If you have received an invoice in your mail, take extra care.
We are issuing this warning because in The Netherlands we have spotted a massive spam campaign that uses the Panda Banking Trojan to steal financial information.
The spam campaign appears to use LinkedIn records as input for its target list. If this is truly the case, we can be certain that we will see similar spam attacks in the future that reuse the same target list.
We have noticed that new email addresses were used in this campaign, and we currently do not know how the attackers retrieved these email addresses or how they were able to connect them to the relevant LinkedIn accounts.
Panda Banking Trojan
Banking Trojans are trojans that allow the threat actors to take full control of the infected device. Once the Panda Banking Trojan is installed on the target device, that device will start performing unwanted actions such as:
- Collecting documents
- Collecting credentials
- Scanning the network to see if further access is possible
- Sending out spam mail
That is not all: the researchers from Proofpoint took a deep dive into the architecture of the Panda Banking Trojan and found that it is capable of sending out the following infection "health" statistics:
- System uptime
- The process in which the malware is running
- The current user name
- A unique id for the infection
- The botnet name
- The botnet version (currently 2.1.3)
- OS version information
- Local time
- Computer name
- The name of antivirus software installed
- Installed anti-spyware
- The installed firewall
Antivirus vendors identify the Panda Banking Trojan under the following detection names:
- AegisLab Troj.Ad.Inject.Y!c
- AhnLab-V3 Trojan/Win32.MDA
- ALYac Spyware.Banker.panda
- Arcabit Trojan.Generic.DFA3404
- AVG Zbot.ANCF
- Avira (no cloud) TR/AD.Inject.Y.wsvj
- Bkav W32.Clod6aa.Trojan.6390
- Cyren W32/Trojan.HXXB-5627
- DrWeb Trojan.MulDrop6.37657
- ESET-NOD32 Win32/Spy.Zbot.ACM
- Fortinet W32/Zbot.ACM!tr.spy
- Ikarus Trojan-Spy.Agent
- Jiangmin Trojan.Banker.Banker2.q
- K7AntiVirus Spyware ( 004dcbc41 )
- K7GW Spyware ( 004dcbc41 )
- Kaspersky Trojan-Banker.Win32.Banker2.crn
- Malwarebytes Trojan.Zbot
- McAfee PWS-FCFZ!A181627930C7
- McAfee-GW-Edition PWS-FCFZ!A181627930C7
- Microsoft Trojan:Win32/Dynamer!ac
- NANO-Antivirus Trojan.Win32.MulDrop6.ebsjee
- nProtect Trojan.Generic.16397316
- Panda Trj/Banker.KHW
- Qihoo-360 HEUR/QVM09.0.Malware.Gen
- Rising Spyware.Zbot!8.16B-CIUWKoUDWaL (Cloud)
- Symantec Trojan.Exedapan
- Tencent Win32.Trojan.Bp-generic.Wpav
- TrendMicro TSPY_ZBOT.YUYAPP
- TrendMicro-HouseCall TSPY_ZBOT.YUYAPP
- ViRobot Trojan.Win32.Inject.286720[h]
- Yandex TrojanSpy.Zbot!vRd6kDkf7lA
- Zillya Trojan.Zbot.Win32.195282
Extra Panda Banker samples:
The spam campaign
The spam campaign uses a document to lure unaware users into downloading the malicious file. The target receives an email that claims to be an invoice.
The email contains a .doc attachment, which in turn contains a macro script that downloads the Panda Banking Trojan to the computer.
From what we were able to see, the spam campaign in The Netherlands used the following domains to operate:
The ledpronto.com site hosted the Panda Banking Trojan in the following file:
Example IP addresses used to send the spam (mainly Russian IP addresses):
We also noticed that the Panda Banking Trojan spam campaign is using the following email hostname:
The chance is very high that legitimate but hacked t-online.de email accounts are used to send the spam. We do not know how the attackers came into possession of these accounts.
What do you need to do
The chance is very high that you will also be targeted, so here are some tips and tricks that will allow you to stay safe against this type of attack.
Do not simply execute MACROs
MACRO scripts are pieces of code that can be embedded in Office documents such as Excel and Word files. Once enabled in the Excel or Word environment, these scripts perform tasks in the background.
Cybercriminals and hackers use the MACRO technique to download malicious files in the background; they use this technique because it allows them to stay under the radar of antivirus products.
So if you have to enable MACROs to view or read a file, there is a chance that something will run in the background. Keep that in mind when you receive a document that requires MACRO execution.
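The lure described in the campaign section (an invoice email carrying a .doc attachment with an embedded macro) can be triaged before a user ever has to decide whether to enable macros. The script below is an added example and is not code from Redsocks or Proofpoint; it assumes a constructed sample message whose attachment bytes merely mimic the UTF-16LE stream names a real OLE document would contain, and it goes slightly beyond the page by also handling OOXML (.docm) containers, which this campaign did not use.

```python
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage

# Compound File Binary (OLE) signature that legacy .doc/.xls files start with.
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
# OLE directory entry names are stored as UTF-16LE. A document carrying VBA code
# exposes a "Macros" storage and a "_VBA_PROJECT" stream, so searching the raw
# bytes for those encoded names is a cheap first-pass heuristic (not a full parser).
VBA_MARKERS = ("_VBA_PROJECT".encode("utf-16-le"), "Macros".encode("utf-16-le"))

def has_vba_project(data: bytes) -> bool:
    """Return True if the bytes look like an Office file that carries a VBA project."""
    if data.startswith(OLE_MAGIC):
        return any(marker in data for marker in VBA_MARKERS)
    if data.startswith(b"PK\x03\x04"):  # OOXML (.docm/.xlsm) is a zip container
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                return any(n.lower().endswith("vbaproject.bin") for n in zf.namelist())
        except zipfile.BadZipFile:
            return False
    return False

def triage_message(raw: bytes) -> list:
    """Parse a raw RFC 822 message and flag every attachment that carries macros."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        payload = part.get_payload(decode=True) or b""
        findings.append({"filename": part.get_filename() or "<unnamed>",
                         "size": len(payload),
                         "has_macros": has_vba_project(payload)})
    return findings

# Constructed sample data: NOT real documents, only byte strings that mimic the
# markers a .doc with and without a VBA project would contain.
MACRO_DOC = (OLE_MAGIC + b"\x00" * 504 + "Macros".encode("utf-16-le")
             + b"\x00" * 52 + "_VBA_PROJECT".encode("utf-16-le"))
CLEAN_DOC = OLE_MAGIC + b"\x00" * 504 + "WordDocument".encode("utf-16-le")

def build_sample_eml() -> bytes:
    """Build a constructed 'invoice' lure message with one macro and one clean attachment."""
    msg = EmailMessage()
    msg["From"] = "billing@example.invalid"   # placeholder sender, not from the campaign
    msg["To"] = "recipient@example.invalid"
    msg["Subject"] = "Invoice"
    msg.set_content("Please find your invoice attached.")
    msg.add_attachment(MACRO_DOC, maintype="application", subtype="msword", filename="invoice.doc")
    msg.add_attachment(CLEAN_DOC, maintype="application", subtype="msword", filename="terms.doc")
    return msg.as_bytes()
```

Running `triage_message(build_sample_eml())` flags invoice.doc and leaves terms.doc unflagged; a mail gateway would quarantine or strip the flagged attachment instead of relying on the recipient to refuse the macro prompt.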
If you have downloaded and executed the malicious file, make sure to contact your IT administrator or IT security administrator. If it is your private device that has been infected, we strongly recommend that you disconnect the device from the internet and call a friend who is capable of running an antivirus program (and additional cleanup tools) on your device.
The Redsocks MTD is capable of identifying the Panda Banking Trojan, which is used in the massive spam campaign.