Easy Solutions recently discovered new campaigns employing two notorious banking Trojans. The campaigns were targeting a major financial institution, where they were deployed as part of an attack campaign to capture customer login credentials and second-factor authentication (2FA). There is evidence that these attacks are spreading across the world – from the US, to Latin America, to Europe, and to Asia.
The Zeus Panda malware injection that we found targeting one of our client banks was particularly potent due to its ability to capture 2FA in one of two ways, depending on whether it was a corporate or personal bank customer attempting to log in.
In the case of corporate customers whose computers were infected by Zeus Panda, the injected script would add an extra form field for the 2FA one-time password (OTP). The user would obtain their OTP, and if they entered it into the malicious field, it would be captured by the attackers—along with their login credentials. On the other hand, personal banking customers attempting to log in to their bank accounts from infected computers were directed by the malware to a bogus page where they were asked to download a mobile application (the Marcher Trojan). If the user did so, it would enable the cybercriminals to intercept the SMS-delivered authentication OTP sent to the Marcher Trojan posing as the bank’s legitimate mobile app.
According to our research, the attack campaign employed phishing and social engineering techniques to infect as many of the bank’s customers as possible, both corporate and personal. Those who fell for the ruse had no idea their PCs had been quietly infected. Zeus Panda silently lies in wait on an infected machine until the customer attempts to log in to the target bank’s login page and, when they do, it injects its malicious script, compromising what the user sees on what would otherwise be a legitimate webpage.
The malware works by capturing all the personal information it needs to take total control of the victim’s online bank account. The trap set by the Zeus Panda Trojan was hard to spot, as all the form fields it displayed to the user appeared exactly as on the bank’s normal login page (save for the field requesting the OTP). When the victim entered their login details, instead of that information being sent to the bank’s systems, the data was captured by the malware and sent to the cybercriminals’ command and control server.
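As an added illustration (not Easy Solutions’ code or DSB’s detection logic), the following Node script shows the kind of form-integrity check a bank’s page or a browser-side agent can run to spot a web inject of this type: it compares the input fields actually present on the login form against the known schema and raises an alert when an unexpected OTP-style field has been added. Field names and the sample form are constructed assumptions; in a browser the observed list would come from the DOM rather than a hard-coded array.

```javascript
// Added example: client-side form-integrity check for web-inject detection.
// In a browser, observedFields would be built from
// document.querySelectorAll('form input'); here it is a constructed array
// so the logic runs offline under Node.

// Expected schema of the genuine login form (hypothetical field names).
const EXPECTED_LOGIN_FIELDS = new Set(['username', 'password', 'csrf_token']);

// Field-name patterns typical of an OTP prompt added by an inject.
const OTP_NAME_PATTERN = /(otp|one.?time|token|sms.?code|2fa|tan)/i;

/**
 * Compare the fields observed on the page with the expected schema.
 * @param {Array<{name: string, type: string}>} observedFields
 * @param {Set<string>} expectedFields
 * @returns {{injected: string[], otpPrompt: boolean, missing: string[]}}
 */
function checkLoginForm(observedFields, expectedFields = EXPECTED_LOGIN_FIELDS) {
  const observedNames = new Set(observedFields.map((f) => f.name));
  // Any field not in the schema was added by something other than the bank.
  const injected = observedFields
    .filter((f) => !expectedFields.has(f.name))
    .map((f) => f.name);
  // Fields removed or renamed by the inject are also worth flagging.
  const missing = [...expectedFields].filter((n) => !observedNames.has(n));
  const otpPrompt = injected.some((n) => OTP_NAME_PATTERN.test(n));
  return { injected, otpPrompt, missing };
}

// Constructed sample: the genuine form plus one extra field of the kind
// the inject described above added for corporate customers.
const SAMPLE_FIELDS = [
  { name: 'username', type: 'text' },
  { name: 'password', type: 'password' },
  { name: 'csrf_token', type: 'hidden' },
  { name: 'otp_code', type: 'text' },
];

function demo() {
  const result = checkLoginForm(SAMPLE_FIELDS);
  if (result.otpPrompt) {
    console.log('ALERT: unexpected OTP field(s) on login page:', result.injected);
  }
  return result;
}

demo();
```

A real deployment would report the finding (with a page snapshot) to the institution rather than only logging it, which is the role the screengrab evidence plays in the account above.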
From Zeus Panda to Marcher
How the malware behaves from there depends on what kind of bank customer the compromised user is.
The 2FA process for corporate customers is more secure than that offered to personal customers, and the Trojan could not access the OTP on its own. To get around this, the malware simply asked for it, and the corporate user—likely thinking nothing was amiss—entered the out-of-channel OTP they received into the malicious form field. When they did so, they were directed to a screen that stated: “Sorry, this page is currently unavailable.” This was a smokescreen designed to confuse the user, but not so much that they got suspicious and called the bank.
For personal customers who had been tricked into divulging their login credentials, a separate screen was displayed that directed them to download what appeared to be the “latest mobile security app” from the bank. The user, believing that their bank must have deployed a new security measure to keep them safe (without telling them), would likely follow through with the process.
They were directed to download the malicious application posing as a new security app—not from an official app store, but from a link provided by the cybercriminal—and once they did so, the personal customer’s mobile device would be infected with the Marcher mobile banking Trojan.
With the Marcher Trojan in play, the cybercriminal was now ready to capture the 2FA provided by the bank, and unbeknownst to the customer, the security measure had been circumvented. The attacker now had everything needed to visit the bank’s login page, enter the stolen personal customer credentials, and, when the bank automatically sent that user an SMS-delivered OTP, have the Marcher Trojan redirect it from the victim’s phone to the criminals’ systems. They could then steal the customer’s account funds at will.
How Easy Solutions Detected and Mitigated the Threats
Our Detect Safe Browsing (DSB) Clientless solution detected the presence of the malware injection on the transactional page when a customer whose device had been infected with the malware visited it. DSB then provided actionable evidence in the form of a screengrab, enabling the institution to take immediate action.
Meanwhile, the Easy Solutions Security Operations Center was made aware of the two Trojans’ presence and added them to our knowledge base to ensure that attacks of this type could not be deployed again without being detected immediately.
Our mobile safe-browsing solution, DSB Mobile, protects all communications between the bank’s platform and the customer’s mobile phone, including SMS text messages, meaning that malicious apps like Marcher cannot capture user information or 2FA codes. Further, DSB Mobile also safeguards against malicious apps that use other credential-stealing techniques, such as overlay attacks, keyloggers, or pharming.
Finally, bank customers who download and install DSB Client on their PCs are automatically protected thanks to the incorporation of the details of the attack from our knowledge base. DSB Client can effectively neutralize the effect of Zeus Panda and all other banking Trojans by cutting off the malware’s ability to communicate with the attackers’ command-and-control structure.
Easy Solutions has been tracking the evolution of the Zeus Panda Trojan, giving us the ability to detect when cybercriminals attempt to develop or repackage the malware or its command-and-control servers—and when we do, we react accordingly. Doing so effectively neutralizes any future attacks, so much so that it is no longer profitable for the hacker group to attempt to relaunch the attack.
A frustrated fraudster is a fraudster who gives up and moves on to a more vulnerable target.