
New Panda Banker campaign targets Japan's financial institutions

04 Apr 2018

Popular banking malware Panda Banker, also known as PandaBot and Zeus Panda, is reportedly targeting Japan’s financial institutions for the first time.

Arbor Networks researcher Dennis Schwarz says the new spate of attacks in the region is most likely the work of a new threat actor or a new campaign targeting the country.

Panda Banker works by conducting man-in-the-browser and webinject attacks; the webinjects define which websites the malware should target and with what methods.
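To make "which websites and with what methods" concrete, here is an added example (not code from the article or from Arbor's report) that parses a webinject configuration in the classic Zeus text syntax (set_url / data_before / data_inject / data_after / data_end), which Zeus Panda is assumed here to have inherited; it is the kind of parser an analyst uses to enumerate the targets and harvested fields from an extracted config. The config text, domains and payload are constructed placeholders, not values from the campaign.

```python
import fnmatch
import re
from dataclasses import dataclass

@dataclass
class WebInject:              # one set_url entry: target page and injected payload
    url_mask: str             # wildcard mask compared against the full URL
    flags: str                # e.g. G = apply on GET, P = apply on POST
    before: str = ""          # marker after which the payload is inserted
    inject: str = ""          # HTML/JS the malware inserts into the page
    after: str = ""           # marker ending the replaced region

def parse_webinjects(text):
    """Parse Zeus-style webinject text into a list of WebInject records."""
    injects, current, block, buf = [], None, None, []
    for raw in text.splitlines():
        line = raw.strip()
        if block is not None:                  # inside a data_* ... data_end block
            if line == "data_end":
                setattr(current, block, "\n".join(buf))
                block, buf = None, []
            else:
                buf.append(raw)
            continue
        if line.startswith("set_url"):
            parts = line.split()
            current = WebInject(parts[1], parts[2] if len(parts) > 2 else "")
            injects.append(current)
        elif line in ("data_before", "data_inject", "data_after") and current:
            block = line[len("data_"):]        # attribute name: before/inject/after
    return injects

def targets_for(injects, url):
    # Injects whose mask matches a visited URL (what the malware would act on).
    return [i for i in injects if fnmatch.fnmatchcase(url, i.url_mask)]

def injected_field_names(inject):
    # Form fields the payload adds, i.e. the extra data a grabber harvests.
    return re.findall(r'name="([^"]+)"', inject.inject)

# Constructed sample config; the domain and payload are placeholders, not real IoCs.
SAMPLE = """\
set_url https://*.example-bank.jp/login* GP
data_before
<input type="password"*>
data_end
data_inject
<input type="text" name="secret_question">
data_end
"""
```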

The malware is able to steal user credentials, account numbers and money from financial institutions, Schwarz explains.

An independent security researcher named kafeine adds that Panda Banker is being spread by malicious advertisements, also known as malvertising. The ads are redirecting people to a RIG exploit kit that distributes the malware.

Because the malware is sold as an exploit kit on the dark web and in underground forums, different cybercriminals can use it to target different countries.

The newest version, Panda Banker 2.6.6, has been seen operating in the wild since March 26.

Those criminals target specific countries based on their ability to convert stolen credentials and account details from those countries into real money.

Schwarz says Panda Banker campaigns have also been used to target Australia, Canada, Germany, Italy, the United Kingdom, and the United States.

The latest campaign has so far conducted 27 webinjects across 17 Japanese banking websites and a number of other US-based websites.

“The webinjects in this campaign make use of a ‘grabber’ / automated transfer system (ATS) system known as ‘Full Info Grabber’ to capture credentials and account information. As can be seen in figures above, the threat actor is using a path of ‘jpccgrab’ possibly meaning ‘Japanese credit card grabber’. Given the targeting, this name makes some sense,” Schwarz explains.

He also notes that Japan has been targeted by other banking malware in the past; in October 2017 IBM X-Force spotted an Ursnif campaign that started going after Japanese targets.

The Ursnif (Gozi) banking Trojan has become one of the most prevalent financial malware variants over the last few years. The Trojan went after user credentials related to web mail, cloud storage, cryptocurrency exchange platforms and e-commerce websites.

In 2016, FireEye noted that a banking Trojan called URLZone (also known as Shiotob or Bebloh) started targeting Japan as part of a mass spam campaign to Japanese email users. The spam emails delivered the banking Trojan, which then stole users’ banking credentials.
