# Panda Malware Broadens Targets to Cryptocurrency Exchanges and Social Media **f5.com/labs/articles/threat-intelligence/malware/panda-malware-broadens-targets-to-cryptocurrency-exchanges-and-** social-media byline May 9, 2018 Seven years after it first appeared, the Zeus banking trojan is still active through its latest spin-off: Panda. Panda, first discovered in early 2016 by Fox IT and later analyzed by Proofpoint, 1 spreads through phishing attacks and targets Windows operating systems (OS). Its main attack techniques include web injects, screen shots of user activity (up to 100 per mouse click), logging of keyboard input, Clipboard pastes (to grab passwords and paste them into form fields), and exploits to the Virtual Network Computing (VNC) desktop sharing system. All of these attack methods are supported by ATSEngine,2 [which Ramnit, another](https://f5.com/labs/articles/threat-intelligence/malware/ramnit-goes-on-a-holiday-shopping-spree-targeting-retailers-and-banks) prolific banking trojan, also used in its 2017 holiday campaign. Panda is primarily focused on financial services organizations, but it is expanding its industry targets with each new campaign. Panda was heavily focused on cryptocurrency sites in February. Panda is currently targeting Facebook and Twitter in all three campaigns active in May. There are different C&Cs for each campaign, three of which are connected through a known threat actor network in Russia, the fourth is hosted in China. We analyzed four campaigns that were active between February and May of 2018. The three May campaigns are still active at the time of this writing. Two of the four campaigns are acting from the same botnet version but have different targets and different command and ----- control (C&C) servers. Panda is still primarily focused on targeting global financial services, but following the worldwide cryptocurrency hype, it has expanded its targets to online cryptocurrency exchanges and brokerage services. Social media, search, email, and adult sites are also being targeted by Panda. Figure 1: Panda campaign targets by industry _Figure 1: Panda campaign targets by industry_ The campaigns that targeted Italian, US, and Canadian financial organizations were the same ones that targeted cryptocurrency sites. The campaign that focused on Japanese financial organizations had the broadest set of industry targets. Across all campaigns in May, the same social media, search, email, ecommerce, and tech providers were targeted. ----- Figure 2: Panda industry targets by campaign _Figure 2: Panda industry targets by campaign_ Adult sites were also targeted by Panda in May. We have been seeing an expansion of banking trojan targets into other industries that collect payment information and other forms of personally identifiable information (PII), so this behavior is not surprising given the size of the adult industry and potential revenue generation for fraudsters. ## February Campaign - Botnet “Onore2” Targets Italian Financial Services and Cryptocurrency Sites Equally The Panda configuration we analyzed from February was marked as botnet “onore2.” This campaign leverage the same attack techniques as previously described, and it is able to keylog popular web browsers and VNC in order to hijack user interaction session and steal personal information. ----- Figure 3: Italian campaign, botnet Onore2 dynamic configuration _Figure 3: Italian campaign, botnet Onore2 dynamic configuration_ The Onore2 campaign targeted two industries: financial services and cryptocurrency sites. The majority of the targets were financial services sites in Italy at 51%, followed closely by cryptocurrency targets used worldwide at 49%. ----- Figure 4: The February Panda Onore2 campaign targeted Italian financial services and cryptocurrency sites _Figure 4: The February Panda Onore2 campaign targeted Italian financial services and_ _cryptocurrency sites_ The cryptocurrency sites Panda focused on in February were primarily targeted through screenshots versus the typical web inject. We assume this was to document and spy on user interaction at cryptocurrency accounts, side by side to the web injection list. The list of cryptocurrency sites targeted includes but is not limited to: Anycoindirect.eu Btcc.com Bitstamp.net Bethumb.com Bitpanda Bitbey.net Bity.com Blockchain.info Cex.io Coinbase.com Coinsbank.com Cryptocompare.com ----- Exmo.com Gatecoin.com Gdax.com Hitbtc.com Holytransaction.com Kraken.com Litebit.eu Livecoin.net Localbitcoins.com Minergate.com Okcoin.com Slushpool.com The financial services sites included in the Onore2 campaign were targeted through