New Banking Trojan Panda Banker Based On Zeus Source Code
Researchers at Proofpoint, a cyber security company, have reported a new banking trojan, Panda Banker, built on the source code of the notorious Zeus. According to Proofpoint, Inc., the malware is distributed both via phishing emails and via exploit kits.
On March 10 of this year, the researchers recorded a spam campaign aimed at media and production companies. The phishing emails carried a malicious document that exploits CVE-2014-1761 and CVE-2012-0158 to download Panda Banker from a remote server.
On March 19, the researchers found another campaign, this time aimed at financial organizations. These malicious documents contain macros that download a loader known as Godzilla, and Godzilla in turn downloads the Panda Banker trojan.
Proofpoint also reports that in March 2016 the trojan was distributed by three popular exploit kits, Angler, Nuclear and Neutrino, in campaigns aimed at organizations in Australia and the UK. Once it infects a victim's system, Panda Banker contacts its command-and-control (C&C) server and sends information about the compromised machine, including which anti-virus and firewall products are installed.
The C&C server responds with a configuration file in JSON format containing a list of C&C domains and a list of websites into which the trojan injects malicious code. Proofpoint also noted that Panda Banker targets customers of banks including Halifax UK, Lloyds Bank, TSB, Bank of Scotland and Santander. In analysing Panda Banker, the researchers found many similarities with Zeus: the mutexes, files, folders and registry keys the malware creates match those of Zeus, and to hide the real IP addresses of their servers the Panda Banker operators use fast-flux DNS, a technique also used in Zeus attacks.
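The fast-flux DNS technique mentioned above is visible from the defender's side as a domain whose A records rotate through many addresses, in many different network ranges, with short TTLs. The following is an added example, not code from Proofpoint's report or from the Panda Banker malware itself: a small heuristic that profiles a batch of DNS answers (the domain names, IP addresses and TTLs are constructed for illustration and use reserved documentation ranges) and flags domains whose answers look like fast flux. The /16 prefix is used here as a cheap offline stand-in for ASN diversity, and the thresholds are arbitrary assumptions to be tuned against your own resolver or passive-DNS data.

```python
"""
Fast-flux DNS heuristic over a constructed batch of DNS answers.

Added example, not taken from Proofpoint's report or Panda Banker: the
domains, addresses, TTLs and thresholds below are assumptions for
illustration only.
"""
from dataclasses import dataclass, field
from ipaddress import ip_network
from statistics import mean

# Constructed sample: one row per observed A-record answer, as a resolver
# or passive-DNS sensor would log it.
# (timestamp_seconds, queried_domain, answered_ip, ttl_seconds)
SAMPLE_ANSWERS = [
    (0,   "update.example-flux.test", "198.51.100.10",  180),
    (0,   "update.example-flux.test", "203.0.113.44",   180),
    (200, "update.example-flux.test", "192.0.2.77",     120),
    (200, "update.example-flux.test", "198.51.100.91",  120),
    (400, "update.example-flux.test", "203.0.113.7",    150),
    (400, "update.example-flux.test", "192.0.2.130",    150),
    (600, "update.example-flux.test", "198.51.100.200",  90),
    (0,   "www.example-static.test",  "192.0.2.5",    86400),
    (200, "www.example-static.test",  "192.0.2.5",    86400),
    (400, "www.example-static.test",  "192.0.2.5",    86400),
]


@dataclass
class DomainProfile:
    """Aggregate view of every answer seen for one queried domain."""
    domain: str
    answers: int = 0
    ips: set = field(default_factory=set)
    prefixes: set = field(default_factory=set)   # /16 networks, ASN proxy
    ttls: list = field(default_factory=list)

    @property
    def unique_ips(self) -> int:
        return len(self.ips)

    @property
    def unique_prefixes(self) -> int:
        return len(self.prefixes)

    @property
    def mean_ttl(self) -> float:
        return mean(self.ttls) if self.ttls else 0.0


def profile_answers(records) -> dict:
    """Fold (ts, domain, ip, ttl) rows into one DomainProfile per domain."""
    profiles = {}
    for _ts, domain, ip, ttl in records:
        p = profiles.setdefault(domain, DomainProfile(domain))
        p.answers += 1
        p.ips.add(ip)
        # Collapse the address to its /16 so that many IPs from the same
        # hosting range do not inflate the diversity score.
        p.prefixes.add(str(ip_network(f"{ip}/16", strict=False)))
        p.ttls.append(ttl)
    return profiles


def is_fast_flux(p: DomainProfile, max_mean_ttl=300,
                 min_unique_ips=5, min_unique_prefixes=3) -> bool:
    """Flag a domain that rotates through many addresses in many ranges
    with short TTLs. Thresholds are assumed values, not from the report."""
    return (p.mean_ttl <= max_mean_ttl
            and p.unique_ips >= min_unique_ips
            and p.unique_prefixes >= min_unique_prefixes)


def flagged_domains(records, **thresholds) -> list:
    """Return the sorted list of domains the heuristic flags."""
    return sorted(d for d, p in profile_answers(records).items()
                  if is_fast_flux(p, **thresholds))


if __name__ == "__main__":
    for name, p in profile_answers(SAMPLE_ANSWERS).items():
        print(f"{name}: {p.answers} answers, {p.unique_ips} IPs, "
              f"{p.unique_prefixes} /16s, mean TTL {p.mean_ttl:.0f}s, "
              f"fast-flux={is_fast_flux(p)}")
```

In practice you would feed this from resolver query logs or a passive-DNS export, replace the /16 proxy with a real IP-to-ASN lookup, and treat a hit as a pivot for hunting the C&C domains rather than as a verdict on its own, since large CDNs also rotate addresses with short TTLs.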