A new Trojan called Panda Banker, believed to be an offspring of the infamous Zeus malware, was recently discovered in a massive infection campaign in which millions of spam emails were sent to potential victims. The malware was discovered by researchers at the security firm Proofpoint.
In early August the Trojan was seen shifting its focus towards Brazil, probably in anticipation of the Rio 2016 games. Before that, it had been targeting banks in Europe and North America. Ahead of the Rio 2016 games, a campaign by the malware's developers targeted 10 local banks and some payment platforms in Brazil. Proofpoint noted that the malware, also known as Zeus Panda in some circles, had grown significantly.
The Trojan was initially spread through spam emails and various exploit kits, and it was believed to target UK and Australian banks. Researchers say that the malware has become more relevant in recent weeks. They observed a large infection campaign aimed at European and Australian banks. The campaign also targeted UK online casinos and their international payment systems.
On August 11 and 12, the owners of the malware sent out millions of messages to targeted organizations in manufacturing, retail, insurance and several other industries. The emails purported to come from real banks but contained malicious links that led to Microsoft Word documents. The macros embedded in these documents were what contained the malware, and they would download the banking Trojan onto the victim's device.
The security researchers also discovered that the message used in the campaign was translated into various languages, including Dutch, German, Italian and English. The language used depended on the targeted country.
Like other banking Trojans, the Panda Trojan uses web injects to intercept online banking traffic. These injects are designed to target specific banks, and research showed that they were intended for banks in the Netherlands, Italy and Germany. Compared with previous Trojans, the web injects used by the Panda Trojan have also been substantially expanded.
This might be because of the expansion into casinos and international payment systems such as PayPal, OkPay and Xoom. The attack potential of the Panda Trojan has therefore increased, because international payment systems such as PayPal are not limited by geography the way traditional banks are.
There has been a Panda Banker variant before, and when the two are compared there seem to be no significant changes except for the web injects and the configuration file encryption. Panda Banker is believed to have descended from the Zeus Trojan, which many consider one of the most successful banking Trojans.