{
	"id": "644573ff-2aba-4d0f-9785-2505c702c375",
	"created_at": "2026-04-06T00:10:27.05119Z",
	"updated_at": "2026-04-10T13:11:48.53721Z",
	"deleted_at": null,
	"sha1_hash": "8a15439076e0939acf7dc567aa1f70f819a5f40a",
	"title": "Poisoning the Well: Banking Trojan Targets Google Search Results",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 4183864,
	"plain_text": "Poisoning the Well: Banking Trojan Targets Google Search Results\r\nBy Edmund Brumaghin\r\nPublished: 2017-11-02 · Archived: 2026-04-05 13:27:18 UTC\r\nSummary\r\nIt has become common for users to use Google to find information that they do not know. In a quick Google\r\nsearch you can find practically anything you need to know. Links returned by a Google search, however, are not\r\nguaranteed to be safe. In this situation, the threat actors decided to take advantage of this behavior by using Search\r\nEngine Optimization (SEO) to make their malicious links more prevalent in the search results, enabling them to\r\ntarget users with the Zeus Panda banking Trojan. By poisoning the search results for specific banking related\r\nkeywords, the attackers were able to effectively target specific users in a novel fashion.\r\nBy targeting primarily financial-related keyword searches and ensuring that their malicious results are displayed,\r\nthe attacker can attempt to maximize the conversion rate of their infections as they can be confident that infected\r\nusers will be regularly using various financial platforms and thus will enable the attacker to quickly obtain\r\ncredentials, banking and credit card information, etc. The overall configuration and operation of the infrastructure\r\nused to distribute this malware was interesting as it did not rely on distribution methods that Talos regularly sees\r\nbeing used for the distribution of malware. This is another example of how attackers regularly refine and change\r\ntheir techniques and illustrates why ongoing consumption of threat intelligence is essential for ensuring that\r\norganizations remain protected against new threats over time.\r\nInitial Attack Vector\r\nThe initial vector used to initiate this infection process does not appear to be email based. 
In this particular\r\ncampaign, the attacker(s) targeted specific sets of search keywords that are likely to be queried by potential targets\r\nusing search engines such as Google. By leveraging compromised web servers, the attacker was able to ensure\r\nthat their malicious results would be ranked highly within search engines, thus increasing the likelihood that they\r\nwould be clicked on by potential victims.\r\nIn one example, the attacker appeared to target the keyword search containing the following search query:\r\nIn most instances, the attacker was able to get their poisoned results displayed several times on Page 1 of the\r\nSearch Engine Results Page (SERP) for the keyword search being targeted, in this case \"al rajhi bank working\r\nhours in ramadan\". A sample of the malicious results returned by Google is included in the image below.\r\nhttp://blog.talosintelligence.com/2017/11/zeus-panda-campaign.html\r\nPage 1 of 18\n\nBy leveraging compromised business websites that have received ratings and reviews, the attacker could make the\r\nresults seem more legitimate to victims, as can be seen by the star/rating displayed alongside the results in the\r\nSERP.\r\nThe attacker targeted numerous keyword groups, with most being tailored towards banking or financial-related\r\ninformation that potential victims might search for. Additionally, certain geographic regions appear to be directly\r\ntargeted, with many of the keyword groups being specific to financial institutions in India as well as the Middle\r\nEast. Some examples of keyword searches being targeted by this campaign were:\r\n\"nordea sweden bank account number\"\r\n\"al rajhi bank working hours during ramadan\"\r\n\"how many digits in karur vysya bank account number\"\r\n\"free online books for bank clerk exam\"\r\n\"how to cancel a cheque commonwealth bank\"\r\n\"salary slip format in excel with formula free download\"\r\n\"bank of baroda account balance check\"\r\n\"bank guarantee format mt760\"\r\n\"free online books for bank clerk exam\"\r\n\"sbi bank recurring deposit form\"\r\n\"axis bank mobile banking download link\"\r\nAdditionally, in all of the cases Talos analyzed, the titles of the pages that functioned as the entry point into this\r\nmalware distribution system had various phrases appended to them. Using the \"intitle:\" search