webinjects and socks. They included but were not limited to: Allianzbank.it Bcc.it Bnl.it Bancacrfirenze.it Bancagenerali.it Bankingforyou.it Carifvg.it Caript.it Cedacri.it Credem.it Csebo.it Icb.mps.it Inbank.it Poste.it Relaxbanking.it Tecmarket.it **Command and Control (C&C) Servers** The C&C server for this campaign is: hxxps://0a109ec2ab47[.]com/. Note the use of HTTPS for the malware phoning home through encryption to hide its exploits from traditional intrusion inspection controls. ----- Figure 5: Italian campaign C&C Whois _Figure 5: Italian campaign C&C Whois_ The domain is registered through Namesilo.com to a registrant with a fake address in the US, and an email contact at minex-coin.com. Minex-coin is also registered with Namesilo.com, but the Whois is privacy protected. The name servers are in Russia: samara.ens.mail.ru under a provider (ASN 47764) that comes up often in F5 Labs’ threat research. ## May Campaign - Botnet “2.6.8” Targets US Financials The latest sample analyzed from May 1, 2018 was marked as botnet “2.6.8”. Comparing this botnet configuration to the Onore2 campaign and the other 2.6.8 campaign targeting Japanese financials (see next section), it has a different C&C address, and a “keylog_process.” Instead of adding the Internet browsers, “putty.exe” was added. ----- Figure 6: US campaign “2.6.8” dynamic configuration _Figure 6: US campaign “2.6.8” dynamic configuration_ This is not the first time Panda has targeted US-based financial organizations. This campaign had targets in 8 industries, 76% of which were US financial organizations. This campaign also targeted half a dozen Canadian financial organizations, followed by cryptocurrency sites, global social media providers, search and email providers, payroll, entertainment, and tech providers. ----- Figure 7: May Panda campaign “2.6.8” targets US and Canadian financial services, social media, search and email providers, cryptocurrency sites, and payroll sites _Figure 7: May Panda campaign “2.6.8” targets US and Canadian financial services, social_ _media, search and email providers, cryptocurrency sites, and payroll sites_ Panda is hitting the typical large financial targets in the US, such as: Adp.com Bankofamerica.com Citi.com Paychex.com Wellsfargo.com The Canadian financial organizations targeted are: bmo.com desjardins.com royalbank.com scotiabank.com The cryptocurrency sites targeted are: Blockchain.info bbt.com ----- This campaign is also targeting major social media platforms like Facebook and Instagram, as well as messaging apps like Skype, and entertainment platforms like Youtube. Additionally, Panda is targeting Microsoft.com, bing.com, and msn.com. **C&C Server** The C&C server for this campaign is: hxxps://adshiepkhach[.]top/. Note the use of HTTPS again to hide from traditional intrusion inspection controls. The registrant is in Russia. The domain for the email contact is bk.ru, which is owned by the same ASN 47764 that continually comes up in our threat research. Figure 8: US Campaign C&C Whois ----- _Figure 8: US Campaign C&C Whois_ ## May Campaign - Botnet “2.6.8” Also Targets Japanese Financials This sample was also analyzed from May 1, 2018 and was also marked as botnet “2.6.8”. Comparing the two botnet configurations, there is an interesting change: when Zeus.Panda is targeting Japan, the authors removed the Content Security Policy (CSP) headers: remove_csp - 1 : The CSP header is a security standard for preventing cross-site scripting (XSS), clickjacking and other code injection attacks that could execute malicious code from an otherwise trusted site.3 Figure 09: Japan campaign ”2.6.8” dynamic configuration _Figure 9: Japan campaign ”2.6.8” dynamic configuration_ In parallel with the US targeted campaign, this Panda campaign is targeting the following Japanese financial services organizations, most of which are credit card providers: saisoncard.co.jp idemitsucard.com mufg jp ----- aeon.co.jp lifecard.co.jp pocketcard.co.jp cedyna.co.jp eposcard.co.jp orico.co.jp rakuten*.co.jp smbc-card.com This campaign also targets the ecommerce giant Amazon; entertainment platform Youtube; Microsoft.com, Live.com, Yahoo.com, Google.com, likely targeting email accounts; the social media leaders Facebook and Twitter; as well as a Japanese adult site Dmm.co, and Pornhub. Figure 10: May Panda “2.6.8” campaign targets Japanese financial services, search and email providers, social media, and adult sites _Figure 10: May Panda “2.6.8” campaign targets Japanese financial services, search and_ _email providers, social media, and adult sites_ **C&C Server** The C&C server for this campaign is: hxxps://antrefurniture[.]top/. Again, note the use of HTTPS to hide activity from traditional intrusion inspection controls. It’s also a .top top-level domain (TLD) like the US campaign. Spamhaus.org says 40% of .top TLDs are used for abusive purposes.