Panda Malware Threatens Cryptocurrency

A series of active campaigns observed by tech company F5 Labs revealed that threat actors have widened the reach of the Panda Banker malware and are now actively targeting websites outside the banking industry, particularly those of online cryptocurrency exchanges and brokerage services.

Earliest encounters of the Panda Banker malware was recorded in 2016 as one of the spin-offs of the Zeus banking trojan. The malware then became a staple banking malware that harvests and uses credentials for online banking and payment.

The Panda Banker malware is also known for its wide range of attack techniques including:

• setting up web injects
• taking up to 100 screenshots of user activity in just one click
• structuring logging of keyboard input
• grabbing passwords and pasting them into form field
• exploiting the Virtual Network Computing (VNC) desktop sharing system

Financial institutions are the main victims of the Panda malware; but due to the global rise to prominence of cryptocurrency, it became a quintessential prospect for online attackers as well. Other industries being targeted are social media (Facebook, Instagram), messaging applications (Skype), entertainment platforms (Youtube), search and email providers and adult film sites.

“This campaign had targets in 8 industries, 76% of which were US financial organizations.” explained F5 researcher Doron Voolf. “This campaign also targeted half a dozen Canadian financial organizations, followed by cryptocurrency sites, global social media providers, search and email providers, payroll, entertainment, and tech providers.”

In February 2018, the malware-infected cryptocurrency sites were targeted through screengrabs which is uncommon as web inject is the most typically used method by online attackers. The researchers subsequently link this as a way of threat actors to document and spy on user interaction at their cryptocurrency accounts. Some of the cryptocurrency sites reported to be infected are:

• Bitpanda
• Coinbase.com
• Coinsbank.com
• Gatecoin.com
• Livecoin.net
• Slushpool.com

“The campaigns that targeted Italian, US, and Canadian financial organizations were the same ones that targeted cryptocurrency sites.” added Voolf. “Across all campaigns in May, the same social media, search, email, ecommerce, and tech providers were targeted.”

Given its current popularity, cryptocurrency sites being a new target for Panda malware attacks is a foreseeable movement for threat actors. As the number of simultaneous active campaigns continues to intensifies, expect threat actors to exert extensive efforts to propagate new comprehensive campaigns targeting several regions around the globe and in diversified industries, particularly now that their current efforts have been consistently discovered and taken down.

“We will continue to look for patterns by monitoring this activity and the networks and services from which they are choosing to launch their activities. In the meantime, we highly recommend all businesses maintain up-to-date patches on endpoints and ensure AV controls are continuously updated so their systems don’t get infected with this malware.” Voolf noted. “To protect your business from infected consumers that cause costly fraud investigations, monetary returns, and so on, we recommend instituting advanced web fraud protections because this customized security control is not just for banks anymore.”