Proofpoint researchers originally discovered the Panda Banker malware in February, 2016 [1]. At the time, it was being distributed via both targeted email campaigns and exploit kits (EKs). The instance we discovered and analyzed at the time was configured to steal information from customers of UK and Australian banks. While Panda Banker has become more prevalent in recent weeks, we have been tracking a large campaign this week targeting banks in Europe and Australia and, interestingly, UK online casinos and international online payment systems.
Email campaign
On August 11 and 12, Proofpoint detected the largest Panda Banker email campaign we have ever observed with millions of messages sent to organizations involved in manufacturing, retail, insurance, and several other verticals. Email messages in this campaign purport to be from legitimate banks with malicious links leading to Microsoft Word documents. These documents contain macros which, if enabled, download Panda banker with a botnet ID of "cap".
The messages in this campaign were translated into Dutch, German, Italian, and English, depending on the targeted country. English-speaking countries included Australia and the United Kingdom, and Subject lines included:
- Detected suspicious transaction on your account
- Incomplete transaction
- Locked transaction
- Online Banking informs
- Barclays Personal Banking
- HSBC Personal Banking
- Geehrter Kunde (German for "Dear Customer")
- Mahnung abhleichen (likely a misspelling of Mahnung abgleichen which is German for "Syndicate reminder")
- Rechnung bei Postbank AG (German for "Account at Postbank AG")
- Sehr geehrter Kunde (A variation on "Dear Customer")
Figure 1: English language email lure with fraudulent use of a legitimate bank name to deliver the malicious URLs that eventually lead to Zeus Panda
Figure 2: Linked Microsoft Word document that uses macros and social engineering to download Zeus Panda
Figure 3: German language email lure
Web injects
Banking Trojans generally rely on web injects to intercept online banking traffic and often to modify banking sites on infected devices in order to carry out man-in-the-browser (MITB) attacks. These web injects are configured for specific banks in targeted countries. In this case, the injects are set up for banks in the Netherlands, Italy, and Germany as well as online casinos in the United Kingdom and international online payment systems. We observed the following sites targeted by web injects:
- [http://boq[.]com[.]au]
- [https://www[.]icscards[.]nl/]
- entry?rzid=XC&rzbk=
- [https://www[.]targobank[.]de/de/online-banking/]
- [https://banking[.]postbank[.]de/rai]
- [kunden[.]commerzbank[.]de/lp/login]
- [https://deportal/portal]
- [mijn[.]ing[.]nl/internetbankieren/SesamLoginServlet]
- [ideal[.]snsreaal[.]nl/secure/sns/Pages/Payment]
- [snsbank[.]nl/mijnsns/secure/login[.]html]
- [snsbank[.]nl/mijnsns/secure/login[.]htmlaction_prepareStepTwo=Inloggen]
- [snsbank[.]nl/mijnsns/homepage/secure/homepage/homepage[.]html]
- [snsbank[.]nl/mijnsns/bankieren/secure/betalen/overschrijvenbinnenland[.]html]
- [snsbank[.]nl/mijnsns/bankieren/secure/verzendlijst/verzendlijst[.]html]
- [snsbank[.]nl/mijnsns/secure/logout/logoutConfirm[.]html]
- [ideal[.]regiobank[.]nl/internetbankieren/]
- [regiobank[.]nl/internetbankieren/secure/login[.]html]
- [regiobank[.]nl/internetbankieren/secure/login[.]htmlaction_prepareStepTwo=Inloggen]
- [regiobank[.]nl/internetbankieren/homepage/secure/homepage/homepage[.]html]
- [regiobank[.]nl/internetbankieren/secure/logout/logoutConfirm[.]html]
- [https://kunde[.]comdirect[.]de/lp/wt/]
- [http://www[.]nrwbank[.]de/de]
- [https://kunde[.]onvista-bank[.]de/]
- [https://persoonlijk[.]knab[.]nl/account/]
- [https://intbank[.]crediteurope[.]nl/FWFIB/]
- [https://ebanking[.]procreditbank[.]de/User/]
- /trxm/
- [https://www[.]dkb[.]de/]
- [pintan[.]santanderbank[.]de/PinUser]
- [https://www[.]dkb[.]de/]
- [pintan[.]santanderbank[.]de/PinUser]
- [e-bank[.]wuestenrot[.]de/ebanking/eb/index[.]htm]
- [https://banking[.]donner-reuschel[.]de/]
- [fineco[.]it/it/public]
- [fineco[.]it//error]
- [https://areariservata[.]bancamarche[.]it/wps/portal/]
- [https://klant[.]alex[.]nl/logon/index]
- ideal[.]ing[.]nl
- [http://casino[.]bet365[.]com/home/]
- [https://sports[.]gamebookers[.]com/]
- [https://online[.]atbank[.]nl/atb-retail/]
- [https://token[.]kasbank[.]com/secure/logon]
- [https://mijn[.]gilissen[.]nl/authentication/]
- [https://www[.]syzgroup[.]com/]
- [okpay[.]com/account/login[.]html]
- [https://moj[.]raiffeisenpolbank[.]]
