Delaware, USA – May 14, 2018 – The Panda banking trojan was created two years ago from the code of the infamous Zeus trojan and is actively used in attacks on financial organizations across the globe. This month, researchers from F5 discovered several campaigns spreading this trojan and believe all of them were conducted by the same hacker group. In recent campaigns, the adversaries expanded their list of targets: they are now also interested in cryptocurrency sites and social media platforms. The attackers switched to HTTPS for their command and control servers to hide their malicious activity from traffic inspection controls. The Panda botnet “2.6.8” conducted two campaigns against organizations in North America and Japan, and the adversaries simultaneously launched a campaign against financial institutions in Ecuador, Colombia and Argentina using the botnet “Cosmos 3”. Each attack used separate infrastructure, and the banking trojan was slightly modified for each campaign.
Panda malware uses the webinjects technique, spies on user activity by taking screenshots and sending them to the C&C server, and enables “Man-in-the-browser” attacks. To detect the trojan, regularly update your anti-virus software and deploy security solutions that monitor traffic on the organization’s network. Your SIEM and Netflow Security Monitor can detect suspicious traffic surges that may indicate data exfiltration or communication with the C&C server.
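As an added illustration of the NetFlow-based detection suggested above (example code written for this page, not part of the original article or any vendor product), the snippet below aggregates constructed flow records and flags an internal host whose HTTPS traffic to a single external destination is both upload-heavy and far above the volume other host/destination pairs show, which is the shape screenshot exfiltration or beaconing to an HTTPS C&C server tends to leave. All IP addresses, byte counts and thresholds are constructed sample values.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network
from statistics import median

# RFC 1918 ranges are treated as "internal"; anything else counts as external.
INTERNAL = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed NetFlow-style records: (src_ip, dst_ip, dst_port, bytes_out, bytes_in).
# External hosts use IANA documentation ranges; none of this is real telemetry.
FLOWS = [
    ("10.0.0.5", "203.0.113.10", 443, 4200, 51000),
    ("10.0.0.5", "198.51.100.7", 443, 3100, 44000),
    ("10.0.0.6", "203.0.113.10", 443, 3900, 48000),
    ("10.0.0.6", "198.51.100.7", 443, 2800, 39000),
    ("10.0.0.7", "203.0.113.10", 443, 4100, 50500),
    # 10.0.0.8 repeatedly pushes megabytes to one external host over 443 while
    # receiving little back: the opposite of ordinary (download-heavy) browsing.
    ("10.0.0.8", "192.0.2.33", 443, 2_600_000, 18000),
    ("10.0.0.8", "192.0.2.33", 443, 2_400_000, 17000),
    ("10.0.0.8", "203.0.113.10", 443, 4000, 49000),
]

def is_internal(ip):
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL)

def summarize(flows, port=443):
    """Sum outbound/inbound bytes per (internal src, external dst) pair on the given port."""
    pairs = defaultdict(lambda: [0, 0])
    for src, dst, dport, b_out, b_in in flows:
        if dport == port and is_internal(src) and not is_internal(dst):
            pairs[(src, dst)][0] += b_out
            pairs[(src, dst)][1] += b_in
    return pairs

def flag_suspicious(flows, ratio_floor=2.0, volume_factor=20.0):
    """Return (src, dst, bytes_out, out_in_ratio) for pairs where the internal host
    uploads at least ratio_floor times what it downloads AND its upload volume is at
    least volume_factor times the median upload of all pairs. Requiring both keeps a
    single large but normal upload (e.g. a file sync) from firing on ratio alone."""
    pairs = summarize(flows)
    uploads = [out for out, _ in pairs.values()]
    baseline = median(uploads) if uploads else 0
    hits = []
    for (src, dst), (b_out, b_in) in pairs.items():
        ratio = b_out / max(b_in, 1)
        if ratio >= ratio_floor and b_out >= volume_factor * baseline:
            hits.append((src, dst, b_out, round(ratio, 1)))
    return hits
```

In a real deployment the baseline would come from each host's own history rather than from the other pairs in one batch, and hits would be enriched with the destination's TLS certificate and domain age before anyone is paged.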