Panda Banker trojan now targeting victims in the US, Canada, and Japan

• Panda Banker is now spreading via the Emoted trojan’s distribution platform.
• The malware first emerged in 2016, but has since been upgraded multiple times and still continues to be a persistent threat.

A new malicious campaign distributing the Panda Banker trojan has been discovered by the security experts. The trojan was also observed being distributed via the Emotet banking malware’s distribution platform, presumably to hide its activities. The malware, which is a variant of the Zeus, first emerged in 2016, but has since been upgraded multiple times and still continues to be a persistent threat.

According to tot security researchers at Cylance, who discovered the new campaign, Panda Banker has been targeting victims in the US, Canada, and Japan and is focused on stealing credit card data, bank account information and online wallets.

Modus Operandi

The malware begins by checking the targeted system’s environment to determine whether any antivirus or sandboxing programs are present. If the malware detects any malware detection tools, it withdraws and deletes the payload.

Once Panda Banker has ensured that the coast is clear, it creates a copy of itself and launches it before exiting the system. The malware then waits for the infected system to visit a targeted website, like that of a bank or a credit card firm.

“When a target site is visited the malware injects a target-specific grabber script to steal bank account, credit card, and personal information,” Cylance researchers wrote in a blog. “Panda Banker intercepts a browsers web traffic through API hooking. It injects malicious scripts into a target web page on the victim’s web browser. It also impairs web browser security by removing the Content Security Policy header.”

Malware capabilities

Apart from stealing credit card numbers, Panda Banker also obtains purchase and withdrawal limits for both credit and debit cards. The malware also steals bank account information and personal information from payroll systems and cryptocurrency wallets.

Panda Banker began targeting financial entities in Japan in March 2018. The cybercriminals behind the campaign went after well-known firms and in one case a major bank. Panda Banker also targeted the users of a porn video streaming service and another video streaming company.

“Panda Banker is a heavily obfuscated, highly configurable, and active malware. Threat actors use this malware to steal bank/credit card information, personal data, and web wallet/blockchain information,” Cylance researchers added. “Major targets include companies in United States, Canada, and Japan.”