Researchers at Proofpoint, a cyber security company, have reported a new banking trojan, Panda Banker, built on the source code of the notorious Zeus.
According to Proofpoint, Inc., the malware is distributed via phishing emails and exploit kits.
New Banking Trojan Panda Banker Based On Zeus Source Code
On March 10 of this year, researchers observed a spam campaign aimed at members of the media and production companies.
The phishing emails carried a malicious document that exploits two Microsoft Office vulnerabilities, CVE-2014-1761 and CVE-2012-0158, to download Panda Banker from a remote server.
On March 19, researchers found another campaign, this time aimed at financial organizations. The malicious documents contain macros that download a loader known as Godzilla, which in turn downloads Panda Banker.
Proofpoint's researchers also saw Panda Banker delivered in March 2016 by three popular exploit kits, Angler, Nuclear, and Neutrino, in campaigns aimed at organizations in Australia and the UK.
Once it infects a system, Panda Banker contacts its command-and-control (C&C) server and sends information about the compromised device, including which anti-virus and firewall products are installed.
The server responds with a configuration file in JSON format containing the list of C&C domains and the list of websites into which Panda Banker will inject malicious code.
Proofpoint has also observed Panda Banker targeting the customers of banks including Halifax UK, Lloyds Bank, TSB, Bank of Scotland, and Santander. In analysing Panda Banker, the researchers found many similarities with Zeus.
The mutexes, files, folders, and registry keys the malware creates match those of Zeus. To conceal the real IP addresses of the servers behind Panda Banker, the attackers used fast-flux DNS, a technique also seen in Zeus attacks.
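Fast-flux infrastructure of the kind described above leaves a recognisable footprint in DNS telemetry: one name resolving to many unrelated addresses with very short TTLs. The following heuristic detector is an added example written for this article, not Proofpoint's or the malware's code; the observations, domain names and thresholds are constructed assumptions.

```python
# Added illustration, not from the article or Proofpoint: heuristic fast-flux
# detection over passive-DNS style observations. Fast-flux domains cycle through
# many IPs in unrelated networks with short TTLs; stable hosting does not.
from collections import defaultdict
from ipaddress import ip_address
from statistics import median

# Each observation is (epoch_seconds, domain, answer_ip, ttl). Constructed
# sample using RFC 5737 documentation ranges; domain names are placeholders.
SAMPLE = [
    (1000, "flux-c2.example", "192.0.2.10", 60),
    (1300, "flux-c2.example", "198.51.100.5", 60),
    (1600, "flux-c2.example", "203.0.113.9", 120),
    (1900, "flux-c2.example", "192.0.2.77", 60),
    (2200, "flux-c2.example", "198.51.100.200", 60),
    (2500, "flux-c2.example", "203.0.113.44", 60),
    (1000, "static-site.example", "198.51.100.1", 3600),
    (2800, "static-site.example", "198.51.100.1", 3600),
]


def _net16(ip):
    """Coarse /16 key so several IPs in one provider block count as one net."""
    return ip_address(ip).packed[:2]


def fast_flux_candidates(obs, window=3600, max_ttl=300, min_ips=5, min_nets=3):
    """Return {domain: True/False}. A domain is flagged when, within `window`
    seconds of its first sighting, it resolved to >= min_ips distinct IPs in
    >= min_nets distinct /16 blocks with a median TTL <= max_ttl."""
    by_name = defaultdict(list)
    for o in obs:
        by_name[o[1]].append(o)
    verdicts = {}
    for name, recs in by_name.items():
        start = min(ts for ts, _, _, _ in recs)
        recent = [r for r in recs if r[0] - start <= window]
        ips = {r[2] for r in recent}
        nets = {_net16(r[2]) for r in recent}
        ttl_ok = median(r[3] for r in recent) <= max_ttl
        verdicts[name] = len(ips) >= min_ips and len(nets) >= min_nets and ttl_ok
    return verdicts


if __name__ == "__main__":
    for domain, flagged in fast_flux_candidates(SAMPLE).items():
        print(domain, "fast-flux candidate" if flagged else "stable")
```

The thresholds are a starting point for tuning against your own resolver logs; CDNs also rotate addresses, so treat a hit as a lead to enrich with threat intelligence rather than a verdict.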