Zeus Panda poisoned search results

When you think you've seen it all, malware authors always find a way to impress you. Today's "that's clever!" moment comes courtesy of a criminal group that has been spreading a new version of the Zeus Panda banking trojan since June this year.

Instead of relying on the usual malvertising and spam campaigns, this group took a novel approach, one that had not previously been seen used to distribute banking trojans.

Black-hat SEO, for the win!

This Zeus Panda group decided to rely on a network of hacked websites, on which they inserted carefully chosen keywords in new pages or hid the keywords inside existing pages.

The group leveraged the favorable Google SERP (Search Engine Results Pages) ranking of the hacked sites to position these malicious pages at the top of Google search results for specific queries related to online banking and personal finances.

For example, a person searching for "al rajhi bank working hours in ramadan" would see a malicious link ranked at the top of Google search results.

Users clicking on these links would land on the hacked site, where malicious JavaScript code executed in the background and redirected them through a series of sites until they reached one offering a Word document for download.
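The two artifacts that chain leaves on a compromised page, finance keywords the visitor never sees and a script that bounces the visitor elsewhere, can be checked for offline. The following scanner is an added example, not code from the original article, Bleeping Computer or Cisco Talos. It assumes the injected keywords are hidden with inline CSS (display:none, visibility:hidden, zero font size, off-screen positioning) or the HTML hidden attribute, and that the redirect comes from an inline script or a meta refresh; the keyword list and both sample pages are constructed for illustration.

```python
"""Scan a web page for hidden SEO-spam keywords and scripted redirects.

Added example, not code from the article, Bleeping Computer or Cisco Talos.
Assumes keywords are hidden via inline CSS or the hidden attribute and that
redirects come from inline script or meta refresh; samples are constructed.
"""
import re
from html.parser import HTMLParser

# Constructed keyword list; "al rajhi bank working hours in ramadan" is the
# kind of query the poisoned pages targeted.
FINANCE_KEYWORDS = ("bank", "banking", "ramadan", "working hours", "loan", "account")

HIDDEN_STYLE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|font-size\s*:\s*0(?:px)?(?![\d.])|"
    r"(?:left|top|text-indent)\s*:\s*-\d{3,}px",
    re.I,
)
# Assignments or calls on `location` that navigate the browser elsewhere.
JS_REDIRECT = re.compile(r"\blocation\s*(?:\.\s*(?:href|replace|assign))?\s*[=(]", re.I)
VOID_TAGS = {"area", "base", "br", "col", "embed", "hr", "img", "input",
             "link", "meta", "source", "track", "wbr"}


class PageScanner(HTMLParser):
    """Split page text into visible and hidden, and collect inline script bodies."""
    def __init__(self):
        super().__init__()
        self.hidden_stack = []  # one bool per open element: is it, or an ancestor, hidden?
        self.hidden_text, self.visible_text, self.script_text = [], [], []
        self.meta_refresh = False
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "meta" and (attrs.get("http-equiv") or "").lower() == "refresh":
            self.meta_refresh = True
        if tag == "script":
            self._in_script = True
        if tag in VOID_TAGS:
            return  # no matching end tag, so do not push onto the stack
        hidden = "hidden" in attrs or bool(HIDDEN_STYLE.search(attrs.get("style") or ""))
        parent_hidden = self.hidden_stack[-1] if self.hidden_stack else False
        self.hidden_stack.append(parent_hidden or hidden)

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False
        if tag not in VOID_TAGS and self.hidden_stack:
            self.hidden_stack.pop()

    def handle_data(self, data):
        text = data.strip()
        if not text:
            return
        if self._in_script:
            self.script_text.append(text)
        elif self.hidden_stack and self.hidden_stack[-1]:
            self.hidden_text.append(text)
        else:
            self.visible_text.append(text)


def keyword_hits(text, keywords=FINANCE_KEYWORDS):
    """Count whole-word, case-insensitive keyword occurrences in text."""
    return sum(len(re.findall(r"\b" + re.escape(k) + r"\b", text, re.I)) for k in keywords)


def analyse(html, min_hidden_hits=3):
    """Return injection and redirect indicators for one page's HTML."""
    scanner = PageScanner()
    scanner.feed(html)
    scanner.close()
    hidden_hits = keyword_hits(" ".join(scanner.hidden_text))
    return {
        "hidden_keyword_hits": hidden_hits,
        "visible_keyword_hits": keyword_hits(" ".join(scanner.visible_text)),
        "js_redirect": bool(JS_REDIRECT.search("\n".join(scanner.script_text))),
        "meta_refresh": scanner.meta_refresh,
        # Finance keywords the visitor cannot see are the SEO-spam signal; the
        # redirect flags say whether the page also bounces visitors onward.
        "suspicious": hidden_hits >= min_hidden_hits,
    }


# Constructed sample pages, not captures from the campaign.
CLEAN_PAGE = """<html><body><h1>Sourdough</h1><p>How to bake bread at home.</p>
<img src="loaf.png"><p>Let the dough rest.</p></body></html>"""
INJECTED_PAGE = """<html><body><h1>Sourdough</h1><p>How to bake bread at home.</p>
<div style="position:absolute; left:-9999px">al rajhi bank working hours in ramadan
online banking account login bank hours</div>
<p hidden>bank loan ramadan working hours</p>
<script>if (document.referrer.indexOf("google") !== -1) {
  window.location.replace("http://example.invalid/step1");
}</script>
<p>Let the dough rest.</p></body></html>"""

if __name__ == "__main__":
    for name, page in (("clean", CLEAN_PAGE), ("injected", INJECTED_PAGE)):
        print(name, analyse(page))
```

Run it over the HTML of a page as a crawler fetched it, not as a browser renders it, since the hidden blocks are present in the served markup. A real site that legitimately uses off-screen text (skip links, screen-reader labels) will show a few hidden words, which is why the verdict is keyed to finance keyword density rather than to hidden text alone.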

Malware group combines SEO spam and malvertising

This tangled chain of URL redirections is typical of malvertising campaigns, which bounce users from sites running tainted ads to exploit kits, tech support scams, or fake software updaters.

The Zeus Panda group basically combined SEO spam botnets (networks of hacked sites stuffed with hidden keywords to manipulate search rankings) with the kind of multi-hop redirection chain normally used to push malvertising victims to exploit kits.

The Word document users received was identical to the one they would have received via a spam email. Only the delivery path differed, not the contents.

Group pushed new Zeus Panda banking trojan version

The Word file still relies on users enabling macro execution, which starts a series of hidden scripts that install a new variant of the Zeus Panda banking trojan, a family G Data had previously analyzed. Because the chain depends on that click, a policy that blocks macros in documents downloaded from the internet stops the infection at this step.
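Since the final payload is an ordinary macro document regardless of whether it arrived by search result or by email, it can be caught at a mail or web gateway by inspecting the container rather than the file extension. The triage function below is an added example, not code from the original article, G Data or Cisco Talos. It assumes two container formats: OOXML (a zip whose [Content_Types].xml declares a vbaProject part) and the legacy OLE2 binary format recognised by its magic bytes; the sample documents are constructed in memory.

```python
"""Classify an Office document by whether its container carries VBA macros.

Added example, not code from the article, G Data or Cisco Talos. Assumes
OOXML (zip with [Content_Types].xml) and OLE2 (magic-byte) containers;
sample documents below are constructed in memory.
"""
import io
import zipfile

OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # legacy .doc/.xls compound file header
ZIP_MAGIC = b"PK\x03\x04"                           # OOXML (.docx/.docm) is a zip archive
VBA_CONTENT_TYPE = b"application/vnd.ms-office.vbaProject"


def classify(blob):
    """Return 'ooxml-macro', 'ooxml', 'ole2' (needs a VBA stream parser) or 'other'."""
    if blob.startswith(OLE2_MAGIC):
        return "ole2"
    if not blob.startswith(ZIP_MAGIC):
        return "other"
    try:
        with zipfile.ZipFile(io.BytesIO(blob)) as zf:
            names = set(zf.namelist())
            ctypes = zf.read("[Content_Types].xml") if "[Content_Types].xml" in names else b""
    except zipfile.BadZipFile:
        return "other"
    # Either the part itself or its declared content type is enough to flag the file.
    has_vba = any(n.lower().endswith("vbaproject.bin") for n in names) or VBA_CONTENT_TYPE in ctypes
    return "ooxml-macro" if has_vba else "ooxml"


def build_ooxml(with_macro):
    """Build a minimal constructed OOXML container, optionally with a VBA part."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        overrides = ['<Default Extension="xml" ContentType="application/xml"/>']
        if with_macro:
            overrides.append('<Override PartName="/word/vbaProject.bin" '
                             'ContentType="application/vnd.ms-office.vbaProject"/>')
        zf.writestr("[Content_Types].xml", "<Types>" + "".join(overrides) + "</Types>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", OLE2_MAGIC + b"\x00" * 8)
    return buf.getvalue()


if __name__ == "__main__":
    for label, blob in (("plain", build_ooxml(False)), ("macro", build_ooxml(True)),
                        ("legacy", OLE2_MAGIC + b"\x00" * 64), ("text", b"hello")):
        print(label, classify(blob))
```

The check deliberately ignores the file name: a .docm renamed to .docx still carries word/vbaProject.bin, and Word will still prompt to enable its macros. For the legacy OLE2 result, hand the file to a VBA stream parser such as oletools' olevba, which also extracts the macro source for review.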

Cisco Talos — who discovered this hybrid SEO-malvertising Zeus Panda distribution campaign taking place over the summer — has also released a report with technical details about the distribution campaign, the Google search queries for which malicious pages showed up, and extra details on the new Zeus Panda variant.

"The overall configuration and operation of the infrastructure used to distribute this malware was interesting as it did not rely on distribution methods that Talos regularly sees being used for the distribution of malware," Talos wrote in its report. "This is another example of how attackers regularly refine and change their techniques and illustrates why ongoing consumption of threat intelligence is essential for ensuring that organizations remain protected against new threats over time."

Image credits: Egon Låstad, Bleeping Computer