parameter, we were\r\nable to positively identify hundreds of malicious pages being used to perform the initial redirection that led\r\nvictims to the malicious payload. Some examples of these phrases are included below:\r\n\"found download to on a forum\"\r\n\"found global warez on a forum\"\r\n\"can you download free on the site\"\r\n\"found download on on site\"\r\n\"can download on a forum\"\r\n\"found global downloads on forum\"\r\n\"info site download to on forum\"\r\n\"your query download on site\"\r\n\"found download free on a forum\"\r\n\"can all downloads on site\"\r\n\"you can open downloads on\"\r\nWhen victims browse to the pages hosted on these compromised servers, they initiate a\r\nmulti-stage malware infection process, as detailed in the following section.\r\nIronically, we have observed the same redirection system and associated infrastructure used to direct victims to\r\ntech support and fake AV scams that display images informing victims that their systems are infected with Zeus\r\nand instructing them to contact the listed telephone number.\r\nInfection Process\r\nWhen the malicious web pages are accessed by victims, the compromised sites use JavaScript to redirect clients to\r\nJavaScript hosted on an intermediary site.\r\nThis results in the client retrieving and executing JavaScript located at the address specified by the\r\ndocument.write() method. The subsequent page includes similar functionality, this time resulting in an HTTP GET\r\nrequest to another page.\r\nThe intermediary server will then respond with an HTTP 302 which redirects clients to another compromised site\r\nwhich is actually being used to host a malicious Word document. As a result, the client will follow this redirection\r\nand download the malicious document. This technique is commonly referred to as \"302 cushioning\" and is\r\nfrequently employed by exploit kits.\r\nFollowing the redirect results in the download of a malicious Microsoft Word document.\r\nFollowing the download of the malicious Word document, the victim is prompted by their browser to Open or\r\nSave the file. When opened, the document displays the following message, prompting the victim to \"Enable\r\nEditing\" and click \"Enable Content\".\r\nFollowing these instructions will result in the execution of malicious macros that have been embedded in the Word\r\ndocument. It is these macros that are responsible for downloading and executing a PE32 executable, thus infecting\r\nthe system. The macro code itself is obfuscated, and quite basic. It simply downloads the malicious executable and\r\nsaves it into the %TEMP% directory on the system using a filename such as \"obodok.exe\".\r\nIn this case, the malicious executable was being hosted at the following URL:\r\nhXXp://settleware[.]com/blog/wp-content/themes/inove/templates/html/krang.wwt\r\nThe macros use the following PowerShell command to initiate this process:\r\nA review of DNS-related information associated with the domain hosting the malicious executable shows that\r\nthere were two significant spikes in the amount of DNS requests attempting to resolve the domain, occurring\r\nbetween 06/07/2017 and 06/08/2017.\r\nSettleware Secure Services, Inc. is a document e-Signing service that allows documents to be signed\r\nelectronically. It is used across a number of different processes, including Real Estate escrow e-Signing, and also\r\noffers eNotary services.\r\nMalware Operations\r\nThe malicious payload associated with the campaign appears to be a new version of Zeus Panda, a banking trojan\r\ndesigned to steal banking and other sensitive credentials for exfiltration by attackers. The payload that Talos\r\nanalyzed was a multi-stage payload, with the initial stage featuring several anti-analysis techniques designed to\r\nmake analysis more difficult and to prolong execution in order to avoid detection. It also featured several evasion\r\ntechniques designed to ensure that the malware would not execute properly in automated analysis environments,\r\nor sandboxes. The overall operation of the Zeus Panda banking trojan has been well documented; however, Talos\r\nwanted to provide additional information about the first stage packer used by the malware.