Banking

Fortinet researcher Kai Lu warns of a fake email app that is capable of stealing login credentials from 15 different mobile banking apps for German banks.


“Once this malicious app is installed and device administrator rights are granted, when the user first launches a targeted banking app the malicious app sends a request via HTTPS to its C2 server to get the payload. The C2 server then responds with a fake customized login webpage, and the malicious app displays this fake customized login screen overlay on top of the legitimate banking app to collect entered banking credentials,” he explains.

“There is a different customized login screen for each bank targeted by this malware.”

The malware hides the icon from the launcher once the malware is up and running, and victims might be tricked into believing that they have somehow failed to install the app.

But, in the background, the malware tries to prevent some 30 different anti-virus mobile apps from launching, collects information about the device (as well as the “installed app” list) and sends it to the C&C server, and waits for further instructions.

It can be made to intercept incoming SMS messages, send out mass text messages, update the targeted app list, set a new password for the device, and more.

At the moment, it does not pop overlays to steal credit card info (e.g. when the Google Play or PayPal app is started), but that can soon change.

The researcher says that to remove the app, victims must first disable the malware’s device administrator rights in Settings > Security > Device administrators > Device Admin > Deactivate, then uninstall the malware via ADB (Android Debug Bridge) by using the command ‘adb uninstall [packagename]’. Tech-unsavvy users might want to ask for help with that last step from friends and family who know how to do that.

Lu also recently analyzed another piece of malware that masquerades as an unnamed German mobile banking app. This one also targets five banks in Austria, as well as Google Play (asks users to input credit card info when they start the app).

This particular malware also comes in the form of a fake Flash Player app, and is after credit card info of users of several popular social media apps (Instagram, Skype, WhatsApp, Facebook, etc.).


Help Net Security

Blockchain and Cryptography: The New Gold Standard

Over the past 200 years, the role of gold in international trade has been undeniable as a means to standardize prices across currencies and secure payments across borders. Before 1875, global financial systems based prices on the amount of gold held in coins, which could then be exchanged between people who had no common language, who didn’t necessarily trust each other and whose currency was of no use to the other.

By 1880, many of the leading industrial countries used the gold standard, converting currencies into meaningful equivalents by virtue of their weight in gold. This enabled unprecedented trade volume and international commerce growth.

The comparison between the science of cryptography and the commodity gold may sound dubious at first, but cryptography plays the historical role of gold today by enabling international trade, products and services. Put simply, our interconnected economies now rely on a technological common denominator that can be trusted to secure and enable trade beyond physical borders now that our assets, money and transactions are digital.

Cryptography: A Common Foundation

Cryptography secures the global information infrastructure by encrypting data flows and protecting data from third-party interception. Nowadays, cryptography secures data in transit and at rest, protects personal information and communications, and ensures the integrity of every online purchase. Cryptography has four key attributes:

  1. Confidentiality: The protection of information and prevention of unauthorized access;
  2. Privacy: Protecting the personal information of individuals;
  3. Non-repudiation: The inability to deny an action took place; and
  4. Integrity: Assurance that information cannot be manipulated.

Though its origins date back centuries, modern cryptography came into effect in the 1970s using public keys, asymmetric keys and digital signatures — techniques still in use today.

Financial services introduced public key infrastructures (PKI) in the 1990s, and the National Institute of Standards and Technology (NIST) standardized the cryptographic hash algorithm SHA-1, the operating standard used globally for the past 20 years.

The Future of Banking

Many banks are now pivoting their business models toward technology solutions as they seek to provide digital services for their clients and reduce costs due to regulatory compliance obligations. Similarly, banks are investing heavily in new ways to deliver products and services to clients to compete with technology companies’ alternative payment methods.

This refocus has spurred the term fintech, or financial technology, to describe the growing market segment. A reliance on technology creates a greater need for cryptography to secure and move digital assets. Many banks are now creating their own cryptographic service units to respond to the growing demand.

Blockchain Changes the Banking Game

A perfect example of these competitive forces is the current focus on blockchain. Blockchain has become synonymous with alternative business models. It has driven businesses to reimagine how their networks operate when using a shared distributed ledger of information to reduce costs and complexity and increase efficiency and transparency. These permissioned blockchain concepts — where participants in the network are known and vetted — are considered some of the most innovative technologies currently in development.

At its core, however, blockchain leverages a vast amount of public key cryptography to enable confidentiality, privacy and security of data and user identities. Banks envision organizing vast securities trading platforms, supply chains and back office functions into blockchain systems, essentially changing the rules of how information flows are managed.

A Murky Future

Changes in cryptography will likely redefine banking infrastructures globally in the next decade. According to the NIST, SHA-1 is being phased out. Banks are now preparing to migrate to the new SHA-2 standard, a costly and complicated process for many institutions. This migration, however, is only one step in the evolving cryptography landscape for banks.
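One practical piece of a SHA-1 to SHA-2 migration is hash agility: store the algorithm name beside each digest, verify legacy records with the algorithm they were made with, and re-issue them with SHA-256 on the next successful check. The block below is an added example, not code from the article or from NIST; the "algo$hex" record layout and the helper names are assumptions.

```python
import hashlib
import hmac

# Assumed record layout: "<algorithm>$<hex digest>", e.g. "sha1$da39a3ee...".
# Tagging the digest lets a verifier handle mixed populations during migration.
LEGACY_ALGORITHMS = {"sha1", "md5"}
TARGET_ALGORITHM = "sha256"  # member of the SHA-2 family


def make_record(data: bytes, algorithm: str = TARGET_ALGORITHM) -> str:
    """Return an algorithm-tagged hex digest of data."""
    digest = hashlib.new(algorithm, data).hexdigest()
    return f"{algorithm}${digest}"


def parse_record(record: str) -> tuple[str, str]:
    """Split a record into (algorithm, digest), rejecting malformed or unknown entries."""
    algorithm, sep, digest = record.partition("$")
    if not sep or not digest:
        raise ValueError(f"malformed record: {record!r}")
    if algorithm not in hashlib.algorithms_available:
        raise ValueError(f"unsupported algorithm: {algorithm!r}")
    return algorithm, digest


def verify(record: str, data: bytes) -> bool:
    """Check data against the record using the algorithm the record names."""
    algorithm, digest = parse_record(record)
    expected = hashlib.new(algorithm, data).hexdigest()
    # Constant-time comparison so a mismatch does not leak how many bytes matched.
    return hmac.compare_digest(expected, digest)


def needs_upgrade(record: str) -> bool:
    """True when the record was produced with an algorithm slated for retirement."""
    algorithm, _ = parse_record(record)
    return algorithm in LEGACY_ALGORITHMS


def verify_and_upgrade(record: str, data: bytes) -> tuple[bool, str]:
    """Verify with the stored algorithm; on success, re-issue legacy records with SHA-256.

    Returns (verified, record_to_store). A failed verification never rewrites the record.
    """
    if not verify(record, data):
        return False, record
    if needs_upgrade(record):
        return True, make_record(data, TARGET_ALGORITHM)
    return True, record


def migration_inventory(records) -> dict[str, int]:
    """Count records per algorithm so the remaining SHA-1 population can be tracked."""
    counts: dict[str, int] = {}
    for record in records:
        algorithm, _ = parse_record(record)
        counts[algorithm] = counts.get(algorithm, 0) + 1
    return counts


if __name__ == "__main__":
    # Constructed sample: two legacy SHA-1 records and one already on SHA-256.
    store = [make_record(b"statement-2016-01", "sha1"),
             make_record(b"statement-2016-02", "sha1"),
             make_record(b"statement-2016-03")]
    print("before:", migration_inventory(store))
    store = [verify_and_upgrade(r, d)[1] for r, d in
             zip(store, [b"statement-2016-01", b"statement-2016-02", b"statement-2016-03"])]
    print("after: ", migration_inventory(store))
```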

Whether you like it or not, quantum computing (QC) is coming. All enterprises, including banks, will need to rebuild their current cryptographic systems to defend against the power of QC. Essentially, QC can decode all current cryptography regimes, requiring quantum-resistant cryptography to keep data safe. This evolving field will be at the forefront of massive infrastructure changes in the coming years.

Learn More

Visit IBM at booth No. 1033 during Money 20/20, happening from Oct. 23 to 26 in Las Vegas, to hear more about blockchain in the financial industry.


Security Intelligence

The financial industry’s increasing dependence on advanced technologies has two major implications. First, the financial companies that adopt these technologies are able to leverage new and improved services, solve legacy issues and introduce competitive differentiation as a result. Second, the increased complexity of these systems creates more potential weak spots for cybercriminals to exploit. It also drives up the cost required to adequately research, develop and deliver these advanced technologies and services to customers.

Managing these intricacies and associated risks is the key to improving the state of security in banking. A security leader’s main priority is to keep attackers from gaining entry to the organization’s IT ecosystem and wreaking havoc. With any breach, the potential for loss of data, trust and revenue is high, and it can dent overall reputation as well.

The regulatory bodies charged with keeping the industry secure are essential to prevent potentially unsafe expansion or activity. However, regulators are often unable to move fast enough when it comes to data protection.

Compliance Does Not Equal Security

While regulatory compliance is important, a compliant system is not necessarily a secure system. Those in charge of securing financial organizations should work with industry peers and IT partners to identify threats and establish holistic, risk-based approaches to dealing with them.

It’s also important to recognize the tension between the technical and business sides of the organization. Consider which tools must be implemented to address risk and comply with regulations in the context of the IT budget. All sides must be sensitive to each other’s concerns.

Keep Your Ear to the Ground

Computers and security systems have been developed to recognize, detect and prevent viruses, malware and other harmful pieces of software. While these systems are incredibly accurate, they are no longer enough. Security teams need more advanced systems that can learn to recognize patterns in data and identify subtle changes in attack code designed to evade traditional monitoring systems.

Banking organizations should ensure they have advanced analytical and interpretive powers overseeing all relevant data security events. These efforts will help detect and prioritize the threats that pose the greatest risk to the industry and specific organization, allowing security personnel to take effective action and identify the items that need immediate attention. This can be achieved either through in-house security technology deployment or by contracting a third party to manage the security monitoring for the business.

Get Your Head in the Cloud

Many leaders in the traditionally risk-averse finance industry are wary of the risks associated with cloud adoption. However, there is no reason why cloud should be any less secure than an on-premises data hub. It all depends on the organization’s security policies and regulatory requirements, and how these can be mapped to the cloud environment.

Cloud adoption can drive agility and reduce costs for banking institutions. It can also help improve protocols for security in banking. As threats in this area continue to escalate, a single bank can only see what happens inside its own network. But it can strengthen its defensive posture by collaborating with other banks, regulators and government agencies to understand the full threat picture.

Banks can also enable the exchange of relevant threat information and speed up defense capabilities by partnering with dedicated security services. A partner overseeing threats across the globe can, for example, warn a bank in Germany of an attack unfolding in Korea. This allows the German bank to get a jump on defensive preparations before attackers have a chance to strike.

The Future of Security in Banking

The future of security in banking lies in the development and adoption of advanced cognitive security functions. These systems can harness not just data, but also meaning, knowledge, process flows and progression of activity at a lightning-fast speed. Cognitive security can put banks ahead of threat actors in terms of speed, collaboration and access to data structures.

Cognitive technology enables security analysts to collect information rapidly and provides the support they need to thwart attacks before the damage is done. But shifting the balance of power requires a shift in the overall approach to security in banking. Banks must ensure their systems are more than compliant, become comfortable with cloud technologies and implement cognitive computing to keep up with the evolving threat landscape. The industry is not entirely there yet, but it’s facing the right direction.

For more on the state of security in banking, watch this IBM Masterclass video interview I did with The Banker, “Cybersecurity Beyond Compliance.”


Security Intelligence

Banking customers are hesitant to use mobile features due to fraud and security concerns, according to Kaspersky Lab and IDC Financial Insights. Their findings show that of those not using mobile banking at all today (36 percent), 74 percent cited security as the major reason, which could slow the overall adoption of mobile banking services during a time where mobile device usage is exploding.


While security concerns are holding back non-mobile banking users from embracing the convenient, digital self-service solutions on the market, those who are active users of mobile banking today share the same concerns. Among both users and non-users of mobile banking, 85 percent said that they would increase their usage to “some extent” if there were more security, and nearly half (44 percent) of those surveyed said that they would “significantly” increase their mobile banking usage with more security.

For financial organizations, an increase in self-service banking usage can drive revenue and reduce transactional costs, but currently customers don’t see a promising future for mobile banking in their lives – with 32 percent of respondents claiming that they do not ever foresee using mobile as the primary channel that they will engage with their bank or credit union. Banks that do not properly strengthen mobile financial security measures could miss out on a significant business opportunity and risk losing valuable customers in the process.

As financial institutions look for new ways to streamline adoption of self-service banking solutions, it is important that they proactively deploy and implement rigorous security solutions. In addition, banks should reconsider their education strategies to ensure that customers understand the level of security in their mobile offerings. Survey respondents want to see a proactive and informative approach to security from their banks, with 80 percent indicating that they would like to see evidence of security measures being activated when they launch a mobile banking application.

“Consumers are concerned about security on their mobile devices, which has limited adoption of high margin mobile banking and payment activities including account opening, payments and transfers using a mobile phone,” says Marc DeCastro, research director at IDC Financial Insights. “As the next generation of online, mobile first and mobile only customers begin to explore digital banking choices, financial institutions that have and promote stronger security will attract and retain these customers more easily than those who do not.”

“As financial organizations continue to expand their self-service offerings to drive revenue and increase customer convenience, it’s important to proactively approach security technology for consumers’ mobile devices in the same way banks approach security for their own PC-based solutions, web offerings, and technology networks,” said Ross Hogan, Kaspersky Lab Global Head of Fraud Prevention.


Help Net Security


Current and former board directors and senior managers for SWIFT banking admitted security was not a priority for the financial messaging system and experts are not surprised to hear it.

A report from Reuters noted while there was only one reference to security in the past 17 annual reports and strategy plans for SWIFT, more than a dozen executives admitted they suspected for years that there were security flaws, especially in how smaller banks used the system.

It was only after hackers attempted to steal $1 billion -- succeeding in stealing $81 million -- in February, and investigations uncovered more incidents of fraud, that a plan was created to improve SWIFT security.

Some of the former directors and senior managers took responsibility for the fact that security was not a priority while others justified it by claiming the SWIFT banking organization expected bank regulators to ensure proper security.

No experts were surprised by these admissions by SWIFT banking execs.

"SWIFT seems to have expanded its network to banks in less-developed countries without due consideration for the security weaknesses that would introduce," Avivah Litan, vice president and distinguished analyst at Gartner, told SearchSecurity. "But SWIFT always justifiably considered itself the 'messenger' and probably thought the security of its member banks was not its problem. SWIFT's attitude is 'don't shoot the messenger' -- and that position worked in the past when account takeover and sophisticated hackers weren't so prevalent."

Yong-Gon Chon, CEO for Cyber Risk Management LLC, the Tampa, Fla. risk management firm, said executives claiming to see warning signs is common.

"The reaction of suspecting vulnerabilities existing within client terminals is expected and not surprising. Every time a major incident happens, from 9/11 or to Target circa 2013, experts come out and say they knew there were warning signs," Chon said. "It's a natural human reaction because hindsight is almost always 20-20. The reality is that the current landscape of digital criminal activity means that threats are faceless and invisible. An invisible threat takes away the advantage of human instinct to suspect unusual activity. Consequently, it has never been more convenient for criminals to exploit the weakest links in a complex internetworked chain that is our financial messaging system."

Bob Hansmann, director of security technologies at Forcepoint, the Austin, Texas, security firm, suggested many failures were necessary to enable the fraud committed with the SWIFT banking system.

"Time, money, and people are all limited resources, particularly in IT security. And many vulnerabilities can only be exploited under unique, and highly unlikely, circumstances. So priorities have to be set, and such vulnerabilities may go unaddressed," Hansmann said. "It is important to point out that we should not limit our thinking to technology. People, procedures, and processes can also be exploited or be a key element causing an otherwise unlikely vulnerability a reality."

Andrei Barysevich, director of Eastern European research and analysis at Flashpoint, agreed with this assessment.

"Any system is only as strong as its weakest link, and although the largest financial institutions have sufficient resources to respond adequately to emerging threats, smaller organizations always fall behind," Barysevich said. "SWIFT became a victim of its own success -- too comfortable in its dominance to recognize the new reality; in the meantime, criminals quickly discovered SWIFT's weaknesses."

Experts agreed acknowledging problems is always a good first step towards remediating any issues. Following the fraud attempts, SWIFT announced a five-point Customer Security Program to improve security.

"It includes tighter guidelines for auditors and regulators to check each bank's security, improves information sharing, tightens existing procedures, and promotes the use of fraud spotting solutions. In addition to short term security improvements, these will also provide more visibility and understanding, which should result in additional recommendations later," Hansmann said. "Security requires visibility. The overall SWIFT system is only as secure as the weakest bank connected to it. A burglar doesn't have to break in through all of your windows… just one."

Ruchika Mishra, senior product marketing manager for WhiteHat Security, said the program and the establishment of the SWIFT Customer Security Intelligence Team should help.

"The Customer Security Program that endeavors to define an operational and security baseline for its customers with strategic initiatives to improve information sharing, make security tools more robust, and develop audit standards and certification processes is a step in the right direction," Mishra said. "SWIFT has also established a Customer Security Intelligence Team in partnership with other experts in cybersecurity to gather intelligence related to attempted cyberattacks and share anonymized customer security information with the larger community. These are all steps in the right direction."

Litan noted these changes are good for SWIFT's image, but don't answer more fundamental questions, such as whether SWIFT should "broaden its role and take more responsibility for the security of member banks who access its systems."

"SWIFT needs to figure out what its role is in the future. Is it going to still be a network for transmitting messages securely, even when those messages are fraudulent, or is it going to take responsibility for making sure those messages are not fraudulent and not tampered with?" Litan asked. "My belief is that SWIFT won't take on the latter role unless its large member banks insist on it. And for now the large member banks are more concerned with maintaining the speed of digital business than they are with stopping fraudulent transactions and slowing digital business down."

Litan also suggested the new guidelines introduced by SWIFT won't be useful because they lack the necessary "enforcement teeth to be effective."

"I don't think those steps are enough to stop hacks into member banks' access of the SWIFT network," Litan said. "Not all planned attacks can be discovered by threat intelligence firms, no matter how good those firms are. Some attackers may not leave any digital footprints in places those firms have access to, e.g. various forums on the Dark Web. And certainly security won't necessarily improve amongst member banks with the introduction of SWIFT security guidelines."

"If the SWIFT attacks continue, and my prediction is that they will, eventually SWIFT will have to enforce security measures at its member banks, i.e. on the originator side, since SWIFT has the authority to do that. SWIFT should enforce security measures on the bank recipient side -- by the way, many large banks are both originators and recipients -- to ensure they analyze transactions and look for suspect payments, but they don’t have the power to do that. That's the regulators' jobs and one day the regulators may eventually wake up to the need for them to do just that."



SearchSecurity: Security Wire Daily News

You'd think, with the amount of money the SWIFT inter-bank payment system transfers every day, that the group would be strong on security. Not so, says a former head of the organization.

The SWIFT organization has been trying to up its security game after a string of high-profile hacking attacks that siphoned off millions from the system. But Leonard Schrank, CEO of SWIFT from 1992 to 2007, admitted that the organization has been snoozing on security for too long.

"The board took their eye off the ball," Schrank told Reuters. "They were focusing on other things, and not about the fundamental, sacred role of SWIFT, which is the security and reliability of the system."

Schrank said that he was "partially responsible" for the situation, as he and other board members hadn't considered the security implications of smaller banks joining the network and not taking proper precautions to lock down the payment system.

Large Western banks are the heaviest users of SWIFT, but the number of smaller banks joining the network has grown, and these often don't have the budget to protect the system. Martin Ullman, a SWIFT consultant based in Prague, said that he had been in contact with an admin at the Central Bank of Solomon Islands who couldn't afford the cost of upgrading the SWIFT messaging system.

"The difficulty is always to keep the security system very effective when you deal with little banks and emerging countries," said former SWIFT board member Alessandro Lanteri. "There, it is very difficult to be sure that all the procedures of security are managed in the correct way."

Another former SWIFT board member, Arthur Cousins, claimed that part of the problem is that the organization didn't believe it was responsible for the security of people using its systems – it felt that was a job for banking regulators.

"SWIFT and its Board have prioritized security, continually monitoring the landscape and responding by adapting the specific security focuses as threats have evolved," SWIFT said in a statement.

"Today's security threats are not the same threats the industry faced five or ten years ago – or even a year ago – and like any other responsible organization, we adapt as the threat changes." ®



The Register - Security



SANS Information Security Reading Room


Limor Kessem

Executive Security Advisor, IBM


IBM X-Force Research has observed that Panda, also known as Panda Banker, a relatively new Zeus Trojan variant that began targeting banks in Europe and North America early this year, has now spread to Brazil. According to X-Force, its Brazilian configuration targets 10 local bank brands and multiple payment platforms, just as Brazil prepares to host a global sporting event.

Commercialized Malice

As its name suggests, Zeus Panda is yet another Zeus v2 Trojan iteration built upon the same source code leaked in 2011, a leak that evidently keeps enabling the delivery of new commercial banking Trojans into the world.

IBM X-Force Research believes that Zeus Panda is being peddled via Dark Web underground boards by the developer who put it together. It is sold in cybercrime-as-a-service packages to other cybercriminals.

Panda Arrives in Brazil

IBM X-Force Research has been detecting Zeus Panda variants since Q1 2016. At first, botnets spreading and attacking users with this malware primarily targeted banks in Europe and North America, focusing on the U.K., Germany, the Netherlands, Poland, Canada, the U.S. and others. While Panda configurations focus on targeting personal online banking services, they are rather diverse. Other targets include online payments, prepaid cards, airline loyalty programs and online betting accounts, to name a few.

Panda is clearly one hungry bear. The malware continues to spread to new geographies and is now targeting users in Brazil. First appearing in Brazil in July 2016, the related Panda variant likely has links to a locally operated, professional cybercrime faction. The variants fetched a new Brazil-focused configuration, which was set up to steal credentials from users of 10 major bank brands in the country, as well as those of bitcoin exchange platforms, payment card services and online payments providers, among others, per X-Force findings.

Panda’s Big Appetite for Local Grub

Zeus Panda’s Brazilian configuration file has a notable local hue. Aside from including the URLs of major banks in the country, Panda’s operators are also interested in infecting users who access delivery services for a Brazilian supermarket chain, local law enforcement websites, local network security hardware vendors, Boleto payments and a loyalty program specific to Brazil-based commerce. Other targets include customer logins to a company that offers ATM management services and secure physical access technology for banks.

Who is behind this new botnet? Attribution remains elusive. However, from the attack flows analyzed by X-Force Research, it is evident that Brazil’s Panda gang is well-versed in operating banking Trojans of this grade. Compared with other Zeus Panda botnets, and with most banking Trojan configurations in general, this Brazilian iteration suggests the involvement of a professional cybercrime group that is at least partly located in Brazil. One hint about the operators’ possible origins is the presence in the configuration of the URL of a Russia-based online service that offers instant money transfers, payments, top-ups and cash-out via online payment platforms, payments through mobile operators and more.


Teaching a New Panda Old Tricks

Is there anything special about Zeus Panda at this time? The malware is based on existing code and uses the same online fraud methods that X-Force researchers see with other banking Trojans. Panda grabs login credentials on the fly, injects malicious code into ongoing web sessions (web injections) to trick users with social engineering, and its operators are versed in the use of automatic transfer systems (ATS).

According to attack attempts detected by IBM Security antifraud solutions, Panda’s operators’ favored fraud methodology is account takeover, in which victim credentials are stolen and then used to initiate a transaction from another device. The victim is held online by deceptive pop-up windows that require one-time passwords and allow the attacker to complete a fraudulent transaction in real time.
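The two mechanisms in the preceding paragraphs, web injection into a live banking session and the deceptive pop-up that harvests a one-time password, are driven by a configuration file of the kind Zeus v2 descendants have used for years. What follows is an added example, not IBM's or X-Force's code and not Panda's own: a minimal parser for the Zeus v2 `webinjects.txt` syntax, the page-rewriting step a browser hook performs with it, and a defender-side check that spots form fields the bank never served. The bank URL, the login page and the inject text are all constructed here for illustration.

```python
import fnmatch
import re
from dataclasses import dataclass

# Constructed sample in the Zeus v2 "webinjects.txt" syntax. Each entry names a
# URL mask (flags G/P = apply to GET/POST responses), the markup that must sit
# immediately before and after the injection point, and the markup to splice
# in. A "*" inside data_before/data_after is a wildcard.
SAMPLE_WEBINJECTS = """
set_url https://online.example-bank.test/login* GP
data_before
<input type="password"*</div>
data_end
data_inject
<div class="otp"><label>Token code</label><input name="otp_code"></div>
data_end
data_after
data_end
"""

# Constructed stand-in for the bank's genuine login page.
SAMPLE_LOGIN_PAGE = (
    '<form action="/login" method="post">'
    '<div><input type="text" name="user"></div>'
    '<div><input type="password" name="pass"></div>'
    '<button>Entrar</button></form>'
)


@dataclass
class Inject:
    url_mask: str
    flags: str
    before: str = ""
    inject: str = ""
    after: str = ""


def parse_webinjects(text):
    """Parse set_url / data_* blocks into Inject records."""
    injects = []
    current = None
    section = None
    buf = []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("set_url "):
            parts = line.split()
            current = Inject(url_mask=parts[1], flags=parts[2] if len(parts) > 2 else "")
            injects.append(current)
        elif line in ("data_before", "data_inject", "data_after"):
            section = line[len("data_"):]  # field name on Inject
            buf = []
        elif line == "data_end":
            if current is not None and section is not None:
                setattr(current, section, "\n".join(buf))
            section = None
        elif section is not None:
            buf.append(raw)
    return injects


def _mask_to_regex(mask):
    # "*" means any run of characters (shortest match); everything else is literal.
    return ".*?".join(re.escape(part) for part in mask.split("*"))


def apply_injects(url, html, injects):
    """Rewrite the server's HTML the way the Trojan's browser hook would.
    Only the first occurrence of the anchor is touched, as Zeus does."""
    for inj in injects:
        # Zeus masks only use "*"; fnmatch also treats "?" and "[" specially,
        # which is acceptable for this demonstration.
        if not fnmatch.fnmatchcase(url, inj.url_mask):
            continue
        pattern = re.compile(
            "(" + _mask_to_regex(inj.before) + ")(" + _mask_to_regex(inj.after) + ")",
            re.DOTALL,
        )
        html = pattern.sub(lambda m: m.group(1) + inj.inject + m.group(2), html, count=1)
    return html


FIELD_NAME = re.compile(r'<input[^>]*\bname="([^"]*)"', re.IGNORECASE)


def unexpected_fields(served_html, rendered_html):
    """Defender-side check: input fields present in what the browser rendered
    but absent from what the bank served. A token prompt appearing on the
    plain login page is the classic tell of an OTP-harvesting inject."""
    return set(FIELD_NAME.findall(rendered_html)) - set(FIELD_NAME.findall(served_html))


if __name__ == "__main__":
    rules = parse_webinjects(SAMPLE_WEBINJECTS)
    victim_view = apply_injects("https://online.example-bank.test/login?lang=pt",
                                SAMPLE_LOGIN_PAGE, rules)
    print(victim_view)
    print("injected fields:", unexpected_fields(SAMPLE_LOGIN_PAGE, victim_view))
```

The `unexpected_fields` comparison is the simplest form of what bank-side anti-fraud products do with the DOM: they have the served page, obtain (via a client-side script) what the browser actually shows, and alert on the difference, which is why operators pair the inject with a real-time ATS or manual transaction rather than relying on the inject alone.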

Zeus Panda’s top infection vector is weaponized Word documents whose macros fetch and run the malware on victims’ machines. It has also been seen spreading via popular exploit kits such as Angler and Neutrino, and via personalized messages sent to company email addresses, which lure victims on a more selective basis than indiscriminate spam.
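The macro-document vector described above, as an added example that is not IBM's, X-Force's or Panda's code: a mail-gateway triage check that opens an Office attachment as the zip container it is, looks for a VBA project part, flags an extension that claims to be macro-free, and matches the file's MD5 against an IOC list that has first been validated (a truncated or mistyped hash otherwise never matches anything and nobody notices). The two documents are constructed in memory, the file names are illustrative, and legacy OLE2 `.doc` files are out of scope for this check.

```python
import hashlib
import io
import re
import zipfile

# Constructed minimal OOXML parts; real documents carry many more.
CONTENT_TYPES_XML = (
    b'<?xml version="1.0" encoding="UTF-8"?>'
    b'<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>'
)
DOCUMENT_XML = (
    b'<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main">'
    b'<w:body/></w:document>'
)
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # a compiled VBA project is an OLE2 container

MACRO_PART = re.compile(r"(^|/)vbaProject\.bin$", re.IGNORECASE)
MACRO_FREE_EXTENSIONS = {"docx", "dotx", "xlsx", "xltx", "pptx", "potx"}


def build_office_file(with_macros):
    """Construct a minimal OOXML container, optionally with a VBA project part."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", CONTENT_TYPES_XML)
        z.writestr("word/document.xml", DOCUMENT_XML)
        if with_macros:
            # Only the presence of the part matters for this check.
            z.writestr("word/vbaProject.bin", OLE2_MAGIC + b"\x00" * 24)
    return buf.getvalue()


def has_vba_project(data):
    """True if an OOXML container carries a VBA project part anywhere inside."""
    if not data.startswith(b"PK"):
        return False  # not a zip container (legacy .doc needs an OLE parser instead)
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            return any(MACRO_PART.search(name) for name in z.namelist())
    except zipfile.BadZipFile:
        return False


def load_ioc_hashes(entries):
    """Keep only well-formed MD5 strings and report the ones that are not."""
    valid, rejected = set(), []
    for entry in entries:
        h = entry.strip().rstrip(";").lower()
        if re.fullmatch(r"[0-9a-f]{32}", h):
            valid.add(h)
        else:
            rejected.append(entry)
    return valid, rejected


def triage_attachment(filename, data, known_bad_md5):
    """Return a verdict dict for one attachment; known_bad_md5 is a validated set."""
    md5 = hashlib.md5(data).hexdigest()
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    macros = has_vba_project(data)
    reasons = []
    if md5 in known_bad_md5:
        reasons.append("md5 matches published IOC")
    if macros:
        reasons.append("contains VBA project")
        if ext in MACRO_FREE_EXTENSIONS:
            reasons.append("macro-free extension hides a VBA project")
    return {"md5": md5, "has_macros": macros, "extension": ext,
            "suspicious": bool(reasons), "reasons": reasons}


if __name__ == "__main__":
    iocs, bad_entries = load_ioc_hashes(["541a13676ca56ca69459326de5701e9c"])
    for name, blob in (("invoice.docx", build_office_file(True)),
                       ("report.docx", build_office_file(False))):
        print(name, triage_attachment(name, blob, iocs))
```

A hash match is the weakest of the three signals, since every rebuild of the lure changes it; the VBA-part check and the extension mismatch survive repacking and are what a gateway policy should key on.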

Under the hood, this Trojan does feature a few modifications, mostly relevant to its encryption and communications schemes, which were recently reported in detail.

Zeus All Over

From a global perspective, Zeus variations remain one of the most dominant malware problems to affect the financial sector. Looking back at the past five years, Zeus-based banking Trojans maintained one of the top ranks on the global malware chart based on the attack volumes they facilitate.

Figure 1 lists the top financial malware in the world for the first half of 2016. Ranking third is the Zeus variations line, which accounts for 15 percent of attacks worldwide and includes Zeus VM, Citadel and Panda variants, as well as generic Zeus v2 deployments operated by small cybercrime factions in different parts of the world.

Figure 1: Top Financial Malware per Attack Volume (Source: IBM Trusteer)

What’s Next for Panda?

Panda’s move to Brazil is a very interesting development for the country. Brazil’s cybercrime landscape is dominated by relatively simple, purpose-built malware designed for specific fraud scenarios, such as Boleto fraud, remote access fraud and malware used for phishing.

Zeus Panda may not be the first ever modular banking Trojan to operate in Brazil, but it is definitely a major step up from the malicious Delphi-based malcode that’s so typical in the country. This migration of a new and commercial Zeus variant into Brazil also underscores the growing collaboration between Brazil-based cybercriminals and cybercrime vendors from other countries and underground communities — a trend that has been picking up speed in Brazil since the beginning of this year.

Judging by recent emerging campaigns observed by X-Force Research, Zeus Panda appears to be an active and evolving project that is being commercialized to cybercriminals through Dark Web forums. As such, we expect to see more variations of this malware and new botnets appearing in the coming months, likely targeting different countries beyond those appearing in current configurations.

In the last few years, malware developers have been disinclined to sell banking Trojans in the underground for fear of being discovered by law enforcement. Panda’s vendor may or may not continue to sell the malware at the risk of encountering the same fate that befell other malware authors in the recent past.

Mitigating Zeus Panda Attacks

IBM Security has studied the Zeus Panda banking malware and its various attack schemes and can help banks and targeted organizations learn more about this high-risk threat. To help stop threats like Panda Banker, banks and service providers can use adaptive malware detection solutions and protect customer endpoints with malware intelligence that provides real-time insight into fraudster techniques and capabilities, designed to address the relentless evolution of the threat landscape.

Users looking to prevent malware infections on their endpoints must keep their operating system up to date at all times, update frequently used programs and remove those they no longer use. Browsing hygiene for the prevention of Trojan infection includes blocking ads and avoiding the kinds of sites typically used as infection hubs, such as adult content, torrent and free gaming sites, to name a few. Also, since Panda Banker and similar banking malware is usually delivered as an email attachment, never open attachments or click links in unsolicited email.

Sample MD5

Sample MD5 hashes for the Panda Trojan are:

  • 9dd9705409df3739183fb16583686dd; and
  • 541a13676ca56ca69459326de5701e9c.

Note that the first hash, as published here, is only 31 hexadecimal characters, one short of a full MD5; confirm it against the X-Force Exchange entry before adding it to a blocklist, since a truncated hash will never match.

AV aliases include Gen:Variant.Graftor.296387, according to VirusTotal.

IBM X-Force Research will update information and IOCs on Panda Banker via the X-Force Exchange platform. Join XFE to keep up to date on this threat and other findings from our cybercrime labs.
