Easy Solutions Helps Bank Stop Banking Trojans in Their Tracks


Easy Solutions recently discovered new campaigns employing two notorious banking Trojans. The campaigns targeted a major financial institution and were designed to capture customer login credentials and second-factor authentication (2FA) codes. There is evidence that these attacks are spreading across the world, from the US to Latin America, Europe, and Asia.

The banking Trojans are known as Zeus Panda and Marcher. The former works by injecting a malicious JavaScript into the targeted bank’s login page. The injection is made from an infected customer’s laptop or desktop when they visit the login page, and enables the malware to harvest credentials, credit card details and other sensitive personal information – whatever the cybercriminal group is looking to steal.

The Zeus Panda malware injection that we found targeting one of our client banks was particularly potent due to its ability to capture 2FA in one of two ways, depending on whether it was a corporate or personal bank customer attempting to log in.

In the case of corporate customers whose computers were infected by Zeus Panda, the injected script would add an extra form field for the 2FA one-time password (OTP). The user would obtain their OTP, and if they entered it into the malicious field, it would be captured by the attackers along with their login credentials. Personal banking customers attempting to log in from infected computers, on the other hand, were directed by the malware to a bogus page that asked them to download a mobile application (the Marcher Trojan). If the user did so, the Marcher Trojan, posing as the bank’s legitimate mobile app, let the cybercriminals intercept the SMS-delivered authentication OTP.

According to our research, the attack campaign employed phishing and social engineering techniques to infect as many of the bank’s customers as possible, both corporate and personal. Those who fell for the ruse had no idea their PCs had been quietly infected. Zeus Panda silently lies in wait on an infected machine until the customer attempts to log in to the target bank’s login page and, when they do, it injects its malicious script, compromising what the user sees on what would otherwise be a legitimate webpage.

Figure: The malicious JavaScript, in purple, that was injected into the bank’s login page when an infected user attempted to log in.

The malware works by capturing all the personal information it needs to take total control of the victim’s online bank account. The trap set by the Zeus Panda Trojan was hard to spot, as all the form fields it displayed to the user appeared exactly as on the bank’s normal login page (save for the field requesting the OTP). When the victim entered their login details, the data was captured by the malware and sent to the cybercriminals’ command-and-control server instead of to the bank’s systems.

From Zeus Panda to Marcher

How the malware behaves from there depends on what kind of bank customer the compromised user is.

The 2FA process for corporate customers is more secure than that offered to personal customers, and the Trojan cannot intercept the OTP directly. To get around this, the malware simply asked for it: the corporate user, likely thinking nothing was amiss, entered the out-of-channel OTP they received into the malicious form field. When they did so, they were directed to a screen that stated: “Sorry, this page is currently unavailable.” This was a smokescreen designed to confuse the user, but not so much that they got suspicious and called the bank.

Figure: The page displayed after the Zeus Panda Trojan successfully harvested a corporate customer’s login credentials and OTP.

For personal customers who had been tricked into divulging their login credentials, a separate screen was displayed that directed them to download what appeared to be the “latest mobile security app” from the bank. The user, believing that their bank must have deployed a new security measure to keep them safe (without telling them), would likely follow through with the process.

They were directed to download the malicious application posing as a new security app, not from an official app store but from a link provided by the cybercriminal, and once they did so, the personal customer’s mobile device would be infected with the Marcher mobile banking Trojan.

With the Marcher Trojan in play, the cybercriminal was ready to capture the 2FA code provided by the bank; unbeknownst to the customer, the security measure had been circumvented. The hacker now had all he needed: he could visit the bank’s login page, enter the stolen personal customer credentials, and when the bank automatically sent that user an SMS-delivered OTP, the Marcher Trojan could forward it from the victim’s phone to the criminals’ systems. They could then steal the customer’s account funds at will.

Figure: Zeus Panda Trojan directing a personal banking customer to download “the latest security app” that is, in reality, the Marcher mobile banking Trojan.

How Easy Solutions Detected and Mitigated the Threats

Our Detect Safe Browsing (DSB) Clientless solution detected the presence of the malware injection on the transactional page when a customer whose device had been infected with the malware visited it. DSB then provided actionable evidence in the form of a screengrab, enabling the institution to take immediate action.

Meanwhile, the Easy Solutions Security Operations Center was made aware of the two Trojans’ presence and added them to our knowledge base to ensure that this type of attack could not be deployed again without being immediately detected.

Our mobile safe-browsing solution, DSB Mobile, protects all communications between the bank’s platform and the customer’s mobile phone, including SMS text messages, so that malicious apps like Marcher cannot capture user information or 2FA codes. DSB Mobile also safeguards against malicious apps that use other credential-stealing techniques, such as overlay attacks, keyloggers, or pharming.

Finally, bank customers who download and install DSB Client on their PCs are automatically protected thanks to the incorporation of the details of the attack from our knowledge base. DSB Client can effectively neutralize the effect of Zeus Panda and all other banking Trojans by cutting off the malware’s ability to communicate with the attackers’ command-and-control structure.

Easy Solutions has been tracking the evolution of the Zeus Panda Trojan, which gives us the ability to detect when cybercriminals attempt to develop or repackage the malware or its command-and-control servers, and when we do, we react accordingly. Doing so effectively neutralizes future attacks, so much so that it is no longer profitable for the hacker group to attempt to relaunch the attack.
A frustrated fraudster is a fraudster who gives up and moves on to a more vulnerable target.
