Panda Banker Goes to Brazil Ahead of the Olympics

The Zeus Trojan variant known as Panda Banker has zoned in on targets in Brazil, where it focuses on 10 local banks and various payment platforms, IBM X-Force researchers warn.

The malware was spotted earlier this year targeting banks in Europe and North America, but has switched to Brazil recently, supposedly in an attempt to cash in on the upcoming Olympic games taking place in the country.

Also known as Zeus Panda, this Zeus variant was created based on the source code of the Zeus Trojan, which leaked in 2011 and which spawned other commercial banking Trojans as well. According to Limor Kessem, Executive Security Advisor, IBM, Panda Banker is “being peddled via Dark Web underground boards by the developer who put it together” and is sold in cybercrime-as-a-service packages.

Researchers have been observing Zeus Panda variants since the first quarter of the year, when the botnets spreading it primarily targeted banks in Europe (the U.K., Germany, the Netherlands, Poland) and North America (both Canada and the U.S.). These variants carried diverse configurations; all of them focused on personal online banking services, but they also went after online payments, prepaid cards, airline loyalty programs, online betting accounts and other targets.

Panda Banker was spotted in Brazil for the first time in July 2016, fetching a new, Brazil-focused configuration meant to steal user credentials from the customers of 10 major banks in the country. It was also found to target Bitcoin exchange platforms, payment card services and online payments providers, among others.

“Panda’s operators are also interested in infecting users who access delivery services for a Brazilian supermarket chain, local law enforcement websites, local network security hardware vendors, Boleto payments and a loyalty program specific to Brazil-based commerce,” IBM reports. The Trojan also targets the customer logins to an ATM management services provider.

The security researchers also suggest that, while it is difficult to say who is behind the Brazil-focused Panda, the malware’s configuration suggests that a professional cybercrime group at least partly located in Brazil is involved.

“A hint pointing to Panda’s operators’ possible origins is the URL of a Russia-based online service that helps users with instant money transfers, payments, top-up and output via online payments platforms, payments through mobile operators and more,” IBM notes.


The malware variant spotted in attacks in Brazil is based on existing code and employs the same online fraud methods associated with other banking Trojans. It can grab login credentials on the fly, can inject malicious code into ongoing web sessions, and also uses social engineering, while its operators appear to have extensive knowledge regarding the use of automated transaction panels (ATS).

The Trojan is distributed via poisoned Word documents with malicious macros, but has also been seen spreading via popular exploit kits such as Angler and Neutrino in the past. In more targeted attacks, Panda Banker’s operators send personalized messages to company email addresses, IBM says.

Panda’s move to Brazil marks a major change from the current cybercrime landscape in the country, which is dominated by relatively simplistic code designed for specific fraud scenarios, remote access fraud, and phishing, researchers say. The Trojan is a “major step up from the malicious Delphi-based malcode that’s so typical in the country,” IBM notes. The researchers add that the move shows Brazil-based cybercriminals are tightening collaboration with cybercrime vendors from other countries and underground communities.

“Judging by recent emerging campaigns observed by X-Force Research, Zeus Panda appears to be an active and evolving project that is being commercialized to cybercriminals through Dark Web forums. As such, we expect to see more variations of this malware and new botnets appearing in the coming months, likely targeting different countries beyond those appearing in current configurations,” Kessem says.

Related: New Zeus Variant “Sphinx” Offered for Sale