A group of attackers is using a combination of Google search-engine optimization (SEO) for banking-related keywords, compromised websites, and malicious Word macros to infect users with the Zeus Panda bank credential stealer.
Attackers have used SEO poisoning in the past to spread malware, but this group is using the technique in a particularly crafty manner to ensure malicious links are seen by people who regularly use a specific bank, essentially profiling victims before infection.
Researchers at Cisco's Talos security team discovered the campaign and have highlighted the keyword searches being targeted.
The terms suggest they're targeting customers of Nordea Sweden, the State Bank of India, India's Bank of Baroda and Axis Bank, the Commonwealth Bank of Australia, and Saudi Arabia's Al Rajhi Bank. They're also targeting users who are searching for details about the SWIFT banking network.
Notably, once a system is infected, the malware won't activate if it detects that the keyboard mapping is Russian, Belarusian, Kazakh, or Ukrainian. Hackers often avoid targeting users from the jurisdiction in which they operate to avoid attracting attention from local law enforcement.
The attackers first compromised a series of genuine business websites, and then optimized them to appear at the top of organic Google search results for certain search terms.
According to Cisco, the attackers were able to get their poisoned results displayed several times on page one of Google's Search Engine Results Page.
The search terms included:
From here, the attackers rely on social engineering to trick the user into enabling macro code. Macros are disabled by default and Microsoft recommends they are kept that way, in particular for documents from untrusted sources, such as the internet.
When the Word document is opened it displays the message: "To view this content, please click 'Enable Editing' from the yellow bar and then click 'Enable Content'".
This instruction probably refers to the yellow security warning Office displays when it detects a file with macros in it. The warning states that "Macros have been disabled" next to an "Enable Content" button.
If the user does enable it, the malicious macro will download an executable that infects the system with Zeus Panda.
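A defender-side triage check for the lure described above, added here as an example and not taken from Cisco Talos or the article: it assumes the attachment is an OOXML (.docx/.docm) container and flags a VBA project part together with the quoted "Enable Content" wording. The function names and the sample documents are constructed for illustration.

```python
import io
import re
import zipfile

# Lure wording quoted in the article, matched loosely to survive small edits.
LURE = re.compile(r"enable\s+editing.*enable\s+content", re.I | re.S)

def triage_docx(data: bytes) -> dict:
    """Report whether an OOXML Word file carries VBA macros and/or the lure text."""
    result = {"ooxml": False, "has_macros": False, "has_lure": False}
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return result  # legacy OLE .doc or another format: out of scope here
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        result["ooxml"] = "[Content_Types].xml" in names
        # Macro-enabled Word documents store their VBA project in this part.
        result["has_macros"] = any(n.lower().endswith("vbaproject.bin") for n in names)
        if "word/document.xml" in names:
            xml = zf.read("word/document.xml").decode("utf-8", "replace")
            # Strip tags so text split across several runs still matches.
            text = re.sub(r"<[^>]+>", "", xml)
            result["has_lure"] = bool(LURE.search(text))
    return result

def verdict(r: dict) -> str:
    """Both signals together: block. One signal: send for manual review."""
    if r["has_macros"] and r["has_lure"]:
        return "block"
    if r["has_macros"] or r["has_lure"]:
        return "review"
    return "allow"

def build_sample(with_macro: bool, body: str) -> bytes:
    """Constructed test document: minimal parts only, no real VBA inside."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml",
                    f"<w:document><w:body><w:p><w:r><w:t>{body}</w:t>"
                    "</w:r></w:p></w:body></w:document>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"constructed placeholder")
    return buf.getvalue()
```

Legacy binary .doc files are not ZIP containers, so they come back with `ooxml` set to `False` and need a separate OLE parser.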