


Panda Banker Goes to Brazil Ahead of the Olympics

The Zeus Trojan variant known as Panda Banker has zeroed in on targets in Brazil, where it focuses on 10 local banks and various payment platforms, IBM X-Force researchers warn.


The malware was spotted earlier this year targeting banks in Europe and North America, but has switched to Brazil recently, supposedly in an attempt to cash in on the upcoming Olympic games taking place in the country.

Also known as Zeus Panda, this Zeus variant was created based on the source code of the Zeus Trojan, which leaked in 2011 and which spawned other commercial banking Trojans as well. According to Limor Kessem, Executive Security Advisor, IBM, Panda Banker is “being peddled via Dark Web underground boards by the developer who put it together” and is sold in cybercrime-as-a-service packages.

Researchers have been observing Zeus Panda variants since the first quarter of the year, when botnets spreading it were primarily targeting banks in Europe (the U.K., Germany, the Netherlands, Poland) and North America (both Canada and the U.S.). These variants had diverse configurations: all focused on personal online banking services, but they also went after online payments, prepaid cards, airline loyalty programs, online betting accounts, and others.

Panda Banker was spotted in Brazil for the first time in July 2016, fetching a new, Brazil-focused configuration meant to steal user credentials from the customers of 10 major banks in the country. It was also found to target Bitcoin exchange platforms, payment card services and online payments providers, among others.

“Panda’s operators are also interested in infecting users who access delivery services for a Brazilian supermarket chain, local law enforcement websites, local network security hardware vendors, Boleto payments and a loyalty program specific to Brazil-based commerce,” IBM reports. The Trojan also targets the customer logins to an ATM management services provider.

The security researchers also say that, while it is difficult to determine who is behind the Brazil-focused Panda, the malware’s configuration suggests that a professional cybercrime group at least partly located in Brazil is involved.


“A hint pointing to Panda’s operators’ possible origins is the URL of a Russia-based online service that helps users with instant money transfers, payments, top-up and output via online payments platforms, payments through mobile operators and more,” IBM notes.

The malware variant spotted in attacks in Brazil is based on existing code and employs the same online fraud methods associated with other banking Trojans. It can grab login credentials on the fly, can inject malicious code into ongoing web sessions, and also uses social engineering, while its operators appear to have extensive knowledge regarding the use of automated transaction panels (ATS).

The Trojan is distributed via poisoned Word documents with malicious macros, but was also seen spreading via popular exploit kits like Angler and Neutrino in the past. Panda Banker’s operators target company email addresses with personalized messages in more targeted attacks, IBM says.

Panda’s move to Brazil marks a major change from the current cybercrime landscape in the country, which is dominated by relatively simplistic code designed for specific fraud scenarios, remote access fraud, and phishing, researchers say. The Trojan is a “major step up from the malicious Delphi-based malcode that’s so typical in the country,” IBM notes. The researchers add that the move shows Brazil-based cybercriminals are tightening collaboration with cybercrime vendors from other countries and underground communities.

“Judging by recent emerging campaigns observed by X-Force Research, Zeus Panda appears to be an active and evolving project that is being commercialized to cybercriminals through Dark Web forums. As such, we expect to see more variations of this malware and new botnets appearing in the coming months, likely targeting different countries beyond those appearing in current configurations,” Kessem says.
