PandaBanker (Malware Family)

PandaBanker

aka: ZeusPanda

URLhaus

According to Arbor, Forcepoint and Proofpoint, Panda is a variant of the well-known Zeus banking trojan(*). Fox IT discovered it in February 2016.

This banking trojan uses the infamous ATS (Automatic Transfer System/Scripts) to automate online bank portal actions.

The baseconfig (c2, crypto material, botnet name, version) is embedded in the malware itself. It then obtains a dynamic config from the c2, with further information about how to grab the webinjects and additional modules, such as vnc, backsocks and grabber.

Panda does have some DGA implemented, but according to Arbor, a bug prevents it from using it.

References

https://github.com/JR0driguezB/malware_configs/tree/master/PandaBanker

https://cyber.wtf/2017/02/03/zeus-panda-webinjects-a-case-study/

https://www.proofpoint.com/us/threat-insight/post/zeus-panda-banking-trojan-targets-online-holiday-shoppers

https://www.proofpoint.com/tw/threat-insight/post/panda-banker-new-banking-trojan-hits-the-market

https://f5.com/labs/articles/threat-intelligence/malware/panda-malware-broadens-targets-to-cryptocurrency-exchanges-and-social-media

https://www.arbornetworks.com/blog/asert/panda-bankers-future-dga/

https://www.spamhaus.org/news/article/771/

https://www.vkremez.com/2018/08/lets-learn-dissecting-panda-banker.html

http://blog.talosintelligence.com/2017/11/zeus-panda-campaign.html

https://blogs.forcepoint.com/security-labs/zeus-panda-delivered-sundown-targets-uk-banks

https://www.arbornetworks.com/blog/asert/panda-banker-zeros-in-on-japanese-targets/

https://cyberwtf.files.wordpress.com/2017/07/panda-whitepaper.pdf

https://www.arbornetworks.com/blog/asert/let-pandas-zeus-zeus-zeus-zeus/

http://www.vkremez.com/2018/01/lets-learn-dissect-panda-banking.html

https://cyber.wtf/2017/03/13/zeus-panda-webinjects-dont-trust-your-eyes/

rule win_pandabanker_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2018-11-23"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator 0.1a"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.pandabanker"
        malpedia_version = "20180607"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using yara-signator.
     * The code and documentation / approach will be published in the near future here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    strings:
        $sequence_0 = { 7406 3919 7402 b301 }
            // n = 4, score = 44000
            //   7406                 | je                  0x410216
            //   3919                 | cmp                 dword ptr [ecx], ebx
            //   7402                 | je                  0x410216
            //   b301                 | mov                 bl, 1

        $sequence_1 = { 85d2 750c 8b0e e870000000 }
            // n = 4, score = 44000
            //   85d2                 | test                edx, edx
            //   750c                 | jne                 0x402033
            //   8b0e                 | mov                 ecx, dword ptr [esi]
            //   e870000000           | call                0x40209e

        $sequence_2 = { 5b f3a4 3918 763b }
            // n = 4, score = 44000
            //   5b                   | pop                 ebx
            //   f3a4                 | rep movsb           byte ptr es:[edi], byte ptr [esi]
            //   3918                 | cmp                 dword ptr [eax], ebx
            //   763b                 | jbe                 0x4041e7

        $sequence_3 = { 89542418 59 f3a4 8d4810 }
            // n = 4, score = 44000
            //   89542418             | mov                 dword ptr [esp + 0x18], edx
            //   59                   | pop                 ecx
            //   f3a4                 | rep movsb           byte ptr es:[edi], byte ptr [esi]
            //   8d4810               | lea                 ecx, dword ptr [eax + 0x10]

        $sequence_4 = { 33d2 8b4d00 8a441414 03ca }
            // n = 4, score = 44000
            //   33d2                 | xor                 edx, edx
            //   8b4d00               | mov                 ecx, dword ptr [ebp]
            //   8a441414             | mov                 al, byte ptr [esp + edx + 0x14]
            //   03ca                 | add                 ecx, edx

        $sequence_5 = { 83c41c c20800 56 8b7108 }
            // n = 4, score = 44000
            //   83c41c               | add                 esp, 0x1c
            //   c20800               | ret                 8
            //   56                   | push                esi
            //   8b7108               | mov                 esi, dword ptr [ecx + 8]

        $sequence_6 = { 85db 7404 c6000a 40 }
            // n = 4, score = 44000
            //   85db                 | test                ebx, ebx
            //   7404                 | je                  0x408f0a
            //   c6000a               | mov                 byte ptr [eax], 0xa
            //   40                   | inc                 eax

        $sequence_7 = { 7411 45 83c304 3b6f18 }
            // n = 4, score = 44000
            //   7411                 | je                  0x4098a6
            //   45                   | inc                 ebp
            //   83c304               | add                 ebx, 4
            //   3b6f18               | cmp                 ebp, dword ptr [edi + 0x18]

        $sequence_8 = { 33c0 85db 0f95c0 40 }
            // n = 4, score = 44000
            //   33c0                 | xor                 eax, eax
            //   85db                 | test                ebx, ebx
            //   0f95c0               | setne               al
            //   40                   | inc                 eax

        $sequence_9 = { ffb42484040000 8bd6 8d8c2464020000 ffb42484040000 }
            // n = 4, score = 44000
            //   ffb42484040000       | push                dword ptr [esp + 0x484]
            //   8bd6                 | mov                 edx, esi
            //   8d8c2464020000       | lea                 ecx, dword ptr [esp + 0x264]
            //   ffb42484040000       | push                dword ptr [esp + 0x484]

    condition:
        7 of them
}

PandaBanker Propose Change

References

PandaBanker