U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Hackers Steal Data of 4.38 Million Aflac Japan Customers|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Hackers Steal Data of 4.38 Million Aflac Japan Customers|
Advertisement

Ad Placeholder

Full Width × 90

Cyber Crime

Pandemiya is a written-from-scratch trojan being sold in the underground

RSA Security’s FraudAction team released a report on Pandemiya, a new banking Trojan being sold in hacker forums as an alternative to the popular Zeus. RSA Security’s FraudAction team issued a report on Pandemiya, a banking Trojan being proposed in the underground ecosystem as the most effective alternative to the Zeus banking Trojan. Pandemiya Trojan is being sold for as […]

Pandemiya is a written-from-scratch trojan being sold in the underground

RSA Security’s FraudAction team released a report on Pandemiya, a new banking Trojan being sold in hacker forums as an alternative to the popular Zeus.

RSA Security’s FraudAction team issued a report on Pandemiya, a banking Trojan being proposed in the underground ecosystem as the most effective alternative to the Zeus banking Trojan.

Pandemiya Trojan is being sold for as much as $1500 USD for the core application, or $2000 USD for the core application including plugins for additional functionality. The malware includes all the principal features implemented in the most sophisticated banking malware  (file grabber, digital signature of the source code to avoid detection, data stealer, screen grabber, encrypted communication with the C&C)Pandemiya malware was designed with a modular approach, its authors have implemented the malware to be able to load external plug-ins which implement new features.

“Like many of the other Trojans we’ve seen of late, Pandemiya includes protective measures to encrypt the communication with the control panel, and prevent detection by automated network analyzers. An interesting aspect of the application is its modular design, which makes it quite easy to expand and add functionality.” states the blog post from RSA.

Pandemiya is considered by malware analysts a written-from-scratch trojan, the discovery of a malware totally new is considered an exceptional event. According to the experts at RSA, the author has spent a lot of effort in writing the Pandemiya, at least one year, which includes 25,000 lines of original code written in C. Probably the principal intent of malware authors is to avoid detection of principal end-point based security protection solutions as explained by Uri Fleyder, cybercrime research lab manager at RSA.

“In my opinion, the main reason to write a new malicious code completely from scratch is to bypass end-point based security protection solutions,” “Most of the security products for end-point devices are relying on previously known signatures and previously known behavioral patterns. It’s harder (from their point-of-view) to detect and block new threats which behave differently from all of the previously known ones.” Fleyder said. 

Additional features via pluggins are Reverse Proxy, FTP Stealer (with combination of an internal iFramer), PE infector (for startup) and experimental Plugins will be soon released including Reverse hidden RDP and Facebook spreader.

pandemiya banking trojan

Usually malware coder create their versions starting from the numerous source code available in the wild, including Zeus, Citadel and Carberp, their choice to improve the popular code to be more effective and to be able to propose on the market their malicious agents in a short time.

The authors are trying to benefit from the latest success of international law enforcement against the GameOver Zeus botnet, proposing a new totally new product.

Pandemiya is being spread by exploit kits with a classic drive-by download scheme.

The industry of cybercrime never stops, it is creative and is able to respond to adverse events with fast and efficient solutions, for this reason it is necessary a joint effort of the major international law enforcement agencies to eradicate the threat.

Pierluigi Paganini

(Security Affairs –  Pandemiya, cybercrime)