to be involved.

Panda is based on the Zeus v2 banking trojan that leaked online in 2011 and was used in multiple other banking trojan families such as Citadel and ZeusVM.

Panda Banker is your typical Zeus variant

When Panda Banker first appeared, the trojan only targeted financial institutions in the UK, Germany, the Netherlands, Poland, Canada, the US, and a few other countries in Europe.

Initial configurations allowed it to use browser Web injects to hijack the portals for online banking portals, but also online payment systems, prepaid cards, airline loyalty programs, and online betting accounts.

Crooks used the trojan to grab banking credentials, and where possible, they delayed users via popups and social-engineered their way into obtaining verification codes to carry out illegal money transfers.

As IBM explains, the trojan is most likely peddled on the Dark Web, and a third-party, most likely located in Brazil, must have gotten involved with its distribution. Brazil, which has a respectable cyber-crime scene, has seen its own share of banking trojans, most of them developed internally.

Panda's Brazilian update is most likely a coincidence

The recent Panda Banker update has added support for Web inject configurations that allow crooks to steal money from the customers of ten major Brazilian banking brands, but also from Bitcoin exchange platforms, payment card services, and online payments providers.

The update came just in time as the Summer Olympics have started in Rio de Janeiro. This may be just a coincidence, since tourists coming to Brazil will still use the online portals of their local banks when traveling to the Rio Olympics, meaning the latest Panda Banker updates won't be effective against foreigners, but only Brazilians.

"Judging by recent emerging campaigns observed by X-Force Research, Zeus Panda appears to be an active and evolving project," says Limor Kessem, Executive Security Advisor for IBM. "As such, we expect to see more variations of this malware and new botnets appearing in the coming months, likely targeting different countries beyond those appearing in current configurations."

All Zeus variations put together take up 15 percent of the global attack volume involving banking trojans.

Banking trojan global attacks
Banking trojan global attacks

Photo Gallery (2 Images)

Panda Banker receives update to target Brazilians
Banking trojan global attacks
Open gallery