
WARNING: Massive Panda banking trojan spam campaign is currently active

If you have received an invoice in your mail, take extra care.

The reason we warn you is the fact that in The Netherlands, we have spotted a massive spam campaign, that is using the Panda Banking Trojan to steal financial information.

The spam campaign seems to use LinkedIn records as input for the target list. If this is truly the case, we can be certain that we will see similar spam attacks in the future that reuse the same target list.

We have noticed that new email addresses have been used in this campaign, and we are currently not aware how the attackers retrieved these email addresses and/or were able to connect these to the relevant LinkedIn accounts.


Panda Banking Trojan

Banking trojans give threat actors full control of the infected device. Once the Panda Banking Trojan is installed, the target device will start performing unwanted actions such as:

  • Collecting documents
  • Collecting credentials
  • Scanning the network to see if further access is possible
  • Sending out spam mail

That is not all: the researchers from Proofpoint[1] took a deep dive into the architecture of the Panda Banking Trojan and found that it is capable of sending out the following infection “health” statistics:

  • System uptime
  • The process in which the malware is running
  • The current user name
  • A unique id for the infection
  • The botnet name
  • The botnet version (currently 2.1.3)
  • OS version information
  • Latency
  • Local time
  • Computer name
  • The name of antivirus software installed
  • Installed anti-spyware
  • The installed firewall

The Panda Banking Trojan is detected under the following names by the antivirus vendors:

  • AegisLab Troj.Ad.Inject.Y!c
  • AhnLab-V3 Trojan/Win32.MDA
  • ALYac Spyware.Banker.panda
  • Arcabit Trojan.Generic.DFA3404
  • AVG Zbot.ANCF
  • Avira (no cloud) TR/AD.Inject.Y.wsvj
  • Bkav W32.Clod6aa.Trojan.6390
  • Cyren W32/Trojan.HXXB-5627
  • DrWeb Trojan.MulDrop6.37657
  • ESET-NOD32 Win32/Spy.Zbot.ACM
  • Fortinet W32/Zbot.ACM!tr.spy
  • Ikarus Trojan-Spy.Agent
  • Jiangmin Trojan.Banker.Banker2.q
  • K7AntiVirus Spyware ( 004dcbc41 )
  • K7GW Spyware ( 004dcbc41 )
  • Kaspersky Trojan-Banker.Win32.Banker2.crn
  • Malwarebytes Trojan.Zbot
  • McAfee PWS-FCFZ!A181627930C7
  • McAfee-GW-Edition PWS-FCFZ!A181627930C7
  • Microsoft Trojan:Win32/Dynamer!ac
  • NANO-Antivirus Trojan.Win32.MulDrop6.ebsjee
  • nProtect Trojan.Generic.16397316
  • Panda Trj/Banker.KHW
  • Qihoo-360 HEUR/QVM09.0.Malware.Gen
  • Rising Spyware.Zbot!8.16B-CIUWKoUDWaL (Cloud)
  • Symantec Trojan.Exedapan
  • Tencent Win32.Trojan.Bp-generic.Wpav
  • TrendMicro TSPY_ZBOT.YUYAPP
  • TrendMicro-HouseCall TSPY_ZBOT.YUYAPP
  • ViRobot Trojan.Win32.Inject.286720[h]
  • Yandex TrojanSpy.Zbot!vRd6kDkf7lA
  • Zillya Trojan.Zbot.Win32.195282

Additional Panda Banker samples (SHA-256 hashes):

  1. 0248fa64be66e6f42fa5f0d9d1ad2acc3aec7cda80af96c549bc01fd694cfac6
  2. 4fb4b8b15c3fa47bb74fd05f46e21a1088da129ff1275ba23ec3796c167458cf
  3. 26aeb612dd53edca3a774e0b30d3897b3642097bb7119e0251f7f5184ea1faa1
  4. d4cc3c5adf91230aceeccd214007601dd19bd06a7df1941af0b67b1075f5c852
  5. 02428ce1cd6762640d83b5817bb774bdaa0d4ae53fb94e6a8021cf098144b573
  6. 024d93c6a6f457c705122131605fd12967bb8d950262578b3bcec68f04269eb7
  7. 02431f25e5b5f2100787c7caad256aa6477ed41095480205fb0c9aa0fabf4c64
  8. b07b2289b312835053209d23e8351d2e26b288b8c2c37371aab3dbad6d0dcc43
  9. 0248ead5ba403dbd01f43e95641f82a5ee21f2361cbc0cb94bf90038802c0e47
  10. 02431281b350ea9e6445176f69c8aae1c7bd9000c6155c9806c5a19394462fa0
  11. 9f4dfebf745b8950a531e08321280ef48b2d79a818f6add50fed0cef8b153f78
  12. 0246ca4889e9684852c213a6edefeb3037ab3ab0691596c37b0888dd112543e5
  13. 0240cade8adfcd8f551acb56a6c4a143377fda7299cdd7b14bcdbb38b011ea15
  14. e2e39996a0c50efb55a21eb4a5e3dedfdd5fe6ab4625564bf8251f42fac679e2
  15. 02440fbe9cb59b2290fa15884b8753463fce80f787326f040a059628bad63bfd
  16. 75da38f017bf1d74db74ab10769016e7a77eee41b902410cdd0f2a65eda6ac3f
  17. 024747078f7e8417795aeb3514850c6fd9116406b775344f60292f9870f7b52e
  18. 02427998e9f58975bba8715101fbe0e030e0131266681bb4efe12f67b578d7bf
  19. 058e997ee4b58002df18900abd92e94ca7e94ab290a4996fad239169abc3ec96
  20. 0246360bb36a23740e767149387e0350ddad3ac3c6bad511c37388a1195594a0
  21. 6d443d71e520302603f01c59326167827c2879069e4d6dbfbd3cf3a2323ce538
  22. 0242867583bd94098932ef05c8b72a8890d82427bb36b0609e8faf8100272803
  23. 087e5e91542212f169210bba15ab6f1fc9b0a8596f43f78a4ec249f6e8c9542f
  24. 39d743ef92586fb0dc8fc41c9d512039a63a139fa6de14a3e3c088ab57f4817a
  25. 9a62a5b3c4e74b749f31b2759920f58cfa53814fe7ce25d84d9b7716f82da4d8

The spam campaign

The spam campaign uses a document to lure unsuspecting users into downloading the malicious file. The target receives an email that claims to be an invoice.


The email carries a .doc attachment that contains a macro script which downloads the Panda Banking Trojan onto the computer.


From what we were able to see, the spam campaign in The Netherlands used the following domains to operate:

  1. skorianial.com
  2. nalivaidavaika.com
  3. ledpronto.com

The ledpronto.com site hosted the Panda Banking Trojan in the following file:

filename: office.bin
md5: 8582db69683290be0381bd1485013435

  • /app/office.bin

Example IP addresses used to send the spam (mainly Russian IP addresses):

  • 5.139.46.166
  • 5.139.104.185
  • 95.37.27.170
  • 37.23.148.112
  • 31.180.42.174
  • 95.70.99.19
  • 213.177.108.176
  • 31.23.136.166

We also noticed that the Panda Banking Trojan spam campaign is sending from the following email domain:

  • @t-online.de

It is very likely that legitimate but compromised t-online.de email accounts are being used to send the spam. We do not know how the attackers gained possession of these accounts.
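For defenders who want to sweep their own environment for this campaign, the following added example (not part of the Redsocks advisory) loads the indicators published above (the sample SHA-256 hashes, the office.bin MD5, the three distribution domains, the sending IP addresses and the t-online.de sender domain) and matches them against file digests and mail/proxy log lines. The log lines and the file bytes are constructed for the demonstration; the t-online.de match is reported for review only, since the advisory states these are hijacked legitimate accounts.

```python
"""Match the advisory's indicators against file digests and log lines.
Indicator values are copied from the advisory; sample logs are constructed."""
import hashlib
import re

SAMPLE_SHA256 = {
    "0248fa64be66e6f42fa5f0d9d1ad2acc3aec7cda80af96c549bc01fd694cfac6",
    "4fb4b8b15c3fa47bb74fd05f46e21a1088da129ff1275ba23ec3796c167458cf",
    "26aeb612dd53edca3a774e0b30d3897b3642097bb7119e0251f7f5184ea1faa1",
    "d4cc3c5adf91230aceeccd214007601dd19bd06a7df1941af0b67b1075f5c852",
    "02428ce1cd6762640d83b5817bb774bdaa0d4ae53fb94e6a8021cf098144b573",
    "024d93c6a6f457c705122131605fd12967bb8d950262578b3bcec68f04269eb7",
    "02431f25e5b5f2100787c7caad256aa6477ed41095480205fb0c9aa0fabf4c64",
    "b07b2289b312835053209d23e8351d2e26b288b8c2c37371aab3dbad6d0dcc43",
    "0248ead5ba403dbd01f43e95641f82a5ee21f2361cbc0cb94bf90038802c0e47",
    "02431281b350ea9e6445176f69c8aae1c7bd9000c6155c9806c5a19394462fa0",
    "9f4dfebf745b8950a531e08321280ef48b2d79a818f6add50fed0cef8b153f78",
    "0246ca4889e9684852c213a6edefeb3037ab3ab0691596c37b0888dd112543e5",
    "0240cade8adfcd8f551acb56a6c4a143377fda7299cdd7b14bcdbb38b011ea15",
    "e2e39996a0c50efb55a21eb4a5e3dedfdd5fe6ab4625564bf8251f42fac679e2",
    "02440fbe9cb59b2290fa15884b8753463fce80f787326f040a059628bad63bfd",
    "75da38f017bf1d74db74ab10769016e7a77eee41b902410cdd0f2a65eda6ac3f",
    "024747078f7e8417795aeb3514850c6fd9116406b775344f60292f9870f7b52e",
    "02427998e9f58975bba8715101fbe0e030e0131266681bb4efe12f67b578d7bf",
    "058e997ee4b58002df18900abd92e94ca7e94ab290a4996fad239169abc3ec96",
    "0246360bb36a23740e767149387e0350ddad3ac3c6bad511c37388a1195594a0",
    "6d443d71e520302603f01c59326167827c2879069e4d6dbfbd3cf3a2323ce538",
    "0242867583bd94098932ef05c8b72a8890d82427bb36b0609e8faf8100272803",
    "087e5e91542212f169210bba15ab6f1fc9b0a8596f43f78a4ec249f6e8c9542f",
    "39d743ef92586fb0dc8fc41c9d512039a63a139fa6de14a3e3c088ab57f4817a",
    "9a62a5b3c4e74b749f31b2759920f58cfa53814fe7ce25d84d9b7716f82da4d8",
}
PAYLOAD_MD5 = {"8582db69683290be0381bd1485013435"}  # /app/office.bin on ledpronto.com
C2_DOMAINS = {"skorianial.com", "nalivaidavaika.com", "ledpronto.com"}
SENDER_IPS = {"5.139.46.166", "5.139.104.185", "95.37.27.170", "37.23.148.112",
              "31.180.42.174", "95.70.99.19", "213.177.108.176", "31.23.136.166"}
SENDER_MAIL_DOMAIN = "t-online.de"  # legitimate provider: flag for review, do not block

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
HOST_RE = re.compile(r"\b[a-z0-9](?:[a-z0-9-]*[a-z0-9])?(?:\.[a-z0-9](?:[a-z0-9-]*[a-z0-9])?)+\b", re.I)
MAIL_FROM_RE = re.compile(r"from=<[^<>@]+@([^<>]+)>", re.I)  # postfix-style envelope sender


def digests(data: bytes) -> tuple:
    """MD5 and SHA-256 hex digests of an attachment or downloaded file."""
    return hashlib.md5(data).hexdigest(), hashlib.sha256(data).hexdigest()


def check_digests(md5_hex: str, sha256_hex: str) -> list:
    """Return the indicator hits for a pair of digests (e.g. from a quarantine report)."""
    hits = []
    if md5_hex.lower() in PAYLOAD_MD5:
        hits.append("md5:" + md5_hex.lower())
    if sha256_hex.lower() in SAMPLE_SHA256:
        hits.append("sha256:" + sha256_hex.lower())
    return hits


def _domain_hit(host: str) -> bool:
    """Exact or subdomain match only, so 'notledpronto.com' does not match."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in C2_DOMAINS)


def scan_log_line(line: str) -> dict:
    """Extract IPs, hostnames and the envelope sender from one log line and match them."""
    ips = sorted(ip for ip in IPV4_RE.findall(line) if ip in SENDER_IPS)
    hosts = sorted({h.lower() for h in HOST_RE.findall(line) if _domain_hit(h)})
    m = MAIL_FROM_RE.search(line)
    review = bool(m and m.group(1).lower() == SENDER_MAIL_DOMAIN)
    return {"sender_ips": ips, "c2_domains": hosts, "sender_domain_review": review}


def scan_logs(lines: list) -> list:
    """Return (line, result) pairs for every line with at least one indicator hit."""
    findings = []
    for line in lines:
        result = scan_log_line(line)
        if result["sender_ips"] or result["c2_domains"] or result["sender_domain_review"]:
            findings.append((line, result))
    return findings


# Constructed sample log lines (postfix mail log and squid proxy log format)
CONSTRUCTED_LOGS = [
    "Jun 14 09:12:01 mx postfix/smtpd[2211]: connect from unknown[5.139.46.166]",
    "Jun 14 09:12:02 mx postfix/qmgr[2300]: 7A1F2: from=<account@t-online.de>, size=48211",
    "Jun 14 09:15:40 proxy squid[1]: ws-17 GET http://ledpronto.com/app/office.bin 200",
    "Jun 14 09:16:02 proxy squid[1]: ws-17 GET http://www.example.com/index.html 200",
]

if __name__ == "__main__":
    for line, result in scan_logs(CONSTRUCTED_LOGS):
        print(result, "<-", line)
    print(check_digests(*digests(b"constructed benign bytes")))
```

The hash check takes digests rather than file bytes so it can be fed from an EDR or mail-gateway quarantine report; in a real sweep, hash the attachments with `digests()` and pass the result to `check_digests()`.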

What you need to do

It is very likely that you will also be targeted, so here are some tips that will help you stay safe against this type of attack.

Do not simply enable macros

Macro scripts are pieces of code that can be embedded in Office documents such as Excel and Word files; once enabled in the Excel or Word environment, they perform tasks in the background.

Cybercriminals and hackers use macros to download malicious files in the background, because this technique allows them to stay under the radar of antivirus products.

So if you have to enable macros to view or read a file, there is a chance that something will run in the background. Keep that in mind when you receive a document that requires macro execution.
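The advice above can also be enforced before the document reaches the user. The following added example (not part of the Redsocks advisory) is a mail-gateway triage check that flags attachments carrying a VBA project, so they can be held for review instead of landing in the inbox. It relies on two documented facts about Office files: legacy .doc/.xls files are OLE compound files (magic bytes D0 CF 11 E0 A1 B1 1A E1) whose directory entry names are stored as UTF-16LE, and a VBA project always contains a stream named _VBA_PROJECT; newer .docm/.xlsm files are ZIP containers holding a vbaProject.bin part. The sample documents are constructed in memory; the check is a heuristic for triage and a full parser (for example oletools) should confirm any hit.

```python
"""Flag mail attachments that carry a VBA project (added example, heuristic triage)."""
import io
import zipfile
from typing import Optional

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # OLE compound file header
# Directory entry names in OLE files are UTF-16LE; every VBA project has a _VBA_PROJECT stream.
OLE_VBA_MARKER = "_VBA_PROJECT".encode("utf-16-le")
ZIP_MAGIC = b"PK\x03\x04"


def attachment_has_vba(data: bytes) -> Optional[str]:
    """Return a reason string if the attachment appears to carry VBA code, else None."""
    if data.startswith(OLE_MAGIC):
        # Legacy .doc/.xls: look for the VBA stream name in the raw directory sectors
        return "ole:_VBA_PROJECT" if OLE_VBA_MARKER in data else None
    if data.startswith(ZIP_MAGIC):
        # OOXML (.docm/.xlsm/.pptm): the macro project is a separate ZIP part
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as z:
                for name in z.namelist():
                    if name.lower().endswith("vbaproject.bin"):
                        return "ooxml:" + name
        except zipfile.BadZipFile:
            return None
    return None


def triage(attachments: dict) -> dict:
    """Map attachment name -> reason for every attachment that should be held for review."""
    held = {}
    for name, data in attachments.items():
        reason = attachment_has_vba(data)
        if reason:
            held[name] = reason
    return held


def _ooxml(parts: dict) -> bytes:
    """Build a minimal OOXML-style ZIP container in memory (constructed sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, body in parts.items():
            z.writestr(name, body)
    return buf.getvalue()


def constructed_samples() -> dict:
    """Constructed stand-ins for attachments: two with a VBA project, two without."""
    header = OLE_MAGIC + b"\x00" * 504  # 512-byte OLE header, contents irrelevant here
    return {
        "invoice.doc": header + "Root Entry".encode("utf-16-le") + b"\x00" * 32
                       + OLE_VBA_MARKER + b"\x00" * 64,
        "clean.doc": header + "WordDocument".encode("utf-16-le") + b"\x00" * 64,
        "invoice.docm": _ooxml({"[Content_Types].xml": "<Types/>",
                                "word/document.xml": "<w:document/>",
                                "word/vbaProject.bin": b"\x00" * 16}),
        "clean.docx": _ooxml({"[Content_Types].xml": "<Types/>",
                              "word/document.xml": "<w:document/>"}),
    }


if __name__ == "__main__":
    for name, reason in triage(constructed_samples()).items():
        print(f"hold for review: {name} ({reason})")
```

Holding rather than silently dropping matters here: the campaign poses as an invoice, so a flagged attachment that turns out to be a legitimate macro-enabled spreadsheet can still be released after a human has looked at it.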

Already executed

If you have downloaded and executed the malicious file, make sure to contact your IT administrator or IT security administrator. If it is your private device that has been infected, we strongly recommend disconnecting it from the internet and calling a friend who is capable of running an antivirus program (and additional cleanup tools) on your device.

REDSOCKS

The Redsocks MTD is capable of identifying the Panda Banking Trojan used in this massive spam campaign.

References

[1] https://www.proofpoint.com/us/threat-insight/post/panda-banker-new-banking-trojan-hits-the-market
