Bamboo Spider, TA544
Description
Zeus Panda (also Panda Banker or Panda) is a banking trojan and a variant of the original Zeus, from whose code most of it is derived. It was first reported in 2016; one early campaign targeted Brazil around the time of the Olympic Games. It retains the Zeus code for man-in-the-browser web injects, keystroke logging and form grabbing. Zeus Panda is delivered through a variety of exploit kits and loaders by way of drive-by downloads and phishing emails, and has also been spread by poisoning search results so that they lead to infected pages. Its stealth and anti-analysis features make the malware difficult both to detect and to analyze.
GozNym has been observed to be distributed via the Avalanche botnet.
Zeus Panda has been observed to be distributed by Emotet (operated by Mummy Spider, TA542), Smoke Loader (operated by Smoky Spider), Cutwail (operated by Narwhal Spider) and Kelihos (operated by Zombie Spider).
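The man-in-the-browser and form-grabbing behaviour described above is driven by a webinject configuration. The following Python example, added here and not taken from the card's sources or from any Zeus Panda sample, parses a configuration in the classic Zeus webinject format (set_url / data_before / data_inject / data_after / data_end), applies one rule to a constructed login page the way the trojan's browser hooks would, and then runs the kind of field check a page-integrity monitor could use to spot the injected input. The config and page are constructed for the example; that Panda uses exactly this format is an assumption based on its Zeus lineage.

```python
"""Added example: parse a Zeus-style webinject config, apply it to a page,
and detect the injected form field.  Not code from Zeus Panda or from the
sources cited on this card."""
import re

# Constructed sample config.  The format (set_url, data_before, data_inject,
# data_after, each terminated by data_end) is the classic Zeus webinject
# format; that Panda inherits it unchanged is an assumption.
# '*' is the only wildcard; flags after the URL (G = GET, P = POST) are
# kept but not interpreted here.
SAMPLE_CONFIG = """\
set_url https://bank.example/login* GP
data_before
name="password"*>
data_end
data_inject
<label>Card PIN</label><input type="password" name="pin">
data_end
data_after
data_end
"""

# Constructed sample login page as the bank would serve it.
SAMPLE_PAGE = """\
<form action="/login" method="post">
<input type="text" name="username">
<input type="password" name="password">
<button type="submit">Log in</button>
</form>
"""


def parse_webinject_config(text):
    """Return a list of rules: url, flags, before, inject, after."""
    rules, current, block, buf = [], None, None, []
    for line in text.splitlines():
        stripped = line.strip()
        if block is not None:                       # inside a data_* block
            if stripped == "data_end":
                current[block] = "\n".join(buf).strip()
                block, buf = None, []
            else:
                buf.append(line)
            continue
        if stripped.startswith("set_url"):
            parts = stripped.split()
            current = {"url": parts[1], "flags": parts[2] if len(parts) > 2 else "",
                       "before": "", "inject": "", "after": ""}
            rules.append(current)
        elif stripped in ("data_before", "data_inject", "data_after"):
            if current is None:
                raise ValueError("data block before any set_url")
            block = stripped[len("data_"):]
    if block is not None:
        raise ValueError("unterminated data block")
    return rules


def _wildcard_regex(pattern):
    # Only '*' is a wildcard in this format; everything else is literal.
    return re.compile(".*?".join(re.escape(p) for p in pattern.split("*")), re.S)


def url_matches(rule, url):
    return _wildcard_regex(rule["url"]).fullmatch(url) is not None


def apply_webinject(rule, html):
    """Simulate the man-in-the-browser edit: splice data_inject into the page.
    The text between data_before and data_after is replaced by data_inject;
    an empty data_after means 'insert directly after data_before'."""
    before = _wildcard_regex(rule["before"]).search(html)
    if not before:
        return html
    start = before.end()
    if rule["after"]:
        after = _wildcard_regex(rule["after"]).search(html, start)
        if not after:
            return html
        end = after.start()
    else:
        end = start
    return html[:start] + rule["inject"] + html[end:]


def unexpected_form_fields(html, expected_names):
    """Page-integrity check: input names present that the served form never had."""
    names = re.findall(r'<input[^>]*\bname="([^"]+)"', html)
    return sorted(set(names) - set(expected_names))


def demo(url="https://bank.example/login?lang=en"):
    """Apply every matching rule to the sample page and report injected fields."""
    page = SAMPLE_PAGE
    for rule in parse_webinject_config(SAMPLE_CONFIG):
        if url_matches(rule, url):
            page = apply_webinject(rule, page)
    return page, unexpected_form_fields(page, ["username", "password"])


if __name__ == "__main__":
    injected_page, extra = demo()
    print(injected_page)
    print("unexpected fields:", extra)
```

The check at the end is the defender's side of the same picture: a bank that knows which input names its login form contains can flag a submission, or a DOM snapshot reported by in-page monitoring, that carries names it never served, which is exactly what a "Card PIN" inject produces.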
Names
Name | Name-Giver |
---|---|
Bamboo Spider | CrowdStrike |
TA544 | Proofpoint |
Country
Motivation
- Financial crime
First Seen
2016
Observed Sectors
Observed Countries
Tools
Operations
- 2016-04: Attacks against more than 24 U.S. and Canadian banks https://securityintelligence.com/meet-goznym-the-banking-malware-offspring-of-gozi-isfb-and-nymaim/
- 2016-04: Attacks on banks in Poland https://threatpost.com/attackers-behind-goznym-trojan-set-sights-on-europe/117647/
- 2016-06: Attacks on banks in the USA https://www.computerworld.com/article/3088102/goznym-trojan-targets-business-accounts-at-major-us-banks.html
- 2016-06: LinkedIn information used to spread banking malware in the Netherlands https://blog.fox-it.com/2016/06/07/linkedin-information-used-to-spread-banking-malware-in-the-netherlands/
- 2016-07: Zeus Panda Delivered By Sundown - Targets UK Banks https://www.forcepoint.com/tr/blog/x-labs/zeus-panda-delivered-sundown-targets-uk-banks
- 2016-08: Banking Trojan Zeus Panda shambles into Brazil ahead of Olympics https://techcrunch.com/2016/08/04/banking-trojan-zeus-panda-shambles-into-brazil-ahead-of-olympics/
- 2016-08: Attacks on banks in Germany https://threatpost.com/goznym-banking-trojan-targeting-german-banks/120075/
- 2017-10: Poisoning the Well: Banking Trojan Targets Google Search Results https://blog.talosintelligence.com/2017/11/zeus-panda-campaign.html
- 2017-12: Zeus Panda Banking Trojan Targets Online Holiday Shoppers https://www.proofpoint.com/us/threat-insight/post/zeus-panda-banking-trojan-targets-online-holiday-shoppers https://blog.fox-it.com/2017/12/12/criminals-in-a-festive-mood/
- 2018-03: Panda Banker Zeros in on Japanese Targets https://www.netscout.com/blog/asert/panda-banker-zeros-japanese-targets
- 2018-06: Zeus Panda Advanced Banking Trojan Gets Creative to Scam Affluent Victims in Italy https://cofense.com/zeus-panda-advanced-banking-trojan-gets-creative-scam-affluent-victims-italy/
- 2018-07: Emotet infection traffic with Zeus Panda Banker https://www.malware-traffic-analysis.net/2018/07/19/index.html
- 2018-08: For the past weeks our Threat Intelligence team has been following an extensive campaign, possibly operated by the same group, targeting a large amount of financial institutions, cryptocurrency wallets and the occasional Google and Apple accounts. https://reaqta.com/2018/09/global-malware-campaign-using-zeus-panda/
- 2020-03: Zeus Sphinx Trojan Awakens Amidst Coronavirus Spam Frenzy https://securityintelligence.com/posts/zeus-sphinx-trojan-awakens-amidst-coronavirus-spam-frenzy/
- 2020-05: Zeus Sphinx Back in Business: Some Core Modifications Arise https://securityintelligence.com/posts/zeus-sphinx-back-in-business-some-core-modifications-arise/
- 2021-09: TA544 Targets Italian Organizations with Ursnif Malware https://www.proofpoint.com/us/blog/security-briefs/ta544-targets-italian-organizations-ursnif-malware
Counter Operations
- 2019-05: GozNym Malware: Cybercriminal Network Dismantled in International Operation https://www.europol.europa.eu/newsroom/news/goznym-malware-cybercriminal-network-dismantled-in-international-operation
- 2022-04: Notorious cybercrime gang’s botnet disrupted https://blogs.microsoft.com/on-the-issues/2022/04/13/zloader-botnet-disrupted-malware-ukraine/
Other Information
Uuid
ea10af8f-5a02-415e-aa8f-3e1b62bcaccf
Last Card Change
2022-05-03