\r\nThe malware will first query the system's keyboard mapping to determine the language used on the system. It will\r\nterminate execution if it detects any of the following keyboard mappings:\r\nLANG_RUSSIAN\r\nLANG_BELARUSIAN\r\nLANG_KAZAK\r\nLANG_UKRAINIAN\r\nThe malware also performs checks to determine whether it is running within the following hypervisor or sandbox\r\nenvironments:\r\nVMware\r\nVirtualPC\r\nVirtualBox\r\nParallels\r\nSandboxie\r\nWine\r\nSoftIce\r\nIt also checks for the existence of various tools and utilities that malware analysts often run when analyzing\r\nmalicious software. A full list of the different environment checks performed by the malware is below:\r\nIf any of the environmental checks are met, the malware then removes itself by first writing a batch file to the\r\n%TEMP% directory and executing it using the Windows Command Processor. The malware uses RDTSC to\r\ncalculate the time-based filename used to store the batch file. This batch file is responsible for deleting the original\r\nsample executable. Once the original executable has been deleted, the batch file itself is also removed from\r\n%TEMP%.\r\nIn an attempt to hinder analysis, the initial stage of the malicious payload features hundreds of valid API calls that\r\nare invoked with invalid parameters. It also leverages Structured Exception Handling (SEH) to patch its own code.\r\nIt queries and stores the current cursor position several times to detect activity and identify if it is being executed\r\nin a sandbox or automated analysis environment. An example of the use of valid API calls with invalid parameters\r\nis below, where the call to obtain the cursor location is valid, while the call to ScreenToClient contains invalid\r\nparameters.\r\nBelow is an example of a bogus call designed to mislead an analyst and increase the time and effort required to\r\nanalyze the malware. Often we see invalid opcodes used to confuse the disassembler, but in this case the result is that\r\nthe analyst is also confronted with hundreds of useless structures, making it more difficult to recognize the variables that matter.\r\nThe screenshot below shows the list of useless structures auto-populated by IDA. These measures are all\r\ndesigned to impede the analysis process and make it more expensive to identify what the malware is actually\r\ndesigned to do from a code execution flow perspective.\r\nPeriodically, we can find a valid and useful instruction. Below, the EAX register is stored in a variable to be reused\r\nlater in order to allocate a heap memory chunk in which its own unpacked code will run.\r\nThe malware also uses other techniques to make analysis significantly more difficult, such as creating hundreds of\r\ncase comparisons, which makes tracing code much harder.\r\nBelow is an example of several if-conditional statements in pseudo code demonstrating this process and how it\r\nimpedes the ability to efficiently trace the code.\r\nIn order to decrypt the malware code, it installs an exception handler, which is responsible for decrypting some\r\nmemory bytes so that execution can continue.\r\nBelow you can see the SEH has just been initialized:\r\nIn the same routine, it performs the decryption routine for the following code. We also observed that the high\r\nnumber of exception calls was causing some sandboxes to crash, which prevents automated analysis.\r\nOnce the data is decrypted and stored into the buffer that was previously allocated, it continues execution back in\r\nWinMain using a known mechanism, the callback routine feature of EnumDisplayMonitors, by setting the address\r\nof the callback routine to point at the patched memory.\r\nDuring this execution, the malware will then continue to patch itself and continue execution.\r\nThe strings are encrypted using XOR; however, each string uses a separate XOR key, which prevents an easy\r\ndetection mechanism. Below is some IDAPython code which can be used to decrypt the strings.\r\nimport idc\r\nfrom idc import *\r\nfrom idautils import XrefsTo\r\n\r\ndef decrypt(data, length, key):\r\n    # Each ciphertext byte is XORed with its index and with the bitwise NOT of the per-string key.\r\n    c = 0\r\n    o = ''\r\n    while c \u003c length:\r\n        o += chr((c ^ ord(data[c]) ^ ~key) \u0026 0xff)\r\n        c += 1\r\n    return o\r\n\r\ndef get_data(index):\r\n    # Each 8-byte table entry holds a WORD key, a WORD length and a DWORD pointer to the ciphertext.\r\n    base_encrypt = 0x1251A560\r\n    key = Word(base_encrypt + 8 * index)\r\n    length = Word(base_encrypt + 2 + 8 * index)\r\n    data = GetManyBytes(Dword(base_encrypt + 4 + 8 * index), length)\r\n    return key, length, data\r\n\r\ndef find_entry_index(addr):\r\n    # The table index is moved into ECX immediately before the call to the decryption routine.