
Panda Banker

By GoldSparrow in Trojans

Threat Scorecard

Threat Level: 80 % (High)
Infected Computers: 18
First Seen: April 22, 2016
Last Seen: June 21, 2022
OS(es) Affected: Windows

The Panda Banker is a recently uncovered banking Trojan that seems to be related to Zeus, one of the most famous and destructive banking Trojans in history. Zeus is quite an old threat that has spawned countless imitators. The Panda Banker is used to target banks in the United Kingdom and Australia and, like its predecessor, is designed to collect the victim's login information and online banking credentials. The Panda Banker integrates more advanced persistence, infection strategies and modules, which makes it a considerable threat to computer users.

The Panda Banker may Collect and Share Information Collected from the Affected PC

The Panda Banker was first observed on March 10. It is spread using corrupted Microsoft Word files attached to phishing email messages. These Microsoft Office files may take advantage of two known vulnerabilities that have been around for several years, CVE-2014-1761 and CVE-2012-0158, and abuse Microsoft Office's macro support to execute corrupted code on the victim's computer. Emails associated with the Panda Banker also may use social engineering tactics to trick inexperienced computer users into downloading and executing the compromised file.

When the Panda Banker infects a computer, it gathers data about the infected computer and relays it to a remote server. An identifying marker is created for the infected computer to differentiate it from the countless other computers affected by the Panda Banker. The Panda Banker will relay information on the infected computer's name, installed security software, operating system information, its user's name, the time on the affected computer and a variety of other details. The Command and Control server responds with configuration settings contained in a '.json' file that contains additional Command and Control server domains and a list of websites that may be targeted by the Panda Banker infection.

How the Panda Banker Works

The websites contained in the Panda Banker's configuration files are banking portals for some of the most popular banks in Australia and the United Kingdom. Some banks targeted by the Panda Banker include Santander Bank, Bank of Scotland, Lloyds Bank, Halifax UK and TSB. When the victim connects to one of these banks' websites, the Panda Banker activates and hijacks the victim's Web browser to collect the victim's online banking credentials. This tactic was seen in the Zeus Trojan attacks and is highly effective at collecting credentials for the computer user's online accounts.
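The page describes two observable pieces of this behaviour: the C2 returns a JSON configuration listing further C2 domains and targeted bank sites, and the Trojan fires when the victim visits one of those sites. The script below is an added defender-side example, not code from the original page or from the malware, that turns such a config into indicators and triages constructed proxy log lines for hosts that reached a listed C2 domain, singling out those that did so after visiting a targeted bank. The config schema, the placeholder C2 domains and the log format are assumptions made for the example.

```python
import json
from urllib.parse import urlsplit

# Constructed stand-in for the JSON configuration the page says the C2 returns.
# The real schema is not shown on the page; only the two kinds of content it
# describes (extra C2 domains and a list of targeted bank sites) are modelled.
SAMPLE_CONFIG = json.dumps({
    "c2_domains": ["c2-placeholder-one.example", "c2-placeholder-two.example"],
    "targets": ["santander.co.uk", "lloydsbank.com", "halifax.co.uk"],
})

# Constructed proxy log lines in the form "<timestamp> <client-ip> <url>".
SAMPLE_LOG = """\
2016-04-22T10:01:05 10.0.0.5 https://online.santander.co.uk/login
2016-04-22T10:01:09 10.0.0.5 http://c2-placeholder-one.example/gate.php
2016-04-22T10:03:00 10.0.0.7 https://www.bbc.co.uk/news
2016-04-22T10:04:12 10.0.0.9 https://online.lloydsbank.com/auth
2016-04-22T10:05:40 10.0.0.11 http://c2-placeholder-two.example/cfg
2016-04-22T10:09:30 10.0.0.9 https://www.bbc.co.uk/news
"""

def load_indicators(config_text):
    """Pull C2 domains and targeted bank domains out of a config blob."""
    cfg = json.loads(config_text)
    c2 = {d.lower() for d in cfg.get("c2_domains", [])}
    targets = [d.lower() for d in cfg.get("targets", [])]
    return c2, targets

def _is_under(host, domain):
    """True when host equals domain or is a subdomain of it."""
    return host == domain or host.endswith("." + domain)

def triage(log_text, c2_domains, target_domains):
    """Return sorted (client, finding) pairs.

    'c2_contact'  : the client reached a domain listed as C2 in the config.
    'bank_then_c2': the client reached a targeted bank and then a C2 domain,
                    the order expected when hijacked sessions relay credentials.
    """
    seen_bank, findings = set(), set()
    for line in log_text.splitlines():
        _, client, url = line.split(maxsplit=2)
        host = (urlsplit(url).hostname or "").lower()
        if host in c2_domains:
            findings.add((client, "c2_contact"))
            if client in seen_bank:
                findings.add((client, "bank_then_c2"))
        elif any(_is_under(host, d) for d in target_domains):
            seen_bank.add(client)
    return sorted(findings)

if __name__ == "__main__":
    c2, targets = load_indicators(SAMPLE_CONFIG)
    for client, finding in triage(SAMPLE_LOG, c2, targets):
        print(client, finding)
```

A visit to a targeted bank on its own is normal traffic and is deliberately not reported; only contact with a config-listed C2 domain raises a finding.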

Observing the Panda Banker Attacks in the Wild

The Panda Banker is distributed in a variety of ways apart from the use of corrupted Word files. Three exploit kits hosted on compromised websites and attack domains have been associated with the Panda Banker attacks. These exploit kits, Angler, Nuclear and Neutrino, may exploit vulnerabilities on the victim's computer to install the Panda Banker. This threat campaign uses geo-location to ensure that only computer users in Australia and the United Kingdom become infected with the Panda Banker.

Threats Derived from Zeus may be Very Destructive

Banking Trojans associated with Zeus have been responsible for billions of dollars in losses around the world. More importantly, the Panda Banker and other banking Trojans may work together with rootkits, ransomware, and other types of threats to carry out additional attacks on unsuspecting victims. Therefore, it is no surprise that these threats have continued to thrive. One must not forget that Zeus, despite being quite old by the time of the release of the Panda Banker, is a highly effective banking Trojan. Marrying many of its characteristics with more sophisticated methods for persisting in and infiltrating a victim's computer may make the Panda Banker and other attacks derived from Zeus quite formidable.

SpyHunter Detects & Removes Panda Banker

File System Details

Panda Banker may create the following file(s):

Registry Details

Panda Banker may create the following registry entry or registry entries:
Regexp file mask: %APPDATA%\allegro.dll
