win.pandabanker (Back to overview)

PandaBanker

aka: ZeusPanda
URLhaus            

According to Arbor, Forcepoint and Proofpoint, Panda is a variant of the well-known Zeus banking trojan(*). Fox IT discovered it in February 2016.

This banking trojan uses the infamous ATS (Automatic Transfer System/Scripts) to automate online bank portal actions.

The baseconfig (c2, crypto material, botnet name, version) is embedded in the malware itself. It then obtains a dynamic config from the c2, with further information about how to grab the webinjects and additional modules, such as vnc, backsocks and grabber.

Panda does have some DGA implemented, but according to Arbor, a bug prevents it from using it.

References
https://github.com/JR0driguezB/malware_configs/tree/master/PandaBanker
https://cyber.wtf/2017/02/03/zeus-panda-webinjects-a-case-study/
https://www.proofpoint.com/us/threat-insight/post/zeus-panda-banking-trojan-targets-online-holiday-shoppers
https://www.proofpoint.com/tw/threat-insight/post/panda-banker-new-banking-trojan-hits-the-market
https://f5.com/labs/articles/threat-intelligence/malware/panda-malware-broadens-targets-to-cryptocurrency-exchanges-and-social-media
https://www.arbornetworks.com/blog/asert/panda-bankers-future-dga/
https://www.spamhaus.org/news/article/771/
https://www.vkremez.com/2018/08/lets-learn-dissecting-panda-banker.html
http://blog.talosintelligence.com/2017/11/zeus-panda-campaign.html
https://blogs.forcepoint.com/security-labs/zeus-panda-delivered-sundown-targets-uk-banks
https://www.arbornetworks.com/blog/asert/panda-banker-zeros-in-on-japanese-targets/
https://cyberwtf.files.wordpress.com/2017/07/panda-whitepaper.pdf
https://www.arbornetworks.com/blog/asert/let-pandas-zeus-zeus-zeus-zeus/
http://www.vkremez.com/2018/01/lets-learn-dissect-panda-banking.html
https://cyber.wtf/2017/03/13/zeus-panda-webinjects-dont-trust-your-eyes/