{"id":410,"date":"2017-11-16T15:12:57","date_gmt":"2017-11-16T15:12:57","guid":{"rendered":"http:\/\/esolutions.lt\/blog\/?p=410"},"modified":"2018-07-02T12:00:02","modified_gmt":"2018-07-02T12:00:02","slug":"developers-of-zeus-panda-virus-present-new-distribution-strategy","status":"publish","type":"post","link":"https:\/\/esolutions.lt\/blog\/developers-of-zeus-panda-virus-present-new-distribution-strategy\/","title":{"rendered":"Developers of Zeus Panda virus present new distribution strategy"},"content":{"rendered":"<h2 class=\"p1\"><span class=\"s1\">Zeus Panda virus used SEO to attack users<\/span><\/h2>\n<p class=\"p1\"><span class=\"s1\">Security researchers warn about a new and clever <a href=\"https:\/\/www.2-spyware.com\/remove-zeus-panda-virus.html\" target=\"_blank\" rel=\"noopener\">Zeus Panda virus<\/a> distribution campaign. The developers of the malicious program used Search Engine Optimization (SEO) to poison specific financial and banking-related keywords. To make this work, the crooks first compromised legitimate business websites so that they would rank high in Google search results.<\/span><\/p>\n<p class=\"p1\"><span class=\"s1\"><a href=\"https:\/\/www.2-spyware.com\/remove-zeus-trojan.html\" target=\"_blank\" rel=\"noopener\">Zeus virus<\/a> has been known since 2017. For almost a decade, new variants of the malicious program have kept emerging and trying to steal users\u2019 personal information. The Zeus Panda, or Panda Banker, virus was detected in 2016. However, researchers from Cisco\u2019s Talos reported a new distribution campaign at the beginning of November.<\/span><\/p>\n<p class=\"p1\"><span class=\"s1\">According to the report, the criminals used a combination of SEO, compromised legitimate websites and malicious Word macro commands to install data-stealing malware on the victim\u2019s computer. 
Security researchers say that the malware targeted users of these banks:<\/span><\/p>\n<ul>\n<li class=\"p1\"><span class=\"s1\">Nordea Sweden,<\/span><\/li>\n<li class=\"p1\"><span class=\"s1\">the State Bank of India,<\/span><\/li>\n<li class=\"p1\"><span class=\"s1\">India&#8217;s Bank of Baroda and Axis Bank,<\/span><\/li>\n<li class=\"p1\"><span class=\"s1\">the Commonwealth Bank of Australia,<\/span><\/li>\n<li class=\"p1\"><span class=\"s1\">Saudi Arabia&#8217;s Al Rajhi Bank.<\/span><\/li>\n<\/ul>\n<p class=\"p1\"><span class=\"s1\">Previously, the Panda trojan targeted Australian and British banks. Interestingly, the malware uses geo-filtering: once it gets inside the device, it checks the computer\u2019s language settings and does not launch its activities if the default language is Russian, Ukrainian, Belarusian or Kazakh.<\/span><\/p>\n<h2 class=\"p1\"><span class=\"s1\">Criminals&#8217; sophisticated and well-prepared attack<\/span><\/h2>\n<p class=\"p1\"><span class=\"s1\">First, the attackers compromised legitimate business websites in order to rank higher in Google search. Then they poisoned specific keywords so that the search results would redirect to corrupted sites. 
According to the research, the criminals managed to place their malicious results several times on the Google results page when users entered these keywords:<\/span><\/p>\n<ul>\n<li class=\"p1\"><span class=\"s1\">&#8220;nordea sweden bank account number&#8221;<\/span><\/li>\n<li class=\"p1\"><span class=\"s1\">&#8220;how many digits in karur vysya bank account number&#8221;<\/span><\/li>\n<li class=\"p1\"><span class=\"s1\">&#8220;free online books for bank clerk exam&#8221;<\/span><\/li>\n<li class=\"p1\"><span class=\"s1\">&#8220;al rajhi bank working hours during ramadan&#8221;<\/span><\/li>\n<li class=\"p1\"><span class=\"s1\">&#8220;how to cancel a cheque commonwealth bank&#8221;<\/span><\/li>\n<li class=\"p1\"><span class=\"s1\">&#8220;salary slip format in excel with formula free download&#8221;<\/span><\/li>\n<li class=\"p1\"><span class=\"s1\">&#8220;bank of baroda account balance check&#8221;<\/span><\/li>\n<li class=\"p1\"><span class=\"s1\">&#8220;axis bank mobile banking download link&#8221;<\/span><\/li>\n<li class=\"p1\"><span class=\"s1\">&#8220;bank guarantee format mt760&#8221;<\/span><\/li>\n<li class=\"p1\"><span class=\"s1\">&#8220;sbi bank recurring deposit form&#8221;<\/span><\/li>\n<\/ul>\n<p class=\"p1\"><span class=\"s1\">The compromised websites included malicious JavaScript code that started a chain of redirects ending with a macro-enabled Word document being delivered to the system. Once opened, the document asks the user to enable macros in order to view the content. Clicking the \u201cEnable Content\u201d button runs the macro and leads to the installation of the Zeus Panda virus.<\/span><\/p>\n<h2 class=\"p1\"><span class=\"s1\">Developers of Panda Trojan used traditional malware distribution methods before<\/span><\/h2>\n<p class=\"p1\"><span class=\"s1\">Since the appearance of the Zeus Panda malware, its authors tried several distribution methods before coming up with the idea of relying on SEO. 
They spread the trojan via malicious spam emails and three exploit kits &#8211; Angler, Nuclear and Neutrino.<\/span><\/p>\n<p class=\"p1\"><span class=\"s1\">The malspam campaigns also included a Word document that downloaded the malware executable onto the system. Other campaigns exploited the CVE-2014-1761 and CVE-2012-0158 vulnerabilities to attack media and manufacturing corporations.<\/span><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Zeus Panda virus used SEO to attack users Security researchers [&hellip;]<\/p>\n","protected":false},"author":5,"featured_media":411,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":[],"categories":[2],"tags":[],"_links":{"self":[{"href":"https:\/\/esolutions.lt\/blog\/wp-json\/wp\/v2\/posts\/410"}],"collection":[{"href":"https:\/\/esolutions.lt\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/esolutions.lt\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/esolutions.lt\/blog\/wp-json\/wp\/v2\/users\/5"}],"replies":[{"embeddable":true,"href":"https:\/\/esolutions.lt\/blog\/wp-json\/wp\/v2\/comments?post=410"}],"version-history":[{"count":2,"href":"https:\/\/esolutions.lt\/blog\/wp-json\/wp\/v2\/posts\/410\/revisions"}],"predecessor-version":[{"id":415,"href":"https:\/\/esolutions.lt\/blog\/wp-json\/wp\/v2\/posts\/410\/revisions\/415"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/esolutions.lt\/blog\/wp-json\/wp\/v2\/media\/411"}],"wp:attachment":[{"href":"https:\/\/esolutions.lt\/blog\/wp-json\/wp\/v2\/media?parent=410"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/esolutions.lt\/blog\/wp-json\/wp\/v2\/categories?post=410"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/esolutions.lt\/blog\/wp-json\/wp\/v2\/tags?post=410"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}