\r\n    addr = idc.PrevHead(addr)\r\n    if GetMnem(addr) == \"mov\" and \"ecx\" in GetOpnd(addr, 0):\r\n        return GetOperandValue(addr, 1)\r\n    return None\r\n\r\n# Walk every caller of the decryption routine and annotate it with the plaintext.\r\nfor addr in XrefsTo(0x1250EBD2, flags=0):\r\n    entry = find_entry_index(addr.frm)\r\n    if entry is None:\r\n        continue\r\n    try:\r\n        key, length, data = get_data(entry)\r\n        dec = decrypt(data, length, key)\r\n        print(\"Ref Addr: 0x%x | Decrypted: %s\" % (addr.frm, dec))\r\n        MakeComm(addr.frm, ' decrypt_string return :' + dec)\r\n    except Exception:\r\n        pass\r\nThis code adds a comment containing the decrypted string at each location that references it, where 0x1250EBD2 corresponds to the\r\ndecryption routine and 0x1251A560 corresponds to the table of encrypted strings.\r\nComments are inserted into the disassembly, making it much easier to understand the different features within the\r\nmalware.\r\nFor API calls, the malware also resolves the APIs it needs by name hash, computed with the following algorithm. Again, this is code\r\nwhich can be used within IDA in order to comment API calls.\r\ntable_xor_api = []\r\n\r\ndef build_xor_api_name_table():\r\n    # Builds the 256-entry lookup table for the reflected CRC-32 polynomial 0xEDB88320.\r\n    global table_xor_api\r\n    if not table_xor_api:\r\n        table_xor_api = []\r\n        entries = 0\r\n        while entries \u003c 256:\r\n            copy_index = entries\r\n            bits = 8\r\n            while bits:\r\n                if copy_index \u0026 1:\r\n                    copy_index = (copy_index \u003e\u003e 1) ^ 0xEDB88320\r\n                else:\r\n                    copy_index \u003e\u003e= 1\r\n                bits -= 1\r\n            table_xor_api.append(copy_index)\r\n            entries += 1\r\n    return table_xor_api\r\n\r\ndef compute_hash(inString):\r\n    # Standard table-driven CRC-32 over the API name: init 0xFFFFFFFF, final inversion.\r\n    global table_xor_api\r\n    if not table_xor_api:\r\n        build_xor_api_name_table()\r\n    if inString is None:\r\n        return 0\r\n    ecx = 0xFFFFFFFF\r\n    for i in inString:\r\n        eax = ord(i)\r\n        eax = eax ^ ecx\r\n        ecx = ecx \u003e\u003e 8\r\n        eax = eax \u0026 0xff\r\n        ecx = ecx ^ table_xor_api[eax]\r\n    ecx = ~ecx \u0026 0xFFFFFFFF\r\n    return ecx\r\nThe malware uses a generic function which takes the following arguments:\r\nThe DWORD which corresponds to the module.\r\nAn index entry corresponding to the table of encrypted strings for modules (if not loaded).\r\nThe hash of the API itself.\r\nThe index at which to store the API call address.\r\nBelow is example pseudo code showing how the API call is performed, in this case to look up a process in\r\nmemory using the snapshot list.\r\nOnce the malware begins its full execution, it copies an executable to the following folder location:\r\nC:\\Users\\\u003cUsername\u003e\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\\r\nIt maintains persistence by creating the following registry entry:\r\nHKEY_USERS\\\u003cSID\u003e\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\extensions.exe\r\nIt sets the data value for this registry entry to the path/filename that was created by the malware. An example of\r\nthe data value is below:\r\n\"C:\\Users\\\u003cUsername\u003e\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\extensions\r\nIn this particular case, the file that was dropped into the infected user's profile was named \"extensions.exe\";\r\nhowever, Talos has observed several different file names being used when the executable is created.\r\nAdditional information about the operation of the Zeus Panda banking trojan once it has been unpacked has been\r\npublished here.\r\nConclusion\r\nAttackers are constantly trying to find new ways to entice users to run malware that can be used to infect the\r\nvictim's computer with various payloads. Spam, malvertising, and watering hole attacks are commonly used to\r\ntarget users. Talos uncovered an entire framework that is using \"SERP poisoning\" to target unsuspecting users and\r\ndistribute the Zeus Panda banking trojan. In this case, the attackers are taking specific keyword searches and\r\nensuring that their malicious results are displayed high in the results returned by search engines.