Arbor Networks security experts warned about a new threat actor which attacks financial institutions in Japan via the Panda Banker banking trojan (aka PandaBot, Zeus Panda).
The security researchers at Fox-IT first noticed Panda Banker in 2016. According to them, the malware borrows code from the Zeus banking Trojan.
Last November, the creators of Zeus Panda used black Search Engine Optimization (SEO) to offer malicious links in the search results. The main focus of the hackers were the financial-related keyword queries.
The main characteristic of the Panda Banker trojan is its ability to steal users credentials and account numbers. The malware is capable of stealing its victims’ money by implementing “man in the browser” attack.
Panda Banker is sold as a kit on the underground forums, and its latest variant was used in the last attacks against Japan if the version 2.6.6 implements the same features as the previous releases.
“A threat actor using the well-known banking malware Panda Banker (a.k.a Zeus Panda, PandaBot) has started targeting financial institutions in Japan.” the Arbor Networks analysis states.
“Based on our data and analysis this is the first time that we have seen Panda Banker injects targeting Japanese organizations.”
What is interesting about the latest campaign targeting Japan, is the fact that none of the indicators of compromise (IOC) was associated with the previous attacks.
The banking trojan was delivered via malvertising, redirecting the victims to the domains that hosted the RIG-v exploit kit.
The attackers used multiple domains and C&C servers, however, during the time of the analysis, only one of them appeared to be active. The active domain hillaryzell[.]xyz was registered to a Petrov Vadim and the associated email address was firstname.lastname@example.org.
Apart from Japan, the recent malware campaign also attacked websites in the United States, search engines, social media websites, an email site, a video search engine, an online shopping site, and an adult content hub.
“The threat actor named this campaign “ank”.” the analysis reads. “At the time of research, the C2 server returned 27 webinjects that can be broken down into the following categories:
- 17 Japanese banking websites mostly focusing on credit cards
- 1 US based web email site
- 1 US based video search engine
- 4 US based search engines
- 1 US based online shopping site
- 2 US based social media sites
- 1 US based adult content hub”
The webinjects which were employed in the campaign use the Full Info Grabber automated transfer system (ATS) to steal account information and user credentials.