Threat Spotlight: Panda Banker Trojan Targets the US, Canada and Japan
Panda Banker is a banking trojan which uses a variant of the Zeus source code. First discovered in 2016, this threat remains active and recently received numerous updates.
Panda Banker injects malicious script code into a target's web page on the victim's browser by using man-in-the-browser techniques. The injected code grabs bank account, credit card, and personal information.
Panda Banker has recently been delivered via Emotet [2, 3, 4]. Panda Banker takes several steps to hide its behavior. Heavy code obfuscation and multi-encryption layering make it difficult to dissect this malware’s C2 communication and malicious scripting.
Panda Banker primarily targets victims in the United States, Canada, and Japan. The malware focuses on bank account, credit card, and web wallet information. The following is a technical overview detailing what our threat research team uncovered.
Panda Banker has a sophisticated attack cycle (Figure 1). It begins by checking the victim’s environment to determine if it is in a sandbox. Next it creates a copy of itself to include extended file attributes. Once complete, the process launches the newly created malware copy before exiting. The new copy creates two svchost.exe processes, then injects itself into them.
Panda Banker gets the C2 URL from configuration data embedded in its payload. It also communicates with the C2 server to obtain additional configuration information. If it finds the process name of a known web browser, it injects a plugin DLL into that web browser to intercept traffic.
Panda Banker waits for the infected browser to visit a target website (such as a bank or credit card company). When a target site is visited, the malware injects a target-specific grabber script to steal bank account, credit card, and personal information:
Figure 1: Panda Banker attack cycle
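The spawn-then-inject chain described above (a dropped copy starting two svchost.exe processes, injecting into them, and one of those later injecting into a browser) can be turned into an endpoint detection heuristic. The following is an added example, not code from the report or its authors: it scans constructed Sysmon-style ProcessCreate and CreateRemoteThread records, and the field names, process IDs and file paths are all assumptions.

```python
from collections import defaultdict

BROWSERS = {"firefox.exe", "chrome.exe", "iexplore.exe", "msedge.exe"}

def basename(path):
    """Last path component, lower-cased; handles Windows paths on any host."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()

def detect_svchost_injection(events):
    """Return (rule, detail) alerts for the chain described above: svchost.exe
    not spawned by services.exe, its parent threading into it, and a
    svchost.exe later threading into a known web browser."""
    image_of = {}                           # pid -> image path
    spawned = defaultdict(set)              # parent pid -> suspect svchost pids
    alerts = []
    for ev in events:                       # pass 1: ProcessCreate (Sysmon 1)
        if ev["id"] != 1:
            continue
        image_of[ev["pid"]] = ev["image"]
        if basename(ev["image"]) == "svchost.exe" and \
                basename(ev["parent_image"]) != "services.exe":
            spawned[ev["parent_pid"]].add(ev["pid"])
            alerts.append(("svchost_unusual_parent",
                           f"pid {ev['pid']} spawned by {ev['parent_image']}"))
    for ev in events:                       # pass 2: CreateRemoteThread (Sysmon 8)
        if ev["id"] != 8:
            continue
        src, dst = ev["source_pid"], ev["target_pid"]
        if dst in spawned.get(src, ()):
            alerts.append(("thread_into_own_svchost", f"{src} -> {dst}"))
        if basename(image_of.get(src, "")) == "svchost.exe" and \
                basename(image_of.get(dst, "")) in BROWSERS:
            alerts.append(("svchost_thread_into_browser", f"{src} -> {dst}"))
    return alerts

# Constructed sample (not real telemetry): a dropped copy spawns two svchost.exe
# processes, threads into both, one threads into Firefox; pid 400 is a negative.
SAMPLE_EVENTS = [
    {"id": 1, "pid": 400, "image": r"C:\Windows\System32\svchost.exe",
     "parent_pid": 300, "parent_image": r"C:\Windows\System32\services.exe"},
    {"id": 1, "pid": 1600, "image": r"C:\Windows\System32\svchost.exe",
     "parent_pid": 1500, "parent_image": r"C:\Users\u\AppData\Roaming\x\x.exe"},
    {"id": 1, "pid": 1601, "image": r"C:\Windows\System32\svchost.exe",
     "parent_pid": 1500, "parent_image": r"C:\Users\u\AppData\Roaming\x\x.exe"},
    {"id": 1, "pid": 2000, "image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "parent_pid": 50, "parent_image": r"C:\Windows\explorer.exe"},
    {"id": 8, "source_pid": 1500, "target_pid": 1600},
    {"id": 8, "source_pid": 1500, "target_pid": 1601},
    {"id": 8, "source_pid": 1600, "target_pid": 2000},
]
```

Running `detect_svchost_injection(SAMPLE_EVENTS)` yields five alerts: two unusual-parent hits, two remote threads into the parent's own svchost.exe processes, and one svchost.exe thread into the browser, while the service host started by services.exe produces nothing.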
Panda Banker checks the victim's environment to evade sandbox and manual analysis (Table 1). It looks for packet capture programs, debuggers, disassemblers, and other useful tools for malware analysis. If it discovers these tools in the environment it will exit and delete the payload file: