
Panda Banker

Posted: April 22, 2016

Threat Metric

Threat Level: 8/10
Infected PCs: 42
First Seen: April 22, 2016
Last Seen: June 21, 2022
OS(es) Affected: Windows

The Panda Banker is a banking Trojan that may compromise your Web-browsing activities for such purposes as initiating fraudulent cash transactions and collecting login data. The Panda Banker campaign has targeted employees across various industries, ranging from financial institutions to manufacturing companies, and uses traditional infection vectors: e-mail attachments and exploit kits. Always use your installed anti-malware products for deleting the Panda Banker, which utilizes components mimicking essential Windows files and modifies other parts of Windows arbitrarily.

The Panda Banker: the Misappropriation Spree that's in No Danger of Going Extinct

The success of the Keylogger Zeus, along with the relative availability of its code, is responsible for the proliferation of 'spinoff' Trojans accomplishing similar attacks with minor, personal tweaks. The Panda Banker is only the latest copy of this threat, utilizing internal structures very similar to its predecessor. Although the Panda Banker targets employees at various business entities in the UK and Australia, its payload collects information from their in-use bank accounts, rather than targeting internal company data.

Malware researchers verified the Panda Banker's use of traditional infection methods: e-mail-distributed documents carrying corrupted macros, as well as several exploit kits, including the Angler Exploit Kit, the Neutrino Exploit Kit and the Nuclear Exploit Kit. Where a document's misleading text fails to persuade the victim to enable the macro-based install mechanism, the campaign also uses other vulnerabilities, such as the flaw commonly referred to as the 'MSCOMCTL.OCX RCE Vulnerability.'

A complete installation places the Panda Banker in a position to spawn multiple SVCHOST processes, along with an accompanying mutex, new files and new Registry entries. While the Panda Banker does transfer some system information to its administrators, including data about any installed security services, its primary payload is injecting malicious HTML content into banking Web pages. This web-injection attack, described as a 'Man in the Middle' or MitM style attack and made infamous by Keylogger Zeus, lets the Panda Banker collect bank login information while the websites are in use.

Snatching Your Bank Accounts Back from the Jaws of a Burgeoning Predator

Although the Panda Banker's authors have taken precautions to limit their attacks to specific regions, including only targeting bank domains popular in certain countries, the same methodology as the Panda Banker's payload is in use by spyware throughout the world. As usual, there are no distinct symptoms of the Panda Banker's data-harvesting attacks beyond trivial changes to system resources. Unless you've taken steps to hamper its execution, such as booting from a removable drive, always assume that the Panda Banker is operating in memory on an infected PC.

The Panda Banker does collect general system information, which it transfers to its Command & Control servers as part of its overall bot-management routine. However, the primary danger from the Panda Banker always lies in its ability to give third parties access to your bank accounts, potentially enabling fraudulent money transfers. Businesses that observe any bank transactions symptomatic of the Panda Banker or other banking Trojans should use anti-malware products to verify that all computers used for online banking are uninfected.

Malware experts also took note of internal communications between the Panda Banker infections and the Russian search site, Yandex. However, there is no evidence clearly linking the website's team to the Panda Banker campaign, and, so far, any communications may have been intended for testing purposes only.

Technical Details

File System Modifications

Tutorials: If you wish to learn how to remove malware components manually, you can read the tutorials on how to find malware, kill unwanted processes, remove malicious DLLs and delete other harmful files. Always be sure to back up your PC before making any changes.

The following files were created in the system:

File name: file.exe
Size: 174.59 KB (174592 bytes)
MD5: e9dd9705409df3739183fb16583686dd
Detection count: 82
File type: Executable File
Mime Type: unknown/exe
Group: Malware file
Last Updated: April 25, 2016

File name: file.exe
Size: 440.32 KB (440320 bytes)
MD5: e687ecc01fac6fa9453866a642f0c37c
Detection count: 81
File type: Executable File
Mime Type: unknown/exe
Group: Malware file
Last Updated: January 25, 2017

File name: file.exe
Size: 229.37 KB (229376 bytes)
MD5: 55a257be7c206c31e8f0988f00af67b4
Detection count: 54
File type: Executable File
Mime Type: unknown/exe
Group: Malware file

File name: file.exe
Size: 183.46 KB (183467 bytes)
MD5: c4b31419e90c4e83d265096304408d41
Detection count: 9
File type: Executable File
Mime Type: unknown/exe
Group: Malware file
Last Updated: May 8, 2022

File name: file.exe
Size: 290.3 KB (290304 bytes)
MD5: 95701662ca48338cb7ac24293d312bc4
Detection count: 3
File type: Executable File
Mime Type: unknown/exe
Group: Malware file
Last Updated: April 10, 2018

Registry Modifications

The following newly produced Registry Values are:

Regexp file mask: %APPDATA%\allegro.dll
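As an added illustration that is not part of the original page, the following Python checks a directory tree against the five file hashes and sizes listed under File System Modifications and against the %APPDATA%\allegro.dll drop path from the Registry section. The function names and the size-before-hash filtering are my own choices; the hashes and sizes are the page's values.

```python
import hashlib
import os
from typing import Dict, List, Tuple

# MD5 -> size in bytes, copied from the file list on this page.
PANDA_BANKER_FILES: Dict[str, int] = {
    "e9dd9705409df3739183fb16583686dd": 174592,
    "e687ecc01fac6fa9453866a642f0c37c": 440320,
    "55a257be7c206c31e8f0988f00af67b4": 229376,
    "c4b31419e90c4e83d265096304408d41": 183467,
    "95701662ca48338cb7ac24293d312bc4": 290304,
}

# Drop path from the "Regexp file mask" entry above, relative to %APPDATA%.
PANDA_BANKER_DROP_RELPATH = "allegro.dll"


def md5_of_file(path: str, chunk: int = 1 << 16) -> str:
    """Stream the file through MD5 so large files are never read into memory at once."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def scan_for_panda_banker(root: str, appdata: str,
                          iocs: Dict[str, int] = PANDA_BANKER_FILES) -> List[Tuple[str, str]]:
    """Return (path, reason) pairs for files matching the page's indicators.

    The file size is compared first and only size matches are hashed, so a walk over a
    large tree stays cheap; a hash hit is confirmed only when its recorded size also matches.
    `appdata` is passed in explicitly (hypothetical parameter) rather than read from the
    environment so the check can be run against an offline or mounted image.
    """
    sizes = set(iocs.values())
    hits: List[Tuple[str, str]] = []
    drop = os.path.join(appdata, PANDA_BANKER_DROP_RELPATH)
    if os.path.isfile(drop):
        hits.append((drop, "drop path %APPDATA%\\allegro.dll present"))
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                size = os.path.getsize(path)
            except OSError:
                continue  # unreadable or vanished file: skip it, do not abort the scan
            if size not in sizes:
                continue
            digest = md5_of_file(path)
            if iocs.get(digest) == size:
                hits.append((path, "MD5 " + digest))
    return hits
```

Because the hashes are per-sample, a clean result only rules out these five builds; a size-only match (a file that is hashed but not reported) is expected and is not a finding.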