- [https://online[.]ingbank[.]pl/bskonl/login[.]html]
- [https://cfi[.]mb[.]seb[.]se/pqq_portal/sebflow/]
- [https://www[.]ubibanca[.]com/]
- [https://www[.]paypal[.]com/]
- [https://www[.]bwin[.]com/]
- [https://www[.]insidecard[.]de/]
- [https://banking[.]fidor[.]de/users/]
- [https://cristalcard[.]de/]
- [https://payangocard[.]de/]
- [https://www[.]xoom[.]com]
- [https://www[.]asl[.]com/cas/login?service=]
- [https://online[.]mbank[.]pl/pl/Logi]
- [https://www[.]commerzbank[.]de]
- [https://www[.]atbonlinebusiness[.]com/CorporateBankingWeb/Core/Login[.]aspx]
- [https://www[.]mijn-icsbusiness[.]nl/icsbus]
- [https://www[.]mijn-icsbusiness[.]nl/icsbusiness/]
These web injects represent a substantial expansion of the injects we initially observed in Panda Banker in February and March. While banks are common targets for injects, the addition of online casinos in the UK and international payment systems like OKPay, PayPal, and Xoom dramatically increases the potential attack surface for Panda Banker since these payment systems are not limited by geography like most banks.
Analysis
We analyzed the command and control (C&C) functions, control panel, mutexes, and specific functions previously [1]. Substantive changes appear to be largely limited to the web injects, encryption of the configuration file [2], and targeting rather than major updates to core functionailty, although at this time we have not fully reversed this latest version of Panda Banker.
Conclusion
Panda Banker is one of many banking Trojans with roots in Zeus, one of the earliest and most successful banking Trojans. As the massive Dridex campaigns of 2015 and early 2016 essentially saturated their target countries, other banking Trojans such as Vawtrak and Ursnif have emerged to fill the void. Now Panda Banker is also appearing at scale to steal money via online banking accounts, including international online payment systems.
Even as attention turns to ransomware like Locky and CryptXXX, this campaign shows that banking Trojans are far from dead. Both individuals and organizations must remain vigilant to the threat, especially in regions that have not previously experienced the onslaught of Dridex and hardened their defenses accordingly. Protection at both the email gateway and endpoint will be critical to keeping a new generation of banking Trojans at bay.
References
- https://www.proofpoint.com/us/threat-insight/post/panda-banker-new-banking-trojan-hits-the-market
- https://www.arbornetworks.com/blog/asert/let-pandas-zeus-zeus-zeus-zeus/
Indicators of Compromise (IOC’s)
IOC |
IOC Type |
Description |
hxxp://guestlistalamode[.]com/bank/report.doc |
URL |
URL hosting malicious document |
hxxp://guestlistalamode[.]com/bank/payment.doc |
URL |
URL hosting malicious document |
hxxp://vividlightingandliving[.]com.au/bank-info/payment.doc |
URL |
URL hosting malicious document |
hxxp://vividlightingandliving[.]com.au/bank-info/report.doc |
URL |
URL hosting malicious document |
hxxp://www.1800cloud[.]com/infos/payment.doc |
URL |
URL hosting malicious document |
hxxp://www.1800cloud[.]com/infos/report.doc |
URL |
URL hosting malicious document |
hxxp://www.monparfum[.]it/payments/history.doc |
URL |
URL hosting malicious document |
hxxp://www.monparfum[.]it/payments/info.doc |
URL |
URL hosting malicious document |
3a56be53c1493e1bcfae1c22750a1511460a42984c0388fd7bf2b75e9ed041b4 |
SHA256 |
Report.doc (sample malicious document) |
hxxp://88[.]119[.]179[.]160/1biycuhoqetzowaawneab[.]exe |
URL |
Payload downloaded by document (Panda) |
b78afdedb28db1f5d7d9364f2a78e84a3d140dbc90dddd9cba461b41ba864578 |
SHA256 |
Panda Banker |
hxxp://freebase[.]pw/backsocks[.]bin |
URL |
Panda plugin download |
hxxp://freebase[.]pw/grabber[.]bin |
URL |
Panda plugin download |
hxxp://freebase[.]pw/vnc32[.]bin |
URL |
Panda plugin download |
hxxp://freebase[.]pw/vnc64[.]bin |
URL |
Panda plugin download |
nederlandstest[.]com |
URL |
Inject C&C domain |
test2222test[.]info |
URL |
Inject C&C domain |
hxxp://freebase[.]pw/1biycuhoqetzowaawneab[.]exe |
URL |
Panda update URL |
IOC |
IOC Type |
Descriptions |
---|---|---|
hxxp://guestlistalamode[.]com/bank/report.doc |
URL |
URL hosting malicious document |
hxxp://guestlistalamode[.]com/bank/payment.doc |
URL |
URL hosting malicious document |
hxxp://vividlightingandliving[.]com.au/bank-info/payment.doc |
URL |
URL hosting malicious document |
hxxp://vividlightingandliving[.]com.au/bank-info/report.doc |
URL |
URL hosting malicious document |
hxxp://www.1800cloud[.]com/infos/payment.doc |
URL |
URL hosting malicious document |
hxxp://www.1800cloud[.]com/infos/report.doc |
URL |
URL hosting malicious document |
hxxp://www.monparfum[.]it/payments/history.doc |
URL |
URL hosting malicious document |
hxxp://www.monparfum[.]it/payments/info.doc |
URL |
URL hosting malicious document |
3a56be53c1493e1bcfae1c22750a1511460a42984c0388fd7bf2b75e9ed041b4 |
SHA256 |
Report.doc (sample malicious document) |
hxxp://88[.]119[.]179[.]160/1biycuhoqetzowaawneab[.]exe |
URL |
Payload downloaded by document (Panda) |
b78afdedb28db1f5d7d9364f2a78e84a3d140dbc90dddd9cba461b41ba864578 |
SHA256 |
Panda Banker |
hxxp://freebase[.]pw/backsocks[.]bin |
URL |
Panda plugin download |
hxxp://freebase[.]pw/grabber[.]bin |
URL |
Panda plugin download |
hxxp://freebase[.]pw/vnc32[.]bin |
URL |
Panda plugin download |
hxxp://freebase[.]pw/vnc64[.]bin |
URL |
Panda plugin download |
nederlandstest[.]com |
URL |
Inject C&C domain |
test2222test[.]info |
URL |
Inject C&C domain |
hxxp://freebase[.]pw/1biycuhoqetzowaawneab[.]exe |
URL |
Panda update URL |
Select ET Signatures that would fire on such traffic:
2821472 || ETPRO TROJAN Zeus Panda Banker Malicious SSL Certificate Detected
2821624 || ETPRO TROJAN Observed Malicious SSL Cert (Zeus Panda Injects)
2821625 || ETPRO TROJAN Observed Malicious SSL Cert (Zeus Panda Injects)