Select Page

Developers of Zeus Panda trojan managed to launch attack from Google search results

Zeus Panda virus follows the footsteps of Zeus Trojan’s activities since 2016. The start of the malicious campaign was simple. Malware spread via malicious emails and exploited security vulnerabilities. However, on November researchers reported that hackers stroke harder and poisoned particular Google search results.

Cisco Talos research team reported that malicious campaign was held in three main stages:

  • Compromisation of hundreds of legit business websites to rank at the top of Google results page.
  • Poisoning specific financial-related search keywords to reach a targeted audience.
  • Installation of macro-enabled Word document.

When users entered poisoned keywords to Google and clicked on an affected result, they were redirected to a compromised website. Criminals used specific redirection system to reroute targets to a site that downloads a malicious Word document.

Crooks used a popular social engineering technique to trick victims to enable macro commands in the downloaded Word document. Users, who did not suspect anything bad and agreed to do it, installed Panda banking trojan that is designed to steal financial, banking and other sensitive information.

Zeus Panda trojan changes targeted audience

Earlier the banking trojan was targeting Australia and UK banks mostly. Angler, Nuclear, and Neutrino exploit kits were distributing malicious spam emails that included malicious Word document. One of the campaigns included only downloaded malware payload.

Another malspam campaign spread a Word document that downloaded a malicious EXE file to exploit system vulnerabilities to install a trojan. Researcher report that this campaign was mostly used for attacking media and manufacturing companies.

However, the recent SEO attack seems to be targeted at Nordea Sweden, the State Bank of India, India’s Bank of Barodia and Axis Bank, the Commonwealth Bank of Australia, and Saudi Arabia’s Al Rajhi Bank. But malware did not attack these banks’ customers if their default computer’s language was Russian, Ukrainian, Belarusian or Kazakh.

The operation peculiarities after successful attack

As soon as banking trojan infiltrates the system, it connects networks and devices into a botnet. The malicious program also creates a new registry key to run on the computer automatically with the system boot. Following that, malware inserts malicious code into web browsers to steal financial data.

The malicious program mostly targets Google Chrome, Mozilla Firefox, Internet Explorer, and Microsoft Edge. Zeus Panda injects malicious HTML code into network traffic or a browser. These modifications allow editing content on the visited website and steal login details or money.

When users log in to the bank or social media account, Zeus Trojan steals credentials and sends them to a remote Command and Control servers. Further actions of the cyber criminals might vary. However, most of the time they want to empty victim’s banking account.