Hackers distributing the Zeus Panda banking trojan have hit upon a new tactic that combines search-engine-optimised (SEO) keywords with compromised web servers and websites to ensnare their victims.
Cisco Talos researchers Edmund Brumaghin, Earl Carter and Emmanuel Tacheau detailed the scheme, which takes advantage of the fact that so many people simply ask Google for the answer to every question that pops up in their daily lives. Criminals have figured out how to weaponise even innocuous queries like "how many digits in karur vysya bank account number".
The scheme takes more effort to set up, but it does not rely on phishing emails or zero-day exploits for distribution; instead the victims come and find the malware themselves through Google and other search engines.
“The threat landscape is constantly evolving and threat actors are continually looking for new attack vectors to target their victims. Having a sound, layered, defence-in-depth strategy in place will help ensure that organisations can respond to the constantly changing threat landscape,” the researchers wrote.
Chris Olson, CEO of The Media Trust, told SC Media that in this case the bad guys managed to find a way around all the traditional defences in place.
"As this scenario highlights, the ability to compromise a legitimate enterprise is easier than most people realise. Unless websites are continuously monitored to detect anomalous code, these compromises will continue to happen."
In the scenario detailed by Talos, the attackers first built a list of banking-related search phrases, each optimised for the queries an average person might type, particularly in the main targeted regions of India and the Middle East.
The next step uses compromised web servers to make sure pages carrying those phrases rank near the top of the results, so that they are the ones chosen and clicked. The final ingredient is the compromise of highly rated and well-reviewed business websites, which serve as the actual bait to be clicked on by the target.
Once the "web" is set, the attackers wait for victims to arrive.
When one of the poisoned links is clicked, the victim is taken to an intermediary server, which issues an HTTP 302 redirect to the primary malicious site. There the victim is presented with a malicious Word document: they are asked to download it, open it and click Enable Editing, which triggers the macro embedded in the document and ultimately drops Zeus Panda.
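The chain above (search-engine referer, a 302 hop to a different host, then a Word document served from that host) leaves a recognisable footprint in web-proxy logs. The following is an added detection example written for this article, not code from Talos or from SC Media; the log format, hostnames and the 120-second correlation window are assumptions, and the log lines are constructed for the example rather than captured traffic.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Constructed proxy log (not real traffic). Assumed space-separated fields:
# timestamp client method url status content_type referer location ("-" when absent)
SAMPLE_LOG = """\
2017-11-03T10:12:01Z 10.0.0.5 GET http://hotel-reviews.example/bank-account-digits.html 200 text/html https://www.google.co.in/search?q=how+many+digits -
2017-11-03T10:12:02Z 10.0.0.5 GET http://relay.example/go?id=17 302 text/html http://hotel-reviews.example/bank-account-digits.html http://docs-host.example/account_info.doc
2017-11-03T10:12:04Z 10.0.0.5 GET http://docs-host.example/account_info.doc 200 application/msword http://relay.example/go?id=17 -
2017-11-03T10:15:30Z 10.0.0.9 GET http://news.example/article 200 text/html https://www.bing.com/search?q=news -
2017-11-03T10:15:31Z 10.0.0.9 GET http://cdn.example/report.pdf 200 application/pdf http://news.example/article -
2017-11-03T11:40:00Z 10.0.0.12 GET http://shop.example/item 302 text/html - http://shop.example/item/
"""

SEARCH_ENGINE_LABELS = {"google", "bing", "yahoo", "duckduckgo"}
WORD_TYPES = {
    "application/msword",
    "application/vnd.openxmlformats-officedocument.wordprocessingml.document",
    "application/vnd.ms-word.document.macroenabled.12",
}
WORD_EXTS = (".doc", ".docm", ".docx")
WINDOW = timedelta(seconds=120)  # assumed: whole chain completes within two minutes


def parse_line(line):
    ts, client, method, url, status, ctype, referer, location = line.split()
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "client": client, "method": method, "url": url,
        "status": int(status), "ctype": ctype.lower(),
        "referer": None if referer == "-" else referer,
        "location": None if location == "-" else location,
    }


def host(url):
    return (urlparse(url).hostname or "").lower()


def from_search_engine(ev):
    # Any DNS label matching a search engine name covers country TLDs (google.co.in etc.).
    return ev["referer"] is not None and bool(
        SEARCH_ENGINE_LABELS & set(host(ev["referer"]).split(".")))


def is_word_download(ev):
    path = urlparse(ev["url"]).path.lower()
    return ev["status"] == 200 and (ev["ctype"] in WORD_TYPES or path.endswith(WORD_EXTS))


def _chain_for_seed(events, i):
    """From a search-engine-referred hit, look for 302 -> other host -> Word document."""
    seed = events[i]
    deadline = seed["ts"] + WINDOW
    for j in range(i + 1, len(events)):
        hop = events[j]
        if hop["ts"] > deadline:
            return None
        if hop["status"] != 302 or not hop["location"]:
            continue
        target = host(hop["location"])
        if not target or target == host(hop["url"]):
            continue  # same-host redirects (trailing slash, canonical URL) are normal
        for k in range(j + 1, len(events)):
            dl = events[k]
            if dl["ts"] > deadline:
                break
            if host(dl["url"]) == target and is_word_download(dl):
                return {"client": seed["client"], "search_result": seed["url"],
                        "redirector": hop["url"], "document": dl["url"]}
    return None


def find_seo_poison_chains(log_text):
    by_client = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            ev = parse_line(line)
            by_client[ev["client"]].append(ev)
    hits = []
    for events in by_client.values():
        events.sort(key=lambda e: e["ts"])
        for i, ev in enumerate(events):
            if from_search_engine(ev):
                chain = _chain_for_seed(events, i)
                if chain:
                    hits.append(chain)
    return hits


if __name__ == "__main__":
    for hit in find_seo_poison_chains(SAMPLE_LOG):
        print(hit)
```

Only the first client trips the rule: the second is a benign search-referred PDF download with no off-host 302, and the third is a same-host redirect. One practical caveat: the rule needs the 302 `Location` target in the log, which many proxies do not record by default, so enable that field (or correlate by time alone) before relying on this.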
Before the malware goes to work it checks the host's language and aborts if it is Russian, Belarusian, Kazakh or Ukrainian, strongly suggesting the attackers are based in a Russian-speaking country. It also looks for malware analysis tools and for the following hypervisor or sandbox environments: VMware, VirtualPC, VirtualBox, Parallels, Sandboxie, Wine and SoftIce.
If these checks pass, Zeus Panda goes to work stealing banking and other sensitive credentials; if not, the malware removes itself.
Defending against this attack requires not only vigilance by companies to make sure their sites and servers are not compromised, but also that consumers pay attention to what they are clicking on and do not enable macros or open unknown attachments.
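For an analyst the practical consequence of these checks is that a sandbox with a Russian-language Windows install, or one that leaves hypervisor and sandbox artefacts visible, will never see the payload run. The example below, added for this article and not the trojan's own code, emulates the decision over a host profile so the checks can be reasoned about offline. The article names the environments but not how the sample recognises them; the process, module, device and export names used here are commonly documented indicators for those products and are assumptions, as are the sample profiles.

```python
from dataclasses import dataclass, field

# Languages on which the trojan aborts, per the article (primary language subtags).
ABORT_LANGUAGES = {"ru": "Russian", "be": "Belarusian", "kk": "Kazakh", "uk": "Ukrainian"}

# Assumed, commonly documented artefacts of the environments the article names.
# The article does not describe the sample's own detection method.
PROCESS_INDICATORS = {
    "vmtoolsd.exe": "VMware", "vmwaretray.exe": "VMware",
    "vboxservice.exe": "VirtualBox", "vboxtray.exe": "VirtualBox",
    "vmsrvc.exe": "VirtualPC", "vmusrvc.exe": "VirtualPC",
    "prl_tools.exe": "Parallels", "prl_cc.exe": "Parallels",
}
MODULE_INDICATORS = {"sbiedll.dll": "Sandboxie"}          # Sandboxie injects this DLL
DEVICE_INDICATORS = {r"\\.\sice": "SoftIce", r"\\.\ntice": "SoftIce"}  # SoftIce driver devices
EXPORT_INDICATORS = {"wine_get_unix_file_name": "Wine"}  # export present only in Wine's kernel32


@dataclass
class HostProfile:
    ui_language: str                                      # e.g. "en-IN", "ru-RU"
    processes: set = field(default_factory=set)           # running process image names
    modules: set = field(default_factory=set)             # DLLs loaded into the process
    devices: set = field(default_factory=set)             # device names that open successfully
    kernel32_exports: set = field(default_factory=set)    # unusual exports seen in kernel32


def analysis_findings(profile: HostProfile) -> list:
    """Every reason the checks described above would make the malware abort, language first."""
    findings = []
    primary = profile.ui_language.split("-")[0].lower()
    if primary in ABORT_LANGUAGES:
        findings.append(f"language: {ABORT_LANGUAGES[primary]} ({profile.ui_language})")

    def scan(observed, indicators, kind):
        for item in sorted(observed):
            label = indicators.get(item.lower())
            if label:
                findings.append(f"{label}: {kind} {item}")

    scan(profile.processes, PROCESS_INDICATORS, "process")
    scan(profile.modules, MODULE_INDICATORS, "module")
    scan(profile.devices, DEVICE_INDICATORS, "device")
    scan(profile.kernel32_exports, EXPORT_INDICATORS, "kernel32 export")
    return findings


def would_detonate(profile: HostProfile) -> bool:
    """True when none of the checks fire, i.e. the trojan would proceed to steal credentials."""
    return not analysis_findings(profile)


# Constructed sample profiles (assumptions, not observed hosts).
VICTIM = HostProfile("en-IN", processes={"explorer.exe", "winword.exe"})
RUSSIAN_DESKTOP = HostProfile("ru-RU", processes={"explorer.exe"})
DEFAULT_SANDBOX = HostProfile("en-US", processes={"explorer.exe", "VBoxService.exe"},
                              modules={"SbieDll.dll"})

if __name__ == "__main__":
    for name, prof in [("victim", VICTIM), ("russian desktop", RUSSIAN_DESKTOP),
                       ("default sandbox", DEFAULT_SANDBOX)]:
        print(name, "->", "detonates" if would_detonate(prof) else analysis_findings(prof))
```

Returning every finding rather than the first one is deliberate: when a sample refuses to run, the analyst wants the full list of artefacts to hide (and the locale to change) before the next detonation attempt.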