Popular banking malware Panda Banker, also known as PandaBot and Zeus Panda, is reportedly targeting Japan’s financial institutions for the first time.
Arbor Networks researcher Dennis Schwarz says the new spate of attacks in the region is most likely the work of a new threat actor or a new campaign targeting the country.
Panda Banker works by conducting man-in-the-browser and webinject attacks; its webinject configuration defines which websites the malware should target and with what methods.
The malware is able to steal user credentials, account numbers and money from financial institutions, Schwarz explains.
An independent security researcher named kafeine adds that Panda Banker is being spread by malicious advertisements, also known as malvertising. The ads are redirecting people to a RIG exploit kit that distributes the malware.
Because the malware is sold as an exploit kit on the dark web and in underground forums, different cybercriminals can use it to target different countries.
The newest version, Panda Banker 2.6.6, has been seen operating in the wild since March 26.
Those criminals target specific countries based on their ability to convert stolen credentials and account details from those countries into real money.
Schwarz says Panda Banker campaigns have also been used to target Australia, Canada, Germany, Italy, the United Kingdom, and the United States.
The latest campaign has so far conducted 27 webinjects across 17 Japanese banking websites and a number of other US-based websites.
“The webinjects in this campaign make use of a ‘grabber’ / automated transfer system (ATS) system known as ‘Full Info Grabber’ to capture credentials and account information. As can be seen in figures above, the threat actor is using a path of ‘jpccgrab’ possibly meaning ‘Japanese credit card grabber’. Given the targeting, this name makes some sense,” Schwarz explains.
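Webinject configurations like the ones described above are the most useful artifact a defender recovers from a Zeus-family sample, because they enumerate the targeted sites and the hosts the injected scripts are pulled from. The following added example (not code from the article or from Arbor's analysis) parses a constructed configuration written in the classic Zeus-family `set_url` / `data_before` / `data_inject` / `data_after` text format, which is an assumption about the layout rather than something the article shows, and reports the targeted hosts together with the external script hosts each inject loads, so they can be fed into blocklists and customer notification.

```python
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Constructed sample in the classic Zeus-family webinject text format.
# Hosts are placeholders; nothing here is taken from a real configuration.
SAMPLE_CONFIG = """
set_url https://www.example-bank.jp/login* GP
data_before
<form name="login"*>
data_end
data_inject
<script src="https://inject.example/jpccgrab/full.js"></script>
data_end
data_after
data_end

set_url https://cards.example-shop.com/checkout* G
data_before
</body>
data_end
data_inject
<script src="https://inject.example/grab.js"></script>
data_end
data_after
data_end
"""

@dataclass
class WebInject:
    url_pattern: str        # wildcard URL the browser request is matched against
    flags: str              # request-method flags following the URL (e.g. G, P)
    data_before: str = ""   # HTML the inject is anchored after
    data_inject: str = ""   # content inserted into the victim's page
    data_after: str = ""    # HTML that terminates the anchor search

    def target_host(self) -> str:
        return urlparse(self.url_pattern.replace("*", "")).hostname or ""

    def injected_script_hosts(self) -> list:
        """External hosts referenced by src= attributes in the injected content."""
        srcs = re.findall(r'src=["\']([^"\']+)', self.data_inject)
        return sorted({urlparse(s).hostname for s in srcs if urlparse(s).hostname})

def parse_webinjects(text: str) -> list:
    """Walk the config line by line, collecting one WebInject per set_url block."""
    injects, current, section, buf = [], None, None, []
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.startswith("set_url"):
            parts = stripped.split()
            current = WebInject(parts[1], parts[2] if len(parts) > 2 else "")
            injects.append(current)
        elif stripped in ("data_before", "data_inject", "data_after"):
            section, buf = stripped, []
        elif stripped == "data_end" and current is not None and section:
            setattr(current, section, "\n".join(buf))
            section = None
        elif section is not None:
            buf.append(line)
    return injects

def summarize(injects: list) -> dict:
    """Map each targeted host to the script hosts its injects load from."""
    report = {}
    for inj in injects:
        report.setdefault(inj.target_host(), set()).update(inj.injected_script_hosts())
    return {host: sorted(hosts) for host, hosts in report.items()}

if __name__ == "__main__":
    for host, script_hosts in summarize(parse_webinjects(SAMPLE_CONFIG)).items():
        print(f"{host} -> {', '.join(script_hosts)}")
```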
He also notes that Japan has been targeted by other banking malware in the past; in October 2017 IBM X-Force spotted an Ursnif campaign that started going after Japanese targets.
The Ursnif (Gozi) banking Trojan has become one of the most prevalent financial malware variants over the last few years. The Trojan went after user credentials related to web mail, cloud storage, cryptocurrency exchange platforms and e-commerce websites.
In 2016, FireEye noted that a banking Trojan called URLZone (also known as Shiotob or Bebloh) started targeting Japan as part of a mass spam campaign to Japanese email users. The spam emails delivered the banking Trojan, which then stole users’ banking credentials.