Developers of Zeus Panda virus present new distribution strategy

Zeus Panda virus used SEO to attack users

Security researchers warn about new and clever Zeus Panda virus distribution campaign. Developers of the malicious program used Search Engine Optimization (SEO) for poisoning specific financial and banking-related keywords. In order to succeed, crooks compromised business websites first to rank high in Google search results.

Zeus virus is known since 2017. However, for almost a decade new variants of the malicious program are emerging and trying to steal personal information about users. The Zeus Panda, or Panda Banker, virus has been detected in 2016. However, researchers from Cisco’s Talos reported about new distribution campaign at the beginning of November.

According to the report, criminals used a combination of SEO, compromised legit websites and malicious Word macro commands to install data-stealing malware on victim’s computer. Security researchers tell that malware targeted users of  these banks:

  • Nordea Sweden,
  • the State Bank of India,
  • India’s Bank of Barodia and Axis Bank,
  • the Commonwealth Bank of Australia,
  • Saudi Arabia’s Al Rajhi Bank.

Previously, Panda trojan targeted Australian and British banks. However, the interesting fact is, that malware uses geo-filtering. Once it gets inside the device, it checks computer’s language settings. The virus does not launch its activities if the default language is Russian, Ukrainian, Belarusian or Kazakh.

Criminals sophisticated and well-prepared attack

First of all, the attackers compromised legit business websites in order to rank higher in Google search. Then attackers poisoned specific keywords that were supposed to redirect to corrupted sites. According to the research, criminals managed to show their malicious results several times in Google results page when users entered these keywords:

  • “nordea sweden bank account number”
  • “how many digits in karur vysya bank account number”
  • “free online books for bank clerk exam”
  • “al rajhi bank working hours during ramadan”
  • “how to cancel a cheque commonwealth bank”
  • “free online books for bank clerk exam”
  • “salary slip format in excel with formula free download”
  • “bank of baroda account balance check”
  • “axis bank mobile banking download link”
  • “bank guarantee format mt760”
  • “sbi bank recurring deposit form”

The compromised websites included a malicious JavaScript code to initiate redirects until a macro-enabled document is installed on the system. Once opened, the document asks to enable macros to view the content. Indeed, clicking “Enable Content” button leads to the installation of Zeus Panda virus.

Developers of Panda Trojan used traditional malware distribution methods before

Since the appearance of Zeus Panda malware, authors tried several distribution methods until they came up with the idea to rely on SEO. They spread the trojan via malicious spam emails and three exploit kits – Angler, Nuclear and, Neutrino.

However, the malspam campaigns also included Word document that downloaded malware executable on the system. Other campaigns exploited CVE-2014-1761 and CVE-2012-0158 vulnerabilities to attack media and manufacturing corporations.

Posted in