A Zeus Trojan variant known as Panda has now spread to Brazil, targeting banks and payment-industry companies just as the country prepares to host the Olympic Games.
According to IBM X-Force Research, the Brazil-focused configuration of Panda is a hungry bear: It was set up to infect users of 10 major Brazilian banks, while also stealing the credentials of those using Bitcoin exchange platforms, payment card services and online payments providers, amongst other targets. It first appeared in July.
“With increased payment activities expected in the country surrounding the Olympics, it’s no surprise the cybercriminals are increasing their activities in Brazil to take advantage,” said IBM security researcher Limor Kessem, in a blog.
She added that Panda’s operators are thinking local in their appetites: They’re also interested in infecting users who access delivery services for a Brazilian supermarket chain, local law enforcement websites, local network security hardware vendors, Boleto payments and a loyalty program specific to Brazil-based commerce. Other targets include customer logins to a company that offers ATM management services and secure physical access technology for banks.
X-Force researchers who analyzed the malware’s attack schemes also noticed that it fetches data from resources hosted on Russian domains.
“This migration of a Zeus variant into Brazil suggests collaboration between Brazil-based cybercriminals with cybercrime vendors from Eastern Europe, a trend which has been picking up speed in Brazil since the beginning of this year,” Kessem said.
While Brazil’s cybercrime landscape is typically dominated by relatively simplistic code designed for specific fraud scenarios, Kessem said that the sophistication level of Panda is a major step up from typical Brazilian malware schemes. Like other banking Trojans, it grabs login credentials on the fly, is capable of injecting malicious code into ongoing web sessions to trick users with social engineering, and its operators are versed in the use of automated transaction panels (ATS).
“According to attack attempts detected by IBM Security antifraud solutions, Panda’s operators’ favored fraud methodology is account takeover, in which victim credentials are stolen and then used to initiate a transaction from another device,” Kessem said. “The victim is held online by deceptive pop-up windows that require one-time passwords and allow the attacker to complete a fraudulent transaction in real time.”
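The account-takeover pattern described above has a recognisable footprint on the bank's side: the stolen credentials are used to start a transfer from a second device while the victim's own session is still active on the first one. The following Python snippet is an added illustration written for this page, not code from IBM X-Force or from the article; it assumes a simplified event feed with hypothetical `login`/`transfer` events carrying a device fingerprint, and a hypothetical 15-minute concurrency window, and it flags transfers that originate from a device other than the one that recently logged into the same account.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Event:
    ts: datetime          # when the event happened
    account: str          # customer account identifier
    device_id: str        # device fingerprint or session cookie id (hypothetical field)
    kind: str             # "login" or "transfer"


# Hypothetical window: a transfer from a second device this soon after a login from
# another device matches the "victim held online while the attacker transacts" pattern.
CONCURRENCY_WINDOW = timedelta(minutes=15)


def find_takeover_candidates(events, window=CONCURRENCY_WINDOW):
    """Flag transfers initiated from a device other than one that logged into the
    same account within `window`. Returns (account, transfer_event, login_event) tuples."""
    ordered = sorted(events, key=lambda e: e.ts)
    logins_by_account = {}   # account -> logins seen so far, in time order
    alerts = []
    for ev in ordered:
        if ev.kind == "login":
            logins_by_account.setdefault(ev.account, []).append(ev)
        elif ev.kind == "transfer":
            for login in logins_by_account.get(ev.account, []):
                # A different device transacting while a recent login from another
                # device is still live is the account-takeover signal we care about.
                if login.device_id != ev.device_id and ev.ts - login.ts <= window:
                    alerts.append((ev.account, ev, login))
                    break
    return alerts


# Constructed sample telemetry (not real data).
T0 = datetime(2016, 8, 1, 10, 0)
SAMPLE_EVENTS = [
    Event(T0, "acct-1001", "dev-victim", "login"),
    Event(T0 + timedelta(minutes=4), "acct-1001", "dev-unknown", "transfer"),  # takeover pattern
    Event(T0, "acct-2002", "dev-owner", "login"),
    Event(T0 + timedelta(minutes=3), "acct-2002", "dev-owner", "transfer"),    # same device: normal
    Event(T0 - timedelta(hours=3), "acct-3003", "dev-home", "login"),
    Event(T0, "acct-3003", "dev-work", "transfer"),                             # outside the window
]


if __name__ == "__main__":
    for account, transfer, login in find_takeover_candidates(SAMPLE_EVENTS):
        print(f"ALERT {account}: transfer from {transfer.device_id} at {transfer.ts:%H:%M} "
              f"while {login.device_id} logged in at {login.ts:%H:%M}")
```

Run on the constructed sample, only `acct-1001` is flagged: the same-device transfer for `acct-2002` and the stale cross-device pair for `acct-3003` fall outside the pattern. In a real deployment the device identifier would come from the bank's session or device-fingerprinting layer, and the alert would feed a step-up check or a hold on the transfer rather than just a log line.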
Photo © Karel Cemy