Bad News Bears - Panda Banker Starts Looking More Like a Grizzly

Proofpoint researchers originally discovered the Panda Banker malware in February, 2016 [1]. At the time, it was being distributed via both targeted email campaigns and exploit kits (EKs). The instance we discovered and analyzed at the time was configured to steal information from customers of UK and Australian banks. While Panda Banker has become more prevalent in recent weeks, we have been tracking a large campaign this week targeting banks in Europe and Australia and, interestingly, UK online casinos and international online payment systems.

Email campaign

On August 11 and 12, Proofpoint detected the largest Panda Banker email campaign we have ever observed, with millions of messages sent to organizations involved in manufacturing, retail, insurance, and several other verticals. Email messages in this campaign purport to be from legitimate banks and contain malicious links leading to Microsoft Word documents. These documents contain macros which, if enabled, download Panda Banker with a botnet ID of "cap".
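The chain described above (a linked Word document whose macro then fetches an executable) leaves a recognisable sequence in web proxy logs. The following detection sketch is an added example, not Proofpoint's tooling; the log format, the function names, the five-minute window and the placeholder hosts in the sample are all assumptions.

```python
import ipaddress
from datetime import datetime, timedelta
from urllib.parse import urlsplit

# Constructed proxy log (timestamp, client, method, URL). Hosts are
# documentation placeholders, not indicators from this report.
SAMPLE_LOG = """\
2016-08-11T09:14:02 10.0.4.17 GET http://files.example.com/docs/statement.doc
2016-08-11T09:14:40 10.0.4.17 GET http://203.0.113.9/a1b2c3.exe
2016-08-11T09:20:11 10.0.4.23 GET http://intranet.example.org/policy.doc
2016-08-11T11:02:55 10.0.4.23 GET http://updates.example.net/tool.exe
2016-08-11T10:01:00 10.0.4.31 GET http://203.0.113.9/a1b2c3.exe
"""

DOC_EXT = (".doc", ".docm")
EXE_EXT = (".exe",)
WINDOW = timedelta(minutes=5)  # assumed correlation window, tune per site

def host_is_ip(url):
    """True when the URL's host is an IP literal rather than a name."""
    try:
        ipaddress.ip_address(urlsplit(url).hostname or "")
        return True
    except ValueError:
        return False

def find_doc_then_exe(log_text, window=WINDOW):
    """Return clients that fetched a Word document and then an executable
    within `window`, the pattern a macro downloader produces."""
    events = sorted(tuple(l.split(maxsplit=3)) for l in log_text.splitlines() if l.strip())
    last_doc, hits = {}, []  # last_doc: client -> (time, url) of latest document
    for ts, client, method, url in events:
        when = datetime.fromisoformat(ts)
        path = urlsplit(url).path.lower()
        if method != "GET":
            continue
        if path.endswith(DOC_EXT):
            last_doc[client] = (when, url)
        elif path.endswith(EXE_EXT) and client in last_doc:
            doc_when, doc_url = last_doc[client]
            if when - doc_when <= window:
                hits.append({"client": client, "document": doc_url,
                             "payload": url, "payload_host_is_ip": host_is_ip(url),
                             "delay_s": int((when - doc_when).total_seconds())})
    return hits

if __name__ == "__main__":
    for hit in find_doc_then_exe(SAMPLE_LOG):
        print(hit)
```

On the constructed sample only the first client is flagged; the second fetched its executable well outside the window and the third never fetched a document.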

The messages in this campaign were translated into Dutch, German, Italian, and English, depending on the targeted country. English-speaking countries included Australia and the United Kingdom. Subject lines included:

  • Detected suspicious transaction on your account
  • Incomplete transaction
  • Locked transaction
  • Online Banking informs
  • Barclays Personal Banking
  • HSBC Personal Banking
  • Geehrter Kunde (German for "Dear Customer")
  • Mahnung abhleichen (likely a misspelling of Mahnung abgleichen which is German for "Syndicate reminder")
  • Rechnung bei Postbank AG (German for "Account at Postbank AG")
  • Sehr geehrter Kunde (A variation on "Dear Customer")

Figure 1: English language email lure with fraudulent use of a legitimate bank name to deliver the malicious URLs that eventually lead to Zeus Panda

Figure 2: Linked Microsoft Word document that uses macros and social engineering to download Zeus Panda

Figure 3: German language email lure

Web injects

Banking Trojans generally rely on web injects to intercept online banking traffic and often to modify banking sites on infected devices in order to carry out man-in-the-browser (MITB) attacks. These web injects are configured for specific banks in targeted countries. In this case, the injects are set up for banks in the Netherlands, Italy, and Germany as well as online casinos in the United Kingdom and international online payment systems. We observed the following sites targeted by web injects:

These web injects represent a substantial expansion of the injects we initially observed in Panda Banker in February and March. While banks are common targets for injects, the addition of online casinos in the UK and international payment systems like OKPay, PayPal, and Xoom dramatically increases the potential attack surface for Panda Banker since these payment systems are not limited by geography like most banks.

Analysis

We analyzed the command and control (C&C) functions, control panel, mutexes, and specific functions previously [1]. Substantive changes appear to be largely limited to the web injects, encryption of the configuration file [2], and targeting rather than major updates to core functionality, although at this time we have not fully reversed this latest version of Panda Banker.

Conclusion

Panda Banker is one of many banking Trojans with roots in Zeus, one of the earliest and most successful banking Trojans. As the massive Dridex campaigns of 2015 and early 2016 essentially saturated their target countries, other banking Trojans such as Vawtrak and Ursnif have emerged to fill the void. Now Panda Banker is also appearing at scale to steal money via online banking accounts, including international online payment systems.

Even as attention turns to ransomware like Locky and CryptXXX, this campaign shows that banking Trojans are far from dead. Both individuals and organizations must remain vigilant to the threat, especially in regions that have not previously experienced the onslaught of Dridex and hardened their defenses accordingly. Protection at both the email gateway and endpoint will be critical to keeping a new generation of banking Trojans at bay.

References

  1. https://www.proofpoint.com/us/threat-insight/post/panda-banker-new-banking-trojan-hits-the-market
  2. https://www.arbornetworks.com/blog/asert/let-pandas-zeus-zeus-zeus-zeus/

Indicators of Compromise (IOCs)

Select ET Signatures that would fire on such traffic:

2821472 || ETPRO TROJAN Zeus Panda Banker Malicious SSL Certificate Detected
2821624 || ETPRO TROJAN Observed Malicious SSL Cert (Zeus Panda Injects)
2821625 || ETPRO TROJAN Observed Malicious SSL Cert (Zeus Panda Injects)