Panda banking trojan is a variant of the Zeus banking malware that recently started being distributed through the Emotet trojan. Panda was previously used in targeted email phishing campaigns and delivered via exploit kits. Typically, the trojan deploys its payload through macros. Once Panda compromises a victim’s machine, it connects to its C&C server and sends information such as the computer name, latency, local time, OS version, and details of any installed antivirus software and which firewalls are in operation. This information is used to determine whether the trojan is running in a sandbox environment. Following this, Panda makes a copy of itself, which creates two “svchost.exe” processes. It also scans the system for any known browsers in use. If browsers are found, Panda injects a plugin to intercept the victim’s traffic. The malware then waits until the victim visits a targeted website, such as a banking site. Once the victim visits one of the targeted websites, a malicious script is deployed to hijack the victim’s banking credentials and any other personal information. Once collected, this information is sent to the C&C server.
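As an added defender-side example (not Binary Defense’s code, and a general Windows heuristic rather than Panda-specific logic), the check below scans constructed Sysmon-style process-creation records for svchost.exe instances that break the normal pattern, since a legitimate svchost.exe is started by services.exe from System32 or SysWOW64; the parent path update.exe is a made-up placeholder, not a Panda indicator.

```python
"""Flag svchost.exe process-creation events that do not match the normal
Windows pattern (parent services.exe, image under System32/SysWOW64).

Added example for this write-up; not Binary Defense's code. The event
records below are constructed to resemble Sysmon Event ID 1 fields, and
the parent path update.exe is a placeholder, not a real indicator.
"""
import ntpath

# Constructed sample events: one normal svchost.exe start, two started by
# an unexpected parent (the two-process pattern described for Panda), and
# one impostor svchost.exe running from a user-writable directory.
SAMPLE_EVENTS = [
    {"pid": 812, "image": r"C:\Windows\System32\svchost.exe",
     "parent_image": r"C:\Windows\System32\services.exe"},
    {"pid": 4120, "image": r"C:\Windows\System32\svchost.exe",
     "parent_image": r"C:\Users\victim\AppData\Roaming\update.exe"},
    {"pid": 4124, "image": r"C:\Windows\System32\svchost.exe",
     "parent_image": r"C:\Users\victim\AppData\Roaming\update.exe"},
    {"pid": 5000, "image": r"C:\Users\victim\AppData\Local\Temp\svchost.exe",
     "parent_image": r"C:\Windows\explorer.exe"},
]

LEGIT_PARENT = "services.exe"
LEGIT_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}


def suspicious_svchost(events):
    """Return (event, reasons) for every svchost.exe start that breaks the
    expected pattern. Comparisons are case-insensitive because NTFS paths
    are, and ntpath is used so the check runs on any host OS."""
    findings = []
    for ev in events:
        image = ev["image"].lower()
        if ntpath.basename(image) != "svchost.exe":
            continue
        reasons = []
        if ntpath.basename(ev["parent_image"].lower()) != LEGIT_PARENT:
            reasons.append("parent is not services.exe")
        if ntpath.dirname(image) not in LEGIT_DIRS:
            reasons.append("image outside System32/SysWOW64")
        if reasons:
            findings.append((ev, reasons))
    return findings


def parents_spawning_multiple(findings):
    """Parents that started more than one anomalous svchost.exe."""
    counts = {}
    for ev, _ in findings:
        counts[ev["parent_image"]] = counts.get(ev["parent_image"], 0) + 1
    return {parent for parent, n in counts.items() if n >= 2}
```

Feed real Sysmon Event ID 1 data (Image and ParentImage fields) through the same functions to apply the check to live telemetry.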
Written by: Nataliia Zdrok, Threat Intelligence Analyst at Binary Defense

Russia’s invasion of Ukraine increased