Analysis of a current version of a notorious banking malware
How banking Trojans work
One of the key ingredients of banking Trojans is the so-called web inject. In short, a web inject adds HTML code to the network traffic of a browser, so that the victim sees a page the legitimate server never sent.
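As an added illustration of the idea (example code, not part of the original post or of G DATA's tooling), the snippet below compares a constructed bank login page with a version of it that a web inject has extended by an extra "card PIN" field, and reports the form fields the browser rendered but the server never sent. Both HTML samples are constructed here; the defensive check is a simplified page-integrity comparison of the kind a bank can run against what its own server emits.

```python
from html.parser import HTMLParser


class _FormFieldCollector(HTMLParser):
    """Record (form action, field name, field type) for every form field on a page."""

    def __init__(self):
        super().__init__()
        self.fields = set()
        self._form_action = ""  # action of the <form> currently being parsed

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._form_action = a.get("action", "")
        elif tag in ("input", "select", "textarea"):
            ftype = a.get("type", "text" if tag == "input" else tag)
            self.fields.add((self._form_action, a.get("name", ""), ftype))

    def handle_endtag(self, tag):
        if tag == "form":
            self._form_action = ""


def collect_fields(html):
    parser = _FormFieldCollector()
    parser.feed(html)
    return parser.fields


def injected_fields(baseline_html, observed_html):
    """Fields present in the rendered page but absent from the server's own copy."""
    return sorted(collect_fields(observed_html) - collect_fields(baseline_html))


# Constructed sample: the login form as served by the bank ...
BASELINE = """
<form action="/login" method="post">
  <input name="user" type="text">
  <input name="pass" type="password">
  <input type="submit" value="Log in">
</form>
"""

# ... and the same form after a web inject added a field asking for the card PIN.
INJECTED = BASELINE.replace(
    '<input type="submit"',
    '<label>Card PIN</label><input name="card_pin" type="password">\n  <input type="submit"',
)

if __name__ == "__main__":
    for action, name, ftype in injected_fields(BASELINE, INJECTED):
        print(f"unexpected field '{name}' ({ftype}) in form {action}")
```

The comparison only catches injects that add fields; a form grabber that silently copies the fields already on the page leaves the DOM unchanged and has to be detected by other means.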
The first thing that stands out is the size of the stage 2 sample, which at 91.8 kb is quite large for a script of this type. While file size alone is not usually a reliable indicator of the number of features, it became evident that the range of features in ZeuS Panda is pretty extensive. Some of them are generic data-stealing mechanisms (a form grabber) that work on any website; other functions are target-specific.
For a length of time, our researchers also have had access to the control panel of ZeuS Panda. We were able to locate the URL of one of the control panels (see screenshot), which are usually only accessible to the attackers. The stolen data consists of the botID, stolen login data, the browser version and a couple of other data points.
The analysis is ongoing and we will post further results as they become available. For technical details, please head over to the blog of G DATA Advanced Analytics.
All G DATA customers are protected from the ZeuS Panda malware by a combination of G DATA’s BankGuard and other protective technologies.