Rio 2016: Zeus Panda Banking Trojan Arrives in Brazil

A variant of the Zeus banking Trojan has arrived in Brazil just in time for the 2016 Olympic Games in Rio de Janeiro.

Experts at IBM X-Force Research say Zeus Panda is based on existing code and exhibits much of the same behaviour as other Zeus types but has some modifications, mostly related to its encryption and communication schemes.

Zeus Panda has targeted Europe and North America since early 2016, targeting online payments, prepaid cards, betting accounts and other financial transactions.

Rio 2016 Zeus Panda

It arrived in Brazil in July, targeting local banks, law enforcement agencies and even supermarket chain delivery services. Researchers suspect a cybercrime group at least partly located in the south American country is responsible.

Botnets spread the malware to infected machines, making use of exploit kits like Angler and Neutrino. A popular attack method is a malicious Microsoft Word document, but Zeus Panda has also targeted specific company email addresses with personalised messages.

Its favoured fraud methodology is account takeover where credentials are stolen and used to initiate a transaction from another device. The victim is then held online by deceptive pop up windows that allow the attacker to complete the fraudulent attack in real time.

Targeting Brazil

“Panda’s move to Brazil is a very interesting occurrence in the country,” said IBM executive security advisor Limor Kessem. “Brazil’s cybercrime landscape is dominated by relatively simplistic codes designed for specific fraud scenarios, such as Boleto fraud, remote access fraud and malware used for phishing.

“Zeus Panda may not be the first ever modular banking Trojan to operate in Brazil, but it is definitely a major step up from the malicious Delphi-based malcode that’s so typical in the country. This migration of a new and commercial Zeus variant into Brazil also underscores the growing collaboration between Brazil-based cybercriminals and cybercrime vendors from other countries and underground communities — a trend that has been picking up speed in Brazil since the beginning of this year.

“Judging by recent emerging campaigns observed by X-Force Research, Zeus Panda appears to be an active and evolving project that is being commercialized to cybercriminals through Dark Web forums. As such, we expect to see more variations of this malware and new botnets appearing in the coming months, likely targeting different countries beyond those appearing in current configurations.”

Rio 2016 is a target for cybercriminals, with recent research from Proofpoint suggesting there are 4,500 malicious apps on popular marketplaces attempting to capitalise on the Games, while 15 percent of social media accounts associated with the Olympics are fraudulent.

Excited for the Olympics? Try our sporting IT quiz!