Home > Cyber News > Panda Banker Distributed via Macros in Word Documents and EKs

Panda Banker Distributed via Macros in Word Documents and EKs

banking-malware-stforum Banking malware has evolved a lot during the last couple of years. New banking malware pieces keep on emerging, targeting banks all over the globe. The latest threat of the kind has been identified by researchers at Proofpoint and Fox IT InTELL. Panda banking Trojan shares features with the infamous (and relatively old) Zeus, and is currently attacking banks in Australia and the United Kingdom.

More Banking Trojans to Keep Away from:
Acecard, Android Trojan and Phishing Tool Targets Over 30 Banks
Banking Botnets 2015: Multiple Attack Scenarios, More Features

Panda Banker: A Look into the Attack

According to researchers, the first attacks, initiated via malicious Microsoft Word files, were registered on March 10. As usual, particular vulnerabilities in MS Word are exploited, identified as:

(From cve.mitre.org)

Microsoft Word 2003 SP3, 2007 SP3, 2010 SP1 and SP2, 2013, and 2013 RT; Word Viewer; Office Compatibility Pack SP3; Office for Mac 2011; Word Automation Services on SharePoint Server 2010 SP1 and SP2 and 2013; Office Web Apps 2010 SP1 and SP2; and Office Web Apps Server 2013 allow remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via crafted RTF data, as exploited in the wild in March 2014.

(From cve.mitre.org)

The (1) ListView, (2) ListView2, (3) TreeView, and (4) TreeView2 ActiveX controls in MSCOMCTL.OCX in the Common Controls in Microsoft Office 2003 SP3, 2007 SP2 and SP3, and 2010 Gold and SP1; Office 2003 Web Components SP3; SQL Server 2000 SP4, 2005 SP4, and 2008 SP2, SP3, and R2; BizTalk Server 2002 SP1; Commerce Server 2002 SP4, 2007 SP2, and 2009 Gold and R2; Visual FoxPro 8.0 SP1 and 9.0 SP2; and Visual Basic 6.0 Runtime allow remote attackers to execute arbitrary code via a crafted (a) web site, (b) Office document, or (c) .rtf file that triggers “system state” corruption, as exploited in the wild in April 2012, aka “MSCOMCTL.OCX RCE Vulnerability.”

In order for those vulnerabilities to be exploited, the potential victim is lured into enabling the macros within the Word files. As for the files themselves, they are being spread in targeted email campaigns. During the detected attack, the emails were sent to individuals working at mass media and manufacturing corporations. In a successful attack, upon enabling the macros in the Word document, Panda banking malware is downloaded from 78.128.92[.]31/gert.exe – a subnet used for various targeted attacks, as pointed out by the research team.

What Kind of Information Does Panda Banker Steal?

Once a connection with the command & control server is established, Panda banker will send home information such as (but not limited to):

  • Current username;
  • Running AV program and firewall;
  • Details about the operating system;
  • Name of the computer.

Once the needed information is sent and received, the command & control server responds with a configuration file that contains other C&C servers. Also, the file contains a list of websites (banking portals) for Panda to compromise by inserting malicious code.

According to Proofpoint’s research, clients of the following banks are targeted: Santander Bank, Lloyds Bank, Bank of Scotland, TSB, and Halifax UK.

Another distribution method employed by Panda’s creators is via exploit kits. This is what the researchers say:

We observed at least three different exploit kits delivering Panda Banker since March. These include Angler Exploit Kit, Nuclear Exploit Kit, and Neutrino Exploit Kit. Our observations show that geo-filtering was used to deliver the Panda Banker payload in Australia and UK.

Panda Banker Removal. Protection and Prevention

Banking Trojans have caused great damage to unsuspecting users, generating fraudulent transactions and stealing banking credentials. Attack scenarios can go even worse, if the particular banking Trojan installs additional malware such as ransomware. Since banking malware continues to be a huge issue in cyber security, it’s only natural to ask oneself how becoming a victim can be avoided.

For obvious security-related concerns, macros are usually disabled by Microsoft by default. However, cyber criminals know that and always find ways to make potential victims enable macros and subsequently get infected, exactly like in the case of Panda attacks.

In short, to increase one’s security against banking malware, and any malware really, follow these steps:

  • Disable macros in Microsoft Office applications.The very first thing to do is check if macros are disabled in Microsoft office. For more information, visit Microsoft Office’s official page. Keep in mind that if you are an enterprise user, the system administrator is the one who is in charge of the macro default settings.
  • Don’t open suspicious emails. Simple as that. If you receive an unexpected email from an unknown sender – like an invoice – don’t open it before making sure it is legitimate. Spam is the primary way of distributing macro malware.
  • Employ anti-spam measures. Use anti-spam software, spam filters, aimed at examining incoming email. Such software isolates spam from regular emails. Spam filters are designed to identify and detect spam, and prevent it from reaching your inbox. Make sure to add a spam filter to your email. Gmail users can refer to Google’s support page.

And don’t forget to keep your anti-malware program updated and running at all times!

Milena Dimitrova

An inspired writer and content manager who has been with SensorsTechForum since the project started. A professional with 10+ years of experience in creating engaging content. Focused on user privacy and malware development, she strongly believes in a world where cybersecurity plays a central role. If common sense makes no sense, she will be there to take notes. Those notes may later turn into articles! Follow Milena @Milenyim

More Posts

Follow Me:

Leave a Comment

Your email address will not be published. Required fields are marked *

This website uses cookies to improve user experience. By using our website you consent to all cookies in accordance with our Privacy Policy.
I Agree