As the 2016 Summer Olympic Games nears its opening its opening in Rio de Janeiro, Brazil, it seems that the host country can’t catch a break. Reports have already surfaced of toxic pollution in the water, disastrous damage to competition areas, and even a few deaths; and now another problem is being added to the mix—malware.
IBM X-Force Research, the security research arm of IBM, recently found that a Zeus Trojan variant called Panda, or Panda Banker, has made its way to Brazil. According to IBM, “10 local bank brands and multiple payment platforms” are the targets, which could add massive complications with the Olympics so imminent.
This trojan was originally hawked as the Zeus crimeware kit for years, but one of the first major hacks committed with it was the stealing of information from the US Department of Transportation in 2007. The source code for the Zeus trojan was released back in 2011.
Despite its early exploits, Zeus is primarily used to steal banking or financial information. Zeus accomplished this through a variety of means, most commonly man-in-the-browser keystroke logging and form grabbing. CryptoLocker ransomware can also be installed using Zeus.
Zeus Panda is an iteration of the Zeus v2 Trojan, which is built upon a foundation of the 2011 source code, IBM said. X-Force researchers believe it is sold in cybercrime-as-a-service packages to cybercriminals.
The first variants of Zeus Panda first showed up on IBM’s radar in the first quarter of 2016. Europe and North America, primarily the UK, Germany, the Netherlands, Poland, Canada, and the US, were the early targets, with attacks going after “online payments, prepaid cards, airline loyalty programs and online betting accounts,” among other things, IBM’s blog post on the trojan said.
As of July 2016, though, Zeus Panda is live in Brazil, and IBM believes it is linked to a local cybercrime faction. The version of Zeus Panda found in Brazil has a Brazil-focused configuration to steal Brazilian bank patrons’ account credentials, but it’s also going after Bitcoin exchange platforms, payment card services, and online payments providers, X-Force Research said. A Brazilian supermarket chain’s delivery arm is also being targeted.
While Zeus Panda operates relatively the same as other Zeus variants, IBM researchers have found that the Panda operators tend to favor account takeover, which is where “victim credentials are stolen and then used to initiate a transaction from another device. The victim is held online by deceptive pop-up windows that require one-time passwords and allow the attacker to complete a fraudulent transaction in real time.”
So, what should you look out for? According to IBM, the biggest attack vector so far is “poisoned Word documents with macros that activate the malware deployment on victims’ machines.” In addition, company email address with personal messages were also used.
In order to best protect oneself, IBM recommends that users always keep their OS and frequently used applications up to date, while deleting apps that they don’t use any more. Disable online ads and especially cautious of susceptible sites like “adult content, torrents and free gaming, to name a few.”
IBM also noted that most banking malware, like Panda, is delivered as an attachment. So, if you receive an email you weren’t expecting with an attachment, don’t click on it!
IBM noted two sample MD5 hashes for Zeus Panda:
The 3 big takeaways for TechRepublic readers
- IBM X-Force Research found that the Zeus Panda trojan has spread to Brazil, further complicating the problems the country is facing in light of the 2016 Summer Olympics.
- Panda is targeting 10 local Brazilian banks and their users, as well as Bitcoin exchanges and online payment providers.
- Poisoned Word documents are the biggest attack vector, but users should also update their OS and apps, and avoid suspicious email attachments to stay safe.