
New Panda Banker campaign targets Japan's financial institutions

04 Apr 18

Popular banking malware Panda Banker, also known as PandaBot and Zeus Panda, is reportedly targeting Japan’s financial institutions for the first time.

Arbor Networks researcher Dennis Schwarz says the new spate of attacks in the region is most likely the work of a new threat actor or a new campaign targeting the country.

Panda Banker works by conducting man-in-the-browser and webinject attacks that define what websites the malware should target and with what methods.

The malware is able to steal user credentials, account numbers and money from financial institutions, Schwarz explains.

An independent security researcher named kafeine adds that Panda Banker is being spread by malicious advertisements, also known as malvertising. The ads are redirecting people to a RIG exploit kit that distributes the malware.

Because the malware is sold as an exploit kit on the dark web and in underground forums, different cybercriminals can use it to target different countries.

The newest version, Panda Banker 2.6.6, has been seen operating in the wild since March 26.

Those criminals target specific countries based on their ability to convert stolen credentials and account details from those countries into real money.

Schwarz says Panda Banker campaigns have also been used to target Australia, Canada, Germany, Italy, the United Kingdom, and the United States.

The latest campaign has so far conducted 27 webinjects across 17 Japanese banking websites and a number of other US-based websites.

“The webinjects in this campaign make use of a ‘grabber’ / automated transfer system (ATS) system known as ‘Full Info Grabber’ to capture credentials and account information. As can be seen in figures above, the threat actor is using a path of ‘jpccgrab’ possibly meaning ‘Japanese credit card grabber’. Given the targeting, this name makes some sense,” Schwarz explains.
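Webinject configs of the kind described above (a list of URL masks and the HTML each one inserts) are routinely recovered by analysts to enumerate which banks a campaign targets and where the grabber/ATS script is loaded from. The parser below is an added example, not code from the article or from Panda Banker; it assumes the classic Zeus text layout (set_url / data_before / data_inject / data_end) and uses a constructed sample config with placeholder hosts.

```python
import re
from collections import Counter
from urllib.parse import urlparse
# Constructed sample in the classic Zeus text format (an assumption; the
# article does not show Panda Banker's own config encoding). Flags after the
# URL mask: G = GET, P = POST, L = log-only page grab.
SAMPLE_CONFIG = """\
set_url https://www.example-bank.jp/login* GP
data_before
<form id="login"*>
data_end
data_inject
<script src="https://cdn.example-ats.invalid/jpccgrab/full.js"></script>
data_end

set_url https://*.example-bank.jp/transfer* GP
data_before
name="amount"
data_end
data_inject
<div id="ats-hook"></div>
data_end

set_url https://secure.example-card.jp/* L
data_inject
data_end
"""
SET_URL = re.compile(r"^set_url\s+(\S+)(?:\s+([A-Za-z]+))?\s*$", re.MULTILINE)
INJECT = re.compile(r"^data_inject\n(.*?)^data_end", re.MULTILINE | re.DOTALL)
SCRIPT_SRC = re.compile(r'src="(https?://[^"]+)"')

def parse_webinjects(text):
    """Split the config on set_url lines; return URL mask, flags and injected HTML."""
    heads = list(SET_URL.finditer(text))
    entries = []
    for i, m in enumerate(heads):
        end = heads[i + 1].start() if i + 1 < len(heads) else len(text)
        inj = INJECT.search(text, m.end(), end)  # only look inside this entry
        entries.append({"mask": m.group(1), "flags": m.group(2) or "",
                        "inject": inj.group(1).strip() if inj else ""})
    return entries

def summarize(text):
    """Injects per bank host ('*.'/'www.' collapsed) and third-party script hosts (ATS)."""
    entries = parse_webinjects(text)
    hosts = Counter(re.sub(r"^(\*\.|www\.)", "", urlparse(e["mask"]).netloc.lower())
                    for e in entries)
    external = sorted({urlparse(u).netloc for e in entries
                       for u in SCRIPT_SRC.findall(e["inject"])})
    return {"injects": len(entries), "hosts": hosts, "external_scripts": external}
```

Running `summarize(SAMPLE_CONFIG)` reports three injects over two bank hosts and one external script host, which is the kind of count behind "27 webinjects across 17 websites"; the external hosts are the natural blocklist and proxy-log pivot for defenders.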

He also notes that Japan has been targeted by other banking malware in the past; in October 2017 IBM X-Force spotted an Ursnif campaign that started going after Japanese targets.

The Ursnif (Gozi) banking Trojan has become one of the most prevalent financial malware variants over the last few years. The Trojan went after user credentials related to web mail, cloud storage, cryptocurrency exchange platforms and e-commerce websites.

In 2016, FireEye noted that a banking Trojan called URLZone (also known as Shiotob or Bebloh) started targeting Japan as part of a mass spam campaign aimed at Japanese email users. The spam emails delivered the banking Trojan, which then stole users’ banking credentials.
