Zeus Trojan Proliferates: Beware of Corrupted Google Search Results

Zeus banking Trojan returns with a new strength

In the beginning of November, 2017 cyber security experts started increasing anxiety among Internet users by spreading the warning about the manifestation of a new version of Zeus banking Trojan.[1] Known as Zeus Panda, this dangerous type of malware[2] has been circulating on the Internet since June, this year making unaware users of Google and other search engines tricked into revealing their banking and other sensitive credentials. Zeus Panda Trojan dispersed through browser's search results

New version – unprecedented distribution strategy

The code of the original Zeus banking Trojan was leaked in 2011. Since then, several groups of cyber villains exploited it for the development of new variants. However, neither ZeuS nor Zbot versions can be compared to the Zeus Panda, which is the most prolific and advanced in terms or distribution, infiltration, and performance.

Zeus Panda does not rely on old Zeus Trojan distribution techniques[3] like spam emails or phishing scams. Its developers exploit Search Engine Optimization (SEO) by leveraging the Google SERP (Search Engine Results Pages) ranking of the hacked sites. The websites are injected with carefully chosen keywords, thus making the malicious link positioned at the top of Google search results.

Cyber criminals target a particular set of keywords, which are queried by millions of people. In this particular way, the likelihood that a potential victim will click on the malicious link increases. Unfortunately, a full list of Zeus Panda infected keywords, a couple of examples have already been revealed by Talos:[4]

“nordea sweden bank account number”
“al rajhi bank working hours during ramadan”
“how many digits in karur vysya bank account number”
“free online books for bank clerk exam”
“how to cancel a cheque commonwealth bank”
“salary slip format in excel with formula free download”
“bank of baroda account balance check”
“bank guarantee format mt760”
“free online books for bank clerk exam”
“sbi bank recurring deposit form”
“axis bank mobile banking download link”

Execution via Microsoft Word document

The opening of a malicious website does not execute the Zeus.Panda malware immediately. When the potential victim enter a compromised search query into Google or other search and opens a compromised website, he or she experiences a series of redirects until the site with a disguised JavaScript and corrupted .doc file is opened.

If the man-on-the-browser opens a Microsoft Word document, he will get a pop-up asking to “Enable Editing,” “Enable Content” or warning that “Macros have been disabled.” As long as Macros is not enabled, the Zeus Panda executable (PE32) cannot be injected. Clicking the “Enable macros” downloads the malicious executable and saves it into the %TEMP% directory on the system using the difficult-to-recognize filename.

Panda Trojan currently targets users located in Sweden, India, Australia and Saudi Arabia

It has been found that the new Zeus Trojan variant is currently targeting Swedish, Indian, Australian, and Arabian users. The scope of its developers is not clear, but it’s easy to guess that they are not going to restrict the distribution of the malware.

Even now, some of the keywords revealed by Talos are rather universal, for example, free online books for bank clerk exam” or “how to cancel a cheque commonwealth bank.”

What makes the Zeus Panda Trojan campaign the most prolific and dangerous is the fact that the malware does not have an interface and features a well-developed self-destruction mechanism.[5] In other words, it does not let the user of infected PC understand that the Trojan is on-board.

Besides, to prevent detection and analysis, Panda virus verifies the system before execution and runs in a sane environment only. By checking the virtual environment, the malware prevents itself from running on virtual machines.

The fact that devices based in Russia, Belarus, the Ukraine and Kazakhstan are bypassed by the newest version of banking Trojan has aroused various speculations about its origin. Upon the installation, it checks the keyboard mapping and if it matches any of the above-mentioned countries, the Zeus Panda destructs itself automatically.

The malware is hard to detect

The Panda variant of Zeus Trojan does not have a destructive behavior, which makes it difficult or practically impossible to detect. If the victim does not use a professional anti-malware tool or the tool is out-of-date, the Trojan it may steal victim’s personal information for quite a long time.

According to security experts,[6] the most of the reputable anti-malware programs are capable of recognizing the Zeus Panda Trojan code. Therefore, it’s advisable to install the latest definitions for your security tool and keep the guard up.

Finally, be cautious about the content you click on when browsing. If you noticed a suspicious link, which contains typo mistakes or enter a website that causes a series of redirects and urge to download PDF or Word files, we would strongly recommend bypassing the link of closing the site immediately unless you are hundred percent sure about it being secure.

About the author
Ugnius Kiguolis
Ugnius Kiguolis - The problem solver

Ugnius Kiguolis is the founder and editor-in-chief of UGetFix. He is a professional security specialist and malware analyst who has been working in IT industry for over 20 years.

Contact Ugnius Kiguolis
About the company Esolutions