Google Search Results Exploited to Distribute Zeus Panda Banking Trojan

Until now, we believed that to advertise and promote your business or brand, Search Engine Optimization (SEO) was the best possible solution. Similarly, users relied upon the search results on popular and trusted platforms like Google and clicked on the links without thinking twice.

However, now we might need to be a bit more cautious while clicking on search engine results because cybercriminals have identified a way to exploit them as well. This is called SEO-malvertising and SERP Poisoning.

According to an analysis by security firm Cisco Talos, cybercriminals have learned the art of exploiting SEO to push malicious links carrying the notorious Zeus Panda banking Trojan to a wider range of users as they click on search results, which helps them gain more victims. A group of hacked websites is being used by the Zeus Panda group to embed keywords either in new pages or existing ones.

The Zeus Panda distribution scheme is quite interesting, Cisco Talos researchers noted, since its configuration and operational infrastructure does not rely on the conventional distribution methods hackers use to spread malware. Instead, infected or compromised business websites are used for this purpose. The hackers carefully choose these websites based on their high ratings and reviews on the search engine, an important step because those ratings and reviews make the results look authentic to the victims.

Hackers have targeted various keyword groups in this campaign; the majority are linked to financial or banking information that users are believed to search for on a regular basis. Furthermore, specific geographic locations have been singled out for the attack, and numerous keyword groups target financial institutions based in the Middle East and India.

The finance-related keywords are selected on purpose by the cybercriminals to ensure that the infected links are displayed and the conversion rate is maximized. The compromised devices are then monitored to learn which financial platforms the user relies on, and login credentials for those platforms, banking details, and credit card information are harvested.

Hackers ask victims to call them at the phone number provided in the warning message. (Credit: Cisco)

When the victim clicks the infected link, they are redirected to the compromised website while malicious JavaScript code executes quietly in the background. The code then bounces the victim through a chain of websites until one serving a downloadable MS Word document appears, indicating that the cybercriminals used the “302 cushioning” technique to lure users into downloading this document.
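As an added illustration of the redirect-chain pattern described above (example code, not part of the original article or the Talos analysis), the following Python flags a run of consecutive 302 responses that ends in a Word document download in a simplified, constructed proxy log; the log format, field names and sample hosts are assumptions.

```python
"""Flag '302 cushioning' redirect chains that end in an Office document download.

Constructed example. Assumed simplified proxy log format per line:
timestamp client_ip http_status url content_type ('-' when absent).
"""
import re
from collections import defaultdict

# Content types and extensions that indicate a Word document payload
DOC_TYPES = {
    "application/msword",
    "application/vnd.openxmlformats-officedocument.wordprocessingml.document",
}
DOC_EXT = re.compile(r"\.doc[mx]?$", re.IGNORECASE)

# Constructed sample log: one client bounced through three 302s into a .doc,
# another client with a single, benign redirect to an HTML page.
SAMPLE_LOG = """\
09:00:01 10.0.0.5 200 http://search.example/results?q=bank+account+terms text/html
09:00:04 10.0.0.5 302 http://compromised-site.example/news.php -
09:00:04 10.0.0.5 302 http://hop-one.example/go -
09:00:05 10.0.0.5 302 http://hop-two.example/r -
09:00:06 10.0.0.5 200 http://final-drop.example/statement.doc application/msword
09:00:10 10.0.0.7 302 http://shop.example/old-page -
09:00:10 10.0.0.7 200 http://shop.example/new-page text/html
"""

def parse(line):
    ts, client, status, url, ctype = line.split(maxsplit=4)
    return {"ts": ts, "client": client, "status": int(status), "url": url, "ctype": ctype}

def is_office_doc(rec):
    path = rec["url"].split("?")[0]  # ignore query string when checking the extension
    return rec["ctype"] in DOC_TYPES or DOC_EXT.search(path) is not None

def find_cushioning_chains(log_text, min_hops=2):
    """Return one finding per run of >= min_hops consecutive 302 responses
    (per client) that is immediately followed by a 200 delivering a Word document."""
    per_client = defaultdict(list)
    for line in log_text.strip().splitlines():
        rec = parse(line)
        per_client[rec["client"]].append(rec)
    findings = []
    for client, recs in per_client.items():
        hops = []  # URLs of the current uninterrupted run of 302s
        for rec in recs:
            if rec["status"] == 302:
                hops.append(rec["url"])
                continue
            if len(hops) >= min_hops and rec["status"] == 200 and is_office_doc(rec):
                findings.append({"client": client, "hops": list(hops), "payload_url": rec["url"]})
            hops = []  # any non-302 response ends the run
    return findings
```

Run the detector over real proxy exports by swapping `SAMPLE_LOG` for the file contents; the `min_hops` threshold controls how many chained redirects are needed before a document download is flagged.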

Malware infected doc file (Credit: Cisco)

Afterward, the user is prompted to either Open or Save this file; when it is opened, the document asks the victim to click Enable Content and Enable Editing, which leads to execution of the malicious macros. These macros then download and execute a PE32 executable to infect the whole system.

The malicious payload used in this campaign seems to be a new variant of Zeus Panda, which can steal banking and similar sensitive data. This is a multi-stage payload featuring various anti-analysis tactics to avoid detection. It also displays various evasion techniques to make sure that the malware doesn’t get executed in sandboxes or analysis environments.

To stay protected, Talos researchers recommend that users implement layered defenses and remain alert and cautious when clicking on any link, attachment or Google search result.
