Spamhaus Malware Labs - Spamhaus's malware research unit - recently observed a wave of new PandaZeuS malware samples being distributed during the Christmas season. PandaZeuS, also known as Panda Banker, is an ebanking Trojan that evolved from the notorious ZeuS trojan and is being used by different threat actors to compromise ebanking credentials, used by cybercriminals to commit ebanking fraud.

Looking into two recent PandaZeuS campaigns that have just been spread before Christmas revealed that the most recent version of PandaZeuS comes with a few minor changes. An important one is the change in the encryption scheme of PandaZeuS’s Base Config. While PandaZeuS is still using the RC4 binary encryption scheme, it comes with some tiny modifications. First of all, the versioning of PandaZeuS got updated to 2.6.1:

New version 2.6.1

In the previous version, the base config was AES-265-CBC and RC4 encrypted . While this is still the case of the most recent version of PandaZeuS too, a slight modification in RC4 has been done:

PandaZeuS code snipped

The screenshot above documented the changes made to by the developers of PandaZeuS to the code:

1. Initial Key Stream Array is initialized
2. The State Array is modified 4 * 30 times and the keystream value is omitted
3. Reusing the previous indexes, State Array is modified and keystream values obtained is XORed with encrypted byte.

This can be represented in Python code as:

for i in range(256):
       j = (j + S[i] + ord(key[i % len(key)])) % 256
       S[i], S[j] = S[j], S[i]
       
   i = j = 0
   for x in range(0, 30 * 4):
        i = (i + 1) % 256
        j = (j + S[i]) % 256
        S[i], S[j] = S[j], S[i]
           
   for p in data:
       i = (i + 1) % 256
       j = (j + S[i]) % 256
       S[i], S[j] = S[j], S[i]

While we can only speculate about the reason of this minor change in the encryption scheme of PandaZeuS, we suspect the intent behind this code change is to break malware extractors used by malware researchers to extract botnet controllers from PandaZeuS malware samples.

Looking into sinkhole data of one of these PandaZeuS campaigns shows that the botnet is mainly targeting English-speaking internet users:

In addition, the associated botnet domain names are poorly detected:

• 262d65fc7f47.tk VT detection rate: 2/66
• 922b031aac47.tk VT detection rate: 3/66

Indicators of Compromise (IOC)

Campaign #1

PandaZeuS botnet controller URLs:

PandaZeuS botnet controller domain names (blocked by Spamhaus RPZ):

PandaZeuS botnet controllers (blocked by Spamhaus BCL):

Related malware samples (MD5):

Campaign #2

PandaZeuS botnet controller URLs:

PandaZeuS botnet controller domain names (blocked by Spamhaus RPZ):

PandaZeuS botnet controllers (blocked by Spamhaus BCL):

Related malware samples (MD5):

Related Spamhaus Products

• Spamhaus Response Policy Zone (RPZ)
• Spamhaus Botnet + Malware Domain List (BDL)
• Spamhaus Botnet Controller List (BCL)

Spamhaus Malware Labs is Spamhaus's malware research unit run in conjunction with Deteque, a subsidiary of Spamhaus Technology Ltd.