\r\nThe threat landscape is constantly evolving and threat actors are continually looking for new attack vectors to\r\ntarget their victims. Having a sound, layered, defense-in-depth strategy in place will help ensure that organizations\r\ncan respond to the constantly changing threat landscape. Users, however, must also remain vigilant and think\r\ntwice before clicking a link, opening an attachment, or even blindly trusting the results of a Google search.\r\nCoverage\r\nAdditional ways our customers can detect and block this threat are listed below.\r\nAdvanced Malware Protection (AMP) is ideally suited to prevent the execution of the malware used by these\r\nthreat actors.\r\nCWS or WSA web scanning prevents access to malicious websites and detects malware used in these attacks.\r\nNetwork Security appliances such as NGFW, NGIPS, and Meraki MX can detect malicious activity associated\r\nwith this threat.\r\nAMP Threat Grid helps identify malicious binaries and build protection into all Cisco Security products.\r\nUmbrella, our secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs, and URLs,\r\nwhether users are on or off the corporate network.\r\nOpen Source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack\r\navailable for purchase on Snort.org.\r\nIOCs\r\nThe following Indicators of Compromise have been identified as being associated with this malware campaign.\r\nNote that some of the domains performing the initial redirection have been cleaned; however, we are including\r\nthem in the IOC list to allow organizations to determine if they have been impacted by this campaign.\r\nDomains Distributing Maldocs:\r\nmikemuder[.]com\r\nIPs Distributing Maldocs:\r\n67.195.61[.]46\r\nDomains:\r\nacountaxrioja[.]es\r\nalpha[.]gtpo-cms[.]co[.]uk\r\narte-corp[.]jp\r\nbellasweetboutique[.]com\r\nbilling[.]logohelp[.]com\r\nbirsan[.]com[.]tr\r\nbitumast[.]com\r\nbleed101[.]com\r\nblindspotgallery[.]co[.]uk\r\nblog[.]mitrampolin[.]com\r\ncalthacompany[.]com\r\ncannonvalley[.]co[.]za\r\ncoinsdealer[.]pl\r\ncorvettescruisingalveston[.]com\r\ncraigchristian[.]com\r\ndentopia[.]com[.]tr\r\ndgbeauty[.]net\r\ndressfortheday[.]com\r\nevoluzionhealth[.]com\r\ngemasach[.]com\r\njapan-recruit[.]net\r\njaegar[.]jp\r\nmichaelleeclayton[.]com\r\nwww[.]academiaarena[.]com\r\nwww[.]bethyen[.]com\r\nwww[.]bioinbox[.]ro\r\nwww[.]distinctivecarpet.com\r\nwww[.]helgaleitner[.]at\r\nwww[.]gullsmedofstad[.]no\r\nusedtextilemachinerylive[.]com\r\ngaragecodes[.]com\r\nastrodestino[.]com[.]br\r\nIntermediary Redirect Domains:\r\ndverioptomtut[.]ru\r\nWord Doc Filenames:\r\nnordea-sweden-bank-account-number.doc\r\nal-rajhi-bank-working-hours-during-ramadan.doc\r\nhow-many-digits-in-karur-vysya-bank-account-number.doc\r\nfree-online-books-for-bank-clerk-exam.doc\r\nhow-to-cancel-a-cheque-commonwealth-bank.doc\r\nsalary-slip-format-in-excel-with-formula-free-download.doc\r\nbank-of-baroda-account-balance-check.doc\r\nbank-guarantee-format-mt760.doc\r\nincoming-wire-transfer-td-bank.doc\r\nfree-online-books-for-bank-clerk-exam.doc\r\nsbi-bank-recurring-deposit-form.doc\r\nWord Doc Hashes:\r\n713190f0433ae9180aea272957d80b2b408ef479d2d022f0c561297dafcfaec2 (SHA256)\r\nPE32 Distribution URLs:\r\nsettleware[.]com/blog/wp-content/themes/inove/templates/html/krang.wwt\r\nPE32 Hashes:\r\n59b11483cb6ac4ea298d9caecf54c4168ef637f2f3d8c893941c8bea77c67868 (SHA256)\r\n5f4c8191caea525a6fe2dddce21e24157f8c131f0ec310995098701f24fa6867 (SHA256)\r\n29f1b6b996f13455d77b4657499daee2f70058dc29e18fa4832ad8401865301a (SHA256)\r\n0b4d6e2f00880a9e0235535bdda7220ca638190b06edd6b2b1cba05eb3ac6a92 (SHA256)\r\nC2 Domains:\r\nhppavag0ab9raaz[.]club\r\nhavagab9raaz[.]club\r\nC2 IP Addresses:\r\n82.146.59[.]228\r\nSource: http://blog.talosintelligence.com/2017/11/zeus-panda-campaign.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"http://blog.talosintelligence.com/2017/11/zeus-panda-campaign.html"
	],
	"report_names": [
		"zeus-panda-campaign.html"
	],
	"threat_actors": [
		{
			"id": "aa73cd6a-868c-4ae4-a5b2-7cb2c5ad1e9d",
			"created_at": "2022-10-25T16:07:24.139848Z",
			"updated_at": "2026-04-10T02:00:04.878798Z",
			"deleted_at": null,
			"main_name": "Safe",
			"aliases": [],
			"source_name": "ETDA:Safe",
			"tools": [
				"DebugView",
				"LZ77",
				"OpenDoc",
				"SafeDisk",
				"TypeConfig",
				"UPXShell",
				"UsbDoc",
				"UsbExe"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434227,
	"ts_updated_at": 1775826708,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/8a15439076e0939acf7dc567aa1f70f819a5f40a.pdf",
		"text": "https://archive.orkl.eu/8a15439076e0939acf7dc567aa1f70f819a5f40a.txt",
		"img": "https://archive.orkl.eu/8a15439076e0939acf7dc567aa1f70f819a5f40a.jpg"
	}
}