This is a security alert for all TruShield clients, the financial services industry, and the community as a whole. We have learned about a new banking Trojan that utilizes some Zeus code to do its damage. This new Trojan is called Panda Banker.
Panda Banker is a banking Trojan discovered in February by Fox-IT InTELL. Proofpoint researchers further analyzed this Trojan and named it Panda Banker. The Trojan borrows code from the Zeus banking Trojan. The malware is delivered via spear-phishing emails with malicious attachments and through several exploit kits. Panda Banker was first spotted targeting people working in mass media and manufacturing organizations; in that campaign a remote server was used to download the banker Trojan, as stated on the SecurityWeek website. Later, when targeting the financial industry, the Godzilla loader was used to download Panda Banker. The three exploit kits the Proofpoint researchers observed delivering Panda Banker are Neutrino, Nuclear, and Angler. Australia and the United Kingdom are the two countries this Trojan is targeting, based on the geo-filtering observed by Proofpoint researchers.
After the Trojan is downloaded, it reaches out to the command and control server to send and receive information. The information it sends includes the following: “system uptime, the process in which the malware is running, the current user name, a unique id for the infection, the botnet name, the botnet version, OS version information, latency, local time, computer name, the name of antivirus software installed, installed anti-spyware, and the installed firewall”, as stated on Proofpoint’s website. The rest of the process consists of a response carrying further information on modules and configuration commands for the malware. The researchers at Proofpoint were able to pinpoint the similarities between this malware and Zeus, namely the mutexes, files, folders and registry keys it creates. A distinctive method of Panda Banker “involves the use of numerous IP addresses associated with a single malicious domain known as Fast Flux DNS”, and this makes the malware harder to combat, as stated by Proofpoint researchers.
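The fast-flux behaviour described above (one domain rotating through many short-lived IP addresses) can be surfaced from resolver or passive-DNS logs. The detector below is an added example written for this alert, not tooling from TruShield or Proofpoint; the log format, the domain names, the addresses and the thresholds are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample resolver log (not real indicators):
# timestamp, queried domain, record type, resolved IP, TTL in seconds
SAMPLE_LOG = """\
2016-03-01T10:00:00 update-service.example A 203.0.113.10 300
2016-03-01T10:05:00 update-service.example A 203.0.113.11 300
2016-03-01T10:10:00 update-service.example A 198.51.100.7 300
2016-03-01T10:15:00 update-service.example A 198.51.100.9 300
2016-03-01T10:20:00 update-service.example A 192.0.2.44 300
2016-03-01T10:25:00 update-service.example A 192.0.2.45 300
2016-03-01T10:00:00 cdn.legit.example A 203.0.113.50 3600
2016-03-01T10:30:00 cdn.legit.example A 203.0.113.51 3600
"""

def parse_log(text):
    """Yield (timestamp, domain, ip, ttl) tuples for A records, skipping malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[2] != "A":
            continue
        ts, domain, _, ip, ttl = parts
        try:
            yield datetime.fromisoformat(ts), domain.lower(), ip, int(ttl)
        except ValueError:
            continue  # unparsable timestamp or TTL; ignore the line

def flux_candidates(records, min_ips=5, max_ttl=600, window_minutes=60):
    """Return {domain: sorted IPs} for domains that resolved to at least
    `min_ips` distinct addresses, all with TTL <= `max_ttl`, inside some
    sliding window of `window_minutes`. Thresholds are assumed values."""
    by_domain = defaultdict(list)
    for ts, domain, ip, ttl in records:
        if ttl <= max_ttl:  # long TTLs are typical of legitimate load balancing
            by_domain[domain].append((ts, ip))
    hits = {}
    for domain, obs in by_domain.items():
        obs.sort()
        for i, (start, _) in enumerate(obs):
            ips = {ip for ts, ip in obs[i:]
                   if (ts - start).total_seconds() <= window_minutes * 60}
            if len(ips) >= min_ips:
                hits[domain] = sorted(ips)
                break
    return hits

if __name__ == "__main__":
    for domain, ips in flux_candidates(parse_log(SAMPLE_LOG)).items():
        print(f"possible fast-flux domain: {domain} -> {len(ips)} addresses")
```

Flagged domains are candidates for review against threat intelligence, not automatic blocks, since CDNs with short TTLs can produce similar patterns.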
Banking Trojans are known for stealing millions from victims, and this particular Trojan is no different: it steals banking credentials in order to steal money, and it reuses part of the Zeus code to do so. It has multiple ways of obtaining the information it needs.
Protecting against Banking Trojans
To protect against banking Trojans like Panda Banker, do not open emails from unknown senders, make sure that systems are and remain up to date with the latest patches, and employ other methods of detecting and blocking known malware signatures.
Indicators of Compromise