Panda Banker Trojan becomes part of Emotet threat distribution platform

The Zeus variant is now actively targeting organizations in the US, Canada, and Japan.
Written by Charlie Osborne, Contributing Writer

The Panda banking Trojan, used to steal money from organizations worldwide, is now being distributed through the Emotet threat platform.

According to researchers from Cylance, Panda Banker, a variant of the Zeus banking malware, is still an active threat over two years after discovery.

The Zeus spin-off is used in targeted phishing attacks conducted over email, as well as attacks launched via exploit kits including Angler, Nuclear, and Neutrino.

Cyberattackers utilizing the malware often embed the malicious code in crafted Microsoft documents, designed to deploy the payload through macros.

Once Panda Banker has compromised a victim machine, the malware connects to a command-and-control (C2) server and sends along information including the OS version, latency, local time, computer name, data relating to any antivirus software which has been installed, and what firewalls are in operation.

This information is also used to check to see if the Trojan is operating in a sandbox environment, often used by researchers to dissect malware families and their internal code.

See also: 'Father of Zeus' Kronos malware exploits Office bug to hijack your bank account

The Trojan then creates a copy of itself which, in turn, creates two svchost.exe processes which are imbued with the Trojan.

Panda Banker also scans the system to find any known web browsers in use. If they are discovered, the Trojan injects a plugin which intercepts user traffic.

The malware will lie in wait until such time as a user visits a target website, such as an online banking system or credit card company. A script is then deployed to grab bank and credit card data, account credentials, and personal information, which is fed back to the C2 and can later be used to plunder financial accounts.

The malware has gone through a number of evolutions of late. The malware has been bolstered with a number of heavy code obfuscation techniques and multi-encryption layering and is now also being delivered through Emotet.

Emotet was once the name issued to a banking Trojan in its own right which was active in Europe for a number of years. However, the group behind Emotet, dubbed Mealybug, has pivoted Emotet towards threat distribution in recent years.

"Because it can self-propagate, Emotet presents a particular challenge for organizations," Symantec researchers say. "Network worms have been experiencing a kind of renaissance, with notable examples like WannaCry and Petya/NotPetya. Network spreading also means that victims can become infected without ever clicking on a malicious link or downloading a malicious attachment."

TechRepublic: Evrial Trojan can steal what's saved on your Windows Clipboard, including Bitcoins

Emotet, acting as a distribution and packer system for other malware, is able to brute-force PCs on a compromised network as well as generate emails in the name of a compromised account, placing business users on a corporate network, as well as the general public, at risk.

In 2017, Emotet was observed deploying the IcedID banking Trojan, alongside the Trickybot and Ransom.UmbreCrypt ransomware variants.

Panda Banker began its criminal path by targeting victims in Japan. While the malware is still active in the country, the Trojan has now also been located in the US and Canada.

CNET: Chinese trojan detected spreading through fake base stations

In total, at least one video streaming service, one pornography website, 11 credit card firms, and one e-commerce platform have been attacked in Japan. In Canada, nine banks have become the target of Panda Banker, and a total of eight banking companies, two payroll systems, and one blockchain firm have been targeted in the United States.

"The malware focused primarily on stealing bank account and credit card information, as well as personal information in payroll systems," Cylance says. "Web wallet and blockchain information were also targeted."

The deployment of Panda Banker through Emotet is unsurprising and shows that the Trojan still holds an active user base. As cybersecurity firms battle on to combat the latest threats and organizations begin to recognize the true potential for damage malware infestations can cause, any distribution platform which may increase the rate of success is something criminals will invest in.

The worst cyberattacks undertaken by nation-state hackers

Previous and related coverage

Editorial standards