Trojan Panda Banker / Zeus panda

Original Issue Date:- May 15, 2018
Virus Type:- Banking Trojan
Severity:- Medium

Panda Banker is a spin-off of the Zeus banking Trojan malware leverages man-in the-browser /web injects attack techniques to steal user's banking credentials. The malware generally spreads via unscrupulous attachments or via exploit kits reportedly, Angler Exploit Kit, Nuclear Exploit Kit, and Neutrino Exploit Kit.

Though, the prime targeted sector of this malware is financial sector and crypto currency sites, however it also expand its attack in different organization sectors like social networking sites, search, Email and adults sites.

The malware used different C& C for different sectors but the attack strategy of this malware is more or less same with some minor modification in dynamic configuration like adding of putty.exe in screen process, clearing the cache & cookies, adding of wait time etc.

Once successfully installed, the malware starts queried the victim system to get information like name of antivirus, computer name, spy-ware installed, username, local time etc. and send these information to C2. On the basis of this information, C2 send the obfuscated JSON data to the victim system which contains the URL from where malware download the further commands, web inject data and configuration for itself.

Finally malware start performing unauthorized malicious activities like steeling the banking credentials, generating fraudulent transactions using Automatic Transfer System (ATS), web inject ,installing ransomware, crypto mining etc.

Indicators of compromise:

C&C Server :

  • hxxps://0a109ec2ab47[.]com
  • hxxps://adshiepkhach[.]top
  • hxxps://antrefurniture[.]top
  • hxxps://cotrus[.]co

Countermeasures and Best practices for prevention:

  • Keep the operating system and third party App with the latest patches.
  • Follow safe practices when browsing the web.
  • Application whitelisting/Strict implementation of Software Restriction Policies (SRP) to block binaries running from %APPDATA% and %TEMP% paths. Generally Malware sample drops and executes generally from these locations.
  • Don't open attachments in unsolicited e-mails, even if they come from people in your contact list, and never click on a URL contained in an unsolicited e-mail, even if the link seems benign. In cases of genuine URLs close out the e-mail and go to the organization's website directly through browser.
  • Block the attachments of file types, exe|pif|tmp|url|vb|vbe|scr|reg|cer|pst|cmd|com|bat|dll|dat|hlp|hta|js|wsf.
  • Restrict execution of PowerShell /WSCRIPT in enterprise environment Ensure installation and use of latest version (currently v5.0) of PowerShell, with enhanced logging enabled. Script block logging, and transcription enabled. Send the associated logs to a centralized log repository for monitoring and analysis. References: https://www.fireeye.com/blog/threatresearch/2016/02/greater_visibilityt.html
  • Enabled Windows Defender Application Guard with designated the trusted sites as whitelisted, so that rest all sites will be open in container to block the access to memory, local storage, other installed applications or any other resources of interest to the attacker.
  • Enabled Windows Defender Credential Guard, User Account Control feature to protecting from credential theft attacks, blocking of the automatic installation of unauthorized apps and run the apps , tasks in non-administrative accounts unless administrator specifies.

References: