JUST RELEASED: ATT&CK for Industrial Control Systems

Zeus Panda

Zeus Panda is a Trojan designed to steal banking information and other sensitive credentials for exfiltration. Zeus Panda’s original source code was leaked in 2011, allowing threat actors to use its source code as a basis for new malware variants. It is mainly used to target Windows operating systems ranging from Windows XP through Windows 10.[1][2]

ID: S0330
Platforms: Windows
Version: 1.0
Created: 29 January 2019
Last Modified: 16 April 2019

Techniques Used

Domain ID Name Use
Enterprise T1115 Clipboard Data

Zeus Panda can hook GetClipboardData function to watch for clipboard pastes to collect.[2]

Enterprise T1059 Command-Line Interface

Zeus Panda can launch an interface where it can execute several commands on the victim’s PC.[2]

Enterprise T1140 Deobfuscate/Decode Files or Information

Zeus Panda decrypts strings in the code during the execution process.[1]

Enterprise T1083 File and Directory Discovery

Zeus Panda searches for specific directories on the victim’s machine.[2]

Enterprise T1107 File Deletion

Zeus Panda has a command to delete a file.[2]

Enterprise T1179 Hooking

Zeus Panda hooks processes by leveraging its own IAