
New Panda Banker campaign targets Japan's financial institutions

04 Apr 18

Popular banking malware Panda Banker, also known as PandaBot and Zeus Panda, is reportedly targeting Japan’s financial institutions for the first time.

Arbor Networks researcher Dennis Schwarz says the new spate of attacks in the region is most likely the work of a new threat actor or a new campaign targeting the country.

Panda Banker works by conducting man-in-the-browser attacks driven by webinjects, which define which websites the malware should target and with what methods.
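To show what such a targeting definition looks like from the analyst's side, here is an added example (not the article's or any vendor's code) that parses a Zeus-family style webinject configuration and answers the two triage questions a bank's defenders ask of one: which of their pages it fires on, and which external resources it pulls in. The `set_url` / `data_before` / `data_inject` / `data_after` / `data_end` layout is the assumed format; the sample config and all hostnames in it are constructed.

```python
# Added example (not the article's code): parse a Zeus-family style webinject
# config, the mechanism the article says decides which sites Panda Banker targets and how.
import re

# Constructed sample config (not a real one); the flags after each URL pattern select request methods.
SAMPLE_CONFIG = """\
set_url https://bank.example.jp/login* GP
data_before
<input type="password" name="pass">
data_end
data_inject
<input type="text" name="card_pin">
data_end
data_after
</form>
data_end
set_url https://*.bank.example.com/* GL
data_inject
<script src="https://c2.example/jpccgrab/grab.js"></script>
data_end
"""

def parse_webinjects(text):
    """Return dicts with url, flags (e.g. G=GET, P=POST), before, inject, after."""
    injects, section, buf = [], None, []
    for line in text.splitlines():
        s = line.strip()
        if s.startswith("set_url "):
            url, flags = (s.split() + [""])[1:3]   # flags are optional
            injects.append(dict(url=url, flags=flags, before="", inject="", after=""))
        elif s in ("data_before", "data_inject", "data_after"):
            section, buf = s[5:], []               # strip the "data_" prefix
        elif s == "data_end" and injects and section:
            injects[-1][section] = "\n".join(buf)
            section = None
        elif section is not None:
            buf.append(line)
    return injects

def _wildcard(pattern):
    # "*" is the only wildcard in this format; everything else matches literally
    return "^" + ".*".join(re.escape(p) for p in pattern.split("*")) + "$"

def matching_injects(injects, url):
    """Injects that would fire on a URL: tells a bank which of its pages are targeted."""
    return [i for i in injects if re.match(_wildcard(i["url"]), url)]

def injected_script_sources(injects):
    """External scripts pulled in by injects: candidate indicators to block or hunt for."""
    return re.findall(r'<script[^>]*\ssrc="([^"]+)"', "\n".join(i["inject"] for i in injects))
```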

The malware is able to steal user credentials, account numbers and money from financial institutions, Schwarz explains.

Independent security researcher kafeine adds that Panda Banker is being spread by malicious advertisements, also known as malvertising. The ads redirect people to the RIG exploit kit, which distributes the malware.

Because the malware is sold as an exploit kit on the dark web and in underground forums, different cybercriminals can use it to target different countries.

The newest version, Panda Banker 2.6.6, has been spotted operating in the wild since March 26.

Those criminals target specific countries based on their ability to convert stolen credentials and account details from those countries into real money.

Schwarz says Panda Banker campaigns have also been used to target Australia, Canada, Germany, Italy, the United Kingdom, and the United States.

The latest campaign has so far conducted 27 webinjects across 17 Japanese banking websites and a number of other US-based websites.

“The webinjects in this campaign make use of a ‘grabber’ / automated transfer system (ATS) system known as ‘Full Info Grabber’ to capture credentials and account information. As can be seen in figures above, the threat actor is using a path of ‘jpccgrab’ possibly meaning ‘Japanese credit card grabber’. Given the targeting, this name makes some sense,” Schwarz explains.

He also notes that Japan has been targeted by other banking malware in the past; in October 2017 IBM X-Force spotted an Ursnif campaign that started going after Japanese targets.

The Ursnif (Gozi) banking Trojan has become one of the most prevalent financial malware variants over the last few years. The Trojan went after user credentials related to web mail, cloud storage, cryptocurrency exchange platforms and e-commerce websites.

In 2016, FireEye noted that a banking Trojan called URLZone (also known as Shiotob or Bebloh) started targeting Japan as part of a mass spam campaign to Japanese email users. The spam emails delivered the banking Trojan, which then stole users’ banking credentials.
