Despite a tendency of criminals to abandon banking malware in favor of ransomware, there is no reason to let down your guard. The ZeuS banking malware has been covered many times already; it used to be one of the most notorious and prolific pieces of malware around. Lately, researchers at G DATA Advanced Analytics have observed an increase in the number of infections. They have taken a look at samples of a current iteration of its binaries and were even able to catch a glimpse of the banking Trojan’s control panel, something usually only the criminals behind the malware get to see.
One of the key ingredients of banking Trojans is the web inject. In short, a web inject inserts attacker-controlled HTML (and usually JavaScript) into the web pages a browser receives, so that a legitimate banking site suddenly appears to ask for extra information such as card details or one-time codes. Because the modification happens inside the browser process on the infected machine, after the TLS layer has been removed, the address bar and the certificate still look perfectly legitimate to the victim.
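To make the mechanics concrete, here is a small model of a web inject, added as an example and not code from ZeuS Panda or from G DATA. The config syntax follows the widely documented ZeuS webinjects.txt layout (set_url, data_before, data_inject, data_after, each block closed by data_end); the bank URL, the markers and the login page are constructed for the demo. The last function is a simple page-integrity check of the kind a defender can apply when both the pristine and the tampered version of a page are available: it lists the form fields that were added.

```python
from __future__ import annotations

import fnmatch
import re
from dataclasses import dataclass

# Constructed sample data (not from any real campaign).  The "GP" flags after
# the URL select GET/POST requests in the real format; this model ignores them.
CONFIG = """\
set_url https://online.examplebank.test/login* GP
data_before
<input type="password" name="password">
data_end
data_inject
<label>Card PIN (additional security step)</label>
<input type="password" name="pin" maxlength="4">
data_end
data_after
<button type="submit">
data_end
"""

# The legitimate login page exactly as the bank's server would send it.
LOGIN_PAGE = """\
<form action="/login" method="post">
<input type="text" name="username">
<input type="password" name="password">
<button type="submit">Log in</button>
</form>
"""


@dataclass
class WebInject:
    url_pattern: str  # glob matched against the requested URL
    before: str       # HTML marking the start of the splice point
    inject: str       # attacker HTML that goes in between
    after: str        # HTML marking the end of the splice point


def parse_webinjects(text: str) -> list[WebInject]:
    """Parse a webinjects.txt-style config into WebInject entries."""
    injects: list[WebInject] = []
    url: str | None = None
    blocks: dict[str, str] = {}
    section: str | None = None
    buf: list[str] = []

    def flush() -> None:
        if url is not None:
            injects.append(WebInject(url, blocks.get("data_before", ""),
                                     blocks.get("data_inject", ""),
                                     blocks.get("data_after", "")))

    for line in text.splitlines():
        stripped = line.strip()
        if section is not None:          # inside a data_* block
            if stripped == "data_end":
                blocks[section] = "\n".join(buf)
                section = None
            else:
                buf.append(line)
        elif stripped.startswith("set_url"):
            flush()                      # close the previous entry, if any
            url = stripped.split()[1]
            blocks = {}
        elif stripped in ("data_before", "data_inject", "data_after"):
            section, buf = stripped, []
    flush()
    return injects


def apply_injects(url: str, body: str, injects: list[WebInject]) -> tuple[str, int]:
    """Splice every matching inject into body; return (new_body, injects_fired)."""
    fired = 0
    for wi in injects:
        if not fnmatch.fnmatchcase(url, wi.url_pattern):
            continue
        start = body.find(wi.before)
        if start == -1:
            continue                     # marker missing: the inject silently fails
        start += len(wi.before)
        end = body.find(wi.after, start)
        if end == -1:
            continue
        # Whatever sat between the two markers is replaced by the payload.
        body = body[:start] + wi.inject + body[end:]
        fired += 1
    return body, fired


INPUT_NAME = re.compile(r"<input\b[^>]*\bname=[\"']([^\"']+)[\"']", re.IGNORECASE)


def injected_fields(original: str, modified: str) -> set[str]:
    """Page-integrity check: input names present only in the tampered page."""
    return set(INPUT_NAME.findall(modified)) - set(INPUT_NAME.findall(original))


def demo() -> dict:
    injects = parse_webinjects(CONFIG)
    modified, fired = apply_injects(
        "https://online.examplebank.test/login?lang=en", LOGIN_PAGE, injects)
    return {"fired": fired,
            "new_fields": injected_fields(LOGIN_PAGE, modified),
            "modified": modified}


if __name__ == "__main__":
    result = demo()
    print(result["modified"])
    print("injects fired:", result["fired"], "added fields:", result["new_fields"])
```

Note that the injected field is simply another input inside the bank's own form: when the victim submits, the PIN travels to the bank along with the credentials and is harvested by the Trojan's form grabber on the way out, while the bank sees nothing unusual beyond an unexpected parameter. The URL glob also means the inject fires on any matching page, so a mismatched marker (after a site redesign, for instance) makes it fail quietly rather than break the page.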
The first thing that stands out is the size of the stage 2 sample, which at 91.8 kB is quite large for a script of this type. While file size alone is not a reliable indicator of the number of features, it quickly became evident that the range of features in ZeuS Panda is extensive. Some of them are generic data-stealing mechanisms such as a form grabber, which captures whatever the victim types into web forms regardless of the site; other functions are target-specific.
For some time, our researchers have also had access to the control panel of ZeuS Panda. We were able to locate the URL of one of the control panels (see screenshot), which are usually only accessible to the attackers. Each record of stolen data consists of the bot ID, the captured login data, the browser version and a couple of other data points.
The analysis is ongoing and we will post further results as they become available. For technical details, please head over to the blog of G DATA Advanced Analytics.
All G DATA customers are protected from the ZeuS Panda malware by a combination of G DATA’s BankGuard and other protective technologies.