New Panda Banker campaign targets Japan's financial institutions

04 Apr 2018

Popular banking malware Panda Banker, also known as PandaBot and Zeus Panda, is reportedly targeting Japan’s financial institutions for the first time.

Arbor Networks researcher Dennis Schwarz says the new spate of attacks in the region is most likely the work of a new threat actor or a new campaign targeting the country.

Panda Banker works by conducting man-in-the-browser and webinject attacks that define what websites the malware should target and with what methods.

The malware is able to steal user credentials, account numbers and money from financial institutions, Schwarz explains.

An independent security researcher named kafeine adds that Panda Banker is being spread by malicious advertisements, also known as malvertising. The ads are redirecting people to a RIG exploit kit that distributes the malware.

Because the malware is sold as an exploit kit on the dark web and in underground forums, different cybercriminals can use it to target different countries.

The newest version, Panda Banker 2.6.6, has been seen operating in the wild since March 26.

Those criminals target specific countries based on their ability to convert stolen credentials and account details from those countries into real money.

Schwarz says Panda Banker campaigns have also been used to target Australia, Canada, Germany, Italy, the United Kingdom, and the United States.

The latest campaign has so far conducted 27 webinjects across 17 Japanese banking websites and a number of other US-based websites.

“The webinjects in this campaign make use of a ‘grabber’ / automated transfer system (ATS) system known as ‘Full Info Grabber’ to capture credentials and account information. As can be seen in figures above, the threat actor is using a path of ‘jpccgrab’ possibly meaning ‘Japanese credit card grabber’. Given the targeting, this name makes some sense,” Schwarz explains.

He also notes that Japan has been targeted by other banking malware in the past; in October 2017 IBM X-Force spotted an Ursnif campaign that started going after Japanese targets.

The Ursnif (Gozi) banking Trojan has become one of the most prevalent financial malware variants over the last few years. The Trojan went after user credentials related to web mail, cloud storage, cryptocurrency exchange platforms and e-commerce websites.

In 2016, FireEye noted that a banking Trojan called URLZone (also known as Shiotob or Bebloh) started targeting Japan as part of a mass spam campaign to Japanese email users. The spam emails delivered the banking Trojan, which then stole users’ banking credentials.
