Cofense Intelligence™ recently observed a sample of Zeus Panda which, upon further research, revealed the malware has been increasingly employing a very creative tactic. This crafty malware variant distracts its victims while quietly draining the victims’ bank accounts, even those accounts that employ additional security mechanisms such as Multi-Factor Authentication. After transferring funds, the malware then masks any evidence that the illicit transactions ever occurred. This tactic ensures that victims with the deepest pockets will remain in the dark as their bank accounts are silently liquidated.
Zeus Panda is the advanced banking trojan known for its extensive targeting of Italian users. Once a victim is infected with Zeus Panda, “webinjects” (which are scripts injected into the website) will be loaded when the victim visits and successfully logs into their online bank accounts, even if the account has enabled 2FA/One Time Passwords. (See Figures 1 and 2.)
Figure 1: Most webinject script elements are essentially links placed at the bottom of a web page and given an ID of “src__001” or “src__000”
Figure 2: In other cases, webinject script elements are placed in the body of the HTML, usually next to key words/sections so that they are loaded when the page is opened
These links download additional information from the remote server, which is used to exfiltrate credentials entered on the webpage as well as to perform other actions.
Figure 3: Instructions downloaded by the “link” webinject script element from the remote server
Figure 4: Personal questions that the malware will display to the user downloaded from the remote server
This process of injection begins with Zeus Panda monitoring web browsers for certain websites saved in its configuration file.
Figure 5:- Website targets and injections stored in the configuration file
This configuration file lists the URLs associated with both personal banking accounts and company banking accounts, which usually have separate login portals even if the accounts are with the same bank, as can be seen in the excerpt in Figure 6.
Figure 6: Excerpt of Zeus Panda target listing for the corporate banking site, followed by the home banking site
When the victim visits one of the websites listed in the file, a simple script (Figures 1 and 2) is inserted into the code of the HTML page that the browser then displays to the victim. When the script elements embedded in the HTML are rendered, a script is loaded from a remote server. This script is then used in a similar way to the initial script.
The second script (refer back to Figures 3 and 4) typically contains the functions used to display additional information to the victim, and records and exfiltrates any information entered. The script also looks for commands from the threat actor who can specify certain actions, such as bank account transfers, additional security questions, and management of
the victim’s bank account. These webinjects ultimately prevent victims from discovering the theft until well after the accounts are drained and transactions are sufficiently hidden.
Just Log In, Zeus Panda Can Take It From Here
After logging in, an image intended to distract the victims displayed on the screen, such as a loading image, error message, or password reset – essentially stalling for time as Zeus Panda contacts its command and control (C2) for additional instructions. In some cases, a “service unavailable” message is displayed with a phone number provided for “customer support,” a real phone number known to be used for scams, as displayed in Figure 7.
Figure 7: Popup distraction used to encourage users to call a known malicious phone number
As the victim is distracted, Zeus Panda follows its C2 directive and if it receives none, it proceeds to transfer all funds out of the victim’s account and hide evidence of the transactions. Afterwards, if the victim logs into his or her account from an infected computer, the loss of funds will not be displayed. The web inject code behind this process can be seen in Figure 8 below.
Figure 8: Webinject code used for transaction removal to hide from the user
Zeus Panda is Ready for Accounts with 2FA Protection
If an account does have 2FA protections, Zeus Panda still allows victims to successfully log into their accounts. But a distraction, a fabricated image – a false screen so to speak – is displayed that makes it appear as if the user did not successfully log into his or her online banking account. This “false screen” will present a variety of distracting messages, including “security questions” the user must answer while Zeus Panda transfers money out of the banking account.
When Zeus Panda identifies that 2FA was used on certain online banking websites, it is scripted to automatically drain those accounts, as opposed to awaiting further C2 instructions, as it would for accounts without 2FA. This is almost certainly due to the additional security of the one-time access provided by 2FA, which prevents the threat actors from gaining future access to these accounts. In contrast, once the credentials of accounts without 2FA are compromised, the threat actors have a higher chance of future access. It may behoove the threat actors not to immediately drain those accounts in order to avoid increased exposure within a short time.
Once accounts with 2FA are accessed by compromised victims, they will also be provided with one of several time-consuming distractions while Zeus Panda is performing its actions. These distractions include: a lengthy PIN number reset process (Figure 9), a claim that the website is under maintenance, 17 different verification questions (Figure 10), or messages that the 2FA codes were not valid. Cofense Intelligence assesses that these accounts are likely seen as belonging to higher-value private or corporate targets, for which more sensitive information is deemed valuable for future targeting. Zeus Panda operators possibly assume higher value account holders will be less suspicious of additional verification questions or supposed security methods.
Figure 9: PIN number reset prompt used as a distraction
Figure 10: Additional questions displayed to victims
Some webinjects, like those targeted in Figure 5, are written to accommodate either corporate or private banking accounts. However, other webinjects, such as those in Figure 11, are specially crafted to target corporate bank accounts that offer 2FA, including One Time Passwords delivered via SMS, authenticator applications, or “chiavetta elettronica personalizzata.” This last category consists of personalized electronic keys distributed by some of the Italian banks referenced in Figures 12 and 13.
Figure 11: Corporate banking websites specifically targeted
Figure 12: 2-Factor Authentication options and instructions on how to use the BancoPosta card reader
Figure 13: Malware provided instructions on how to use a type of chiavetta elettronica personalizzata
Implications of This Malware
This version of Zeus Panda does not include any drastic changes to its core binary. However, the webinjects and targets are evolving constantly in response to both the threat actors’ needs and any changes that a bank makes to its webpage. For example, the current webinject used for Intesa Sanpaolo, a large Italian bank, includes the ability to access accounts with 2FA in a real-time attack, which was not featured in the previous version.
Today, the ability of Zeus Panda to access accounts protected by 2FA and modify its resources is most concerning to the customers of Italian banks. Zeus Panda itself may rarely target banks outside of Italy, but if the source code were to be made available or the TTPs used by its threat actors were to be widely adopted, this would be problematic to online bank accounts everywhere. 2FA provides some protection but as can be seen here, threat actors can still find a way to access those accounts. This emphasizes the need for everybody, especially high-value targets such as employees that can access online corporate bank accounts, to take extreme caution to prevent compromise. It is crucial that these individuals be trained to recognize and report suspicious emails to help prevent attacks such as those outlined in this report.
For a look back and a look ahead at the evolving malware landscape, view the 2018 Cofense™ Malware Review.
All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks.