In 2017, PhishMe® analyzed over 40 Italian-language phishing campaigns that targeted victims with Zeus Panda. This popular multipurpose banking trojan is primarily designed to steal banking and other credentials, but is capable of much more as it provides attackers with a great deal of flexibility. Although some variation was observed, many of these campaigns demonstrated a large degree of shared tactics, techniques and procedures (TTPs). Given the prolific nature of these campaigns, it is likely that Italian-language phish will continue to deliver Zeus Panda in 2018. Organizations should be alert to the indicators of compromise and phishing TTPs to prevent infection.
Most Common Attributes
Phishing campaigns delivering Zeus Panda almost always related to transactional issues requiring immediate attention, such as overdue utility bills or invoices. Other examples related to an order shipment. The malware was predominately delivered via attached or linked Microsoft Office documents, most commonly .doc or .xls files, as seen in Figure 1. The files all carried embedded malicious macros designed to deploy Zeus Panda. The OfficeMacro documents deployed the malware either via download or extraction from within the Office document itself.
Figure 1 — Italian-language phishing email informing targets of an attached invoice; Threat ID 10089
Once Zeus Panda is successfully deployed on an endpoint, the malware application performs extensive checks to determine if it is running in a virtualized or sandbox environment before contacting command andcontrol hosts. Once it determines that it is not in an analysis environment, Zeus Panda contacts its command and control resources to receive updated instructions and configuration data to log new infections. These resources also provide configuration data to guide the malware in stealing credentials for financial and other accounts. The credentials are primarily stolen via web injects that are customized for customers of each financial institution listed in the configuration document.
PhishMe’s 21 August blog post explored the reach of Zeus Panda’s modular functions, demonstrating the broad array of capabilities embodied by the malware. The malware’s modules provide insight into its capabilities, many of which serve to steal a user’s data or passwords for reuse. Additional modules commonly found in Zeus Panda samples deployed via Italian-language phishing emails include keylogger and SOCKS proxy capabilities, which provide enhanced insight into victim activity and credential information. As seen in figure 2, the Zeus command and control infrastructure is extensive. These modules also provide the ability to abuse the infected machine as a network proxy or traffic relay. Furthermore, a series of identified VNC modules would give the malware operators the capacity to execute full remote control of infected hosts.
Figure 2 — Zeus Panda’s Command and Control locations used in Threat ID 10351
What Changed During 2017?
Throughout 2017, PhishMe observed some distinctions in Zeus Panda campaigns delivered via Italian phishing emails. This difference may have been due to strategic shifts in threat actors’ use of delivery techniques in an attempt to outwit network defenses. The differences included the appearance of phishing emails (an example can be seen in figure 3), delivery mechanisms and abused Office documents, and other slight technical modifications.
Figure 3 — A more sophisticated phishing email used to distribute the Zeus Panda malware, Threat ID 10183
While the majority of emails included a MS Office Document (or .zip file that included MS Office documents) containing malicious macros that retrieved and downloaded Zeus Panda, some campaigns included other malware varieties. Two campaigns – one in February and the other in April – relied on a JSDropper to install Zeus Panda.1 Two campaigns during the summer featured an additional payload, Pushdo, which makes contact with several hosts via HTTP POST in an attempt to obfuscate its command and control communication by hiding it amongst the noise. While many hosts are not related to the malware’s operation and will not respond with instructions, some will provide the Pushdo malware with instructions for further requests.2 Most recently, threat actors inserted Smoke Load as the secondary payload that establishes communications with command and control to obtain instructions and download executables of Zeus Panda.3
Introducing yet another clever technique, five samples of Zeus Panda identified in August used a .bit domain as a command and control host. The .bit top level domain infrastructure was created as an alternate DNS system leveraging the Namecoin blockchain to act as an alternative decentralized domain name system, providing a method for threat actors to anonymize their DNS and prevent the removal of their DNS infrastructure.4
Stai All’erta nel 2018!
Stay Alert in 2018! PhishMe assesses with high confidence that Zeus Panda campaigns targeting Italian banking customers will continue throughout 2018 given the consistent targeting throughout and into the end of 2017.
The threat actors delivering Zeus Panda have not always demonstrated the most sophistication. At times the analyzed samples did not successfully communicate with command and control hosts, or files were left in obvious locations. However, the malware’s broad range of capabilities and targeting of sensitive financial information warrants caution and proactive network defense by Italian financial institutions and their customers. The most important defense measure is to educate your users. They are one of the most valuable security assets, and can help to identify and report suspicious emails.
Don’t miss another cyber threat – sign up for PhishMe® Threat Alerts today and receive updates on fresh and emerging phishing and malware threats, completely free.
1 For more details, see Threat ID 8274 and Threat ID 8317.
2 For more details, see Threat ID 9297 and Threat ID 9478.
3 For more details, see Threat ID 10040 and Threat ID 10426
4 For more details, see Threat ID 9630, Threat ID 9649, Threat ID 9702, Threat ID 9718, and Threat ID 9773.