Register to stream ATT&CKcon 2.0 October 29-30

Zeus Panda

Zeus Panda is a Trojan designed to steal banking information and other sensitive credentials for exfiltration. Zeus Panda’s original source code was leaked in 2011, allowing threat actors to use its source code as a basis for new malware variants. It is mainly used to target Windows operating systems ranging from Windows XP through Windows 10.[1][2]

ID: S0330
Type: MALWARE
Platforms: Windows
Version: 1.0

Techniques Used

Domain ID Name Use
Enterprise T1115 Clipboard Data Zeus Panda can hook GetClipboardData function to watch for clipboard pastes to collect. [2]
Enterprise T1059 Command-Line Interface Zeus Panda can launch an interface where it can execute several commands on the victim’s PC. [2]
Enterprise T1140 Deobfuscate/Decode Files or Information Zeus Panda decrypts strings in the code during the execution process. [1]
Enterprise T1083 File and Directory Discovery Zeus Panda searches for specific directories on the victim’s machine. [2]
Enterprise T1107 File Deletion Zeus Panda has a command to delete a file. [2]
Enterprise T1179 Hooking Zeus Panda hooks processes by leveraging its own IAT hooked functions. [2]
Enterprise T1070 Indicator Removal on Host Zeus Panda can uninstall scripts and delete files to cover its track. [2]
Enterprise T1056 Input Capture Zeus Panda can perform keylogging on the victim’s machine by hooking the functions TranslateMessage and WM_KEYDOWN. [2]
Enterprise T1112 Modify Registry Zeus Panda modifies several Registry keys under HKCU\Software\Microsoft\Internet Explorer\ PhishingFilter\ to disable phishing filters. [2]
Enterprise T1027 Obfuscated Files or Information Zeus Panda encrypts strings with XOR and obfuscates the macro code from the initial payload. Zeus Panda also encrypts all configuration and settings in AES and RC4. [1] [2]
Enterprise T1086 PowerShell Zeus Panda uses PowerShell to download and execute the payload. [1]
Enterprise T1057 Process Discovery Zeus Panda checks for running processes on the victim’s machine. [2]
Enterprise T1055 Process Injection Zeus Panda checks processes on the system and if they meet the necessary requirements, it injects into that process. [2]
Enterprise T1012 Query Registry Zeus Panda checks for the existence of a Registry key and if it contains certain values. [2]
Enterprise T1060 Registry Run Keys / Startup Folder Zeus Panda adds persistence by creating Registry Run keys. [1] [2]
Enterprise T1105 Remote File Copy Zeus Panda can download additional malware plug-in modules and execute them on the victim’s machine. [2]
Enterprise T1113 Screen Capture Zeus Panda can take screenshots of the victim’s machine. [2]
Enterprise T1064 Scripting Zeus Panda can launch remote scripts on the victim’s machine. [2]
Enterprise T1063 Security Software Discovery Zeus Panda checks to see if anti-virus, anti-spyware, or firewall products are installed in the victim’s environment. [1] [2]
Enterprise T1071 Standard Application Layer Protocol Zeus Panda uses HTTP for C2 communications. [1]
Enterprise T1082 System Information Discovery Zeus Panda collects the OS version, system architecture, computer name, product ID, install date, and information on the keyboard mapping to determine the language used on the system. [1] [2]
Enterprise T1124 System Time Discovery Zeus Panda collects the current system time (UTC) and sends it back to the C2 server. [2]

References