[4] ----- The registrant is also in Russia, and the domain for the email contact is bk.ru like the US campaign, which again is owned by ASN 47764 that continually comes up in F5 Labs’ threat research. Figure 11: Japan campaign C&C Whois _Figure 11: Japan campaign C&C Whois_ ## May Campaign - Botnet “Cosmos3” Targets Latin America Financial Services The third parallel attack campaign, marked as botnet “cosmos3,” is currently active and targeting financial institutions in Latin America. ----- Figure 12: LATAM campaign “Cosmos3” dynamic configuration _Figure 12: LATAM campaign “Cosmos3” dynamic configuration_ This campaign primarily focused on banks in Argentina, Columbia, and Ecuador, followed by the same social media (Facebook, Twitter, Instagram, Flickr), search, email (MSN, Bing), entertainment (YouTube) and tech provider (Microsoft) targets as the other campaigns. ----- Figure 13: May Panda "Cosmos3" campaign targets LATAM financial services, social media, search, email, and tech providers _Figure 13: May Panda "Cosmos3" campaign targets LATAM financial services, social media,_ _search, email, and tech providers_ The Latin American targets in this campaign are: avvillas.com.co bbvanet.com.co bancodebogota.com bancocredicoop.coop bancopatagonia.com.ar banco.colpatria.com.co davivienda.com pichincha.com santanderrio.com.ar transaccionesbancolombia.com **C&C Server** The C&C server for this campaign is: hxxps:// cotrus[.]co/. Note the use of HTTPS again to hide from traditional intrusion inspection controls. ----- The domain is registered in China. The email registrant domain GMZ.com resolves to the German service provider 1&1. Figure 14: LATAM campaign C&C Whois _Figure 14: LATAM campaign C&C Whois_ ## QA in Production Tests ----- Continual maintenance is required to keep the fraud operations going and making money. Like any business, this involves testing, and sometimes testing in production like we saw in this campaign where the threat actors were infecting computers with different versions of the configuration. This testing in production was against campaign 2.6.1 and had minor changes from the Onore2 campaign: “onore2” botnet was configured to grab cookies and cache “2.6.1” was marked to delete cookies and cache Grabber pause was marked 2, which is the indication on how long panda grabber will wait before starting the actual module. Grabber flags: Grab_del_cookie - 0 Grab_del_cache - 0 Figure 15: QA Test “2.6.1” dynamic configuration _Figure 15: QA Test “2.6.1” dynamic configuration_ ----- To make sure the injection was working correctly, the Panda authors tested against an Australian domain. Once the URL was detected, it sent an injection JS alert “Page Injected!” Figure 16: QA Injection alert, “Page Injected!” _Figure 16: QA Injection alert, “Page Injected!”_ ## Conclusion Panda’s expansion beyond traditional banking targets is following the trend we noticed during the 2017 holiday season.5 This is the first campaign we have seen targeting cryptocurrency sites, but it’s a move that makes sense, given the popularity of cryptocurrency. This act of simultaneous campaigns targeting several regions around the world and industries indicates these are highly active threat actors, and we expect their efforts to continue with multiple new campaigns coming out as their current efforts are discovered and taken down. We will continue to look for patterns by monitoring this activity and the networks and services from which they are choosing to launch their activities. In the meantime, we highly recommend all businesses maintain up-to-date patches on endpoints and ensure AV controls are continuously updated so their systems don’t get infected with this malware. To protect your business from infected consumers that cause costly fraud investigations, monetary returns, and so on, we recommend instituting advanced web fraud protections because this customized security control is not just for banks anymore! ## Indicators of Compromise MD5 Italy and cryptocurrencies targets — e9d881b40d94a541b11fad44f1efbb7c USA — 35a7e666942eb0c70e73d5dc502a97d2 Japan — 3b78b983ed00cfa580c0b1c9beda4ca2 Latin America — 8822dc8e66b51344b623c6cd29a91db1 QA in production — 5d4c4668567b0b3321b0125779bdb3ae C&C servers Italy: hxxps://0a109ec2ab47[.]com US: hxxps://adshiepkhach[.]top Japan: hxxps://antrefurniture[.]top ----- Latin America: hxxps://cotrus[.]co -----