A new Zeus Trojan variant dubbed Panda Banker has been specially crafted to target users of 10 major Brazilian banks, as well as users of other services that are popular locally.
“Zeus Panda’s Brazilian configuration file has a notable local hue. Aside from including the URLs of major banks in the country, Panda’s operators are also interested in infecting users who access delivery services for a Brazilian supermarket chain, local law enforcement websites, local network security hardware vendors, Boleto payments and a loyalty program specific to Brazil-based commerce,” IBM researchers have found.
“Other targets include customer logins to a company that offers ATM management services and secure physical access technology for banks.”
The malware was built from the Zeus source code leaked in 2011 and modified to suit the purpose of targeting Brazilian users.
The malware’s capabilities are nothing out of the ordinary: it can steal login credentials on the fly and inject malicious code into ongoing web sessions (to show bogus web forms for users to fill out with sensitive information).
But, according to the researchers, the malware is definitely “a major step up from the malicious Delphi-based malcode that’s so typical in the country.”
“Panda’s operators’ favored fraud methodology is account takeover, in which victim credentials are stolen and then used to initiate a transaction from another device. The victim is held online by deceptive pop-up windows that require one-time passwords and allow the attacker to complete a fraudulent transaction in real time,” they added.
They believe that the group behind this scheme is a well-organized, professional cybercrime outfit and that at least some of its members are located in Brazil. The group is not, however, the malware’s author: the real author sells it on dark web forums, in cybercrime-as-a-service packages modified to fit each customer’s needs.
The gang distributes the Trojan via exploit kits and spam emails carrying booby-trapped Word documents, and the country’s population (over 200 million) is definitely a wide enough target for “generic” attacks. Still, the criminals have also been spotted targeting company email addresses with specially crafted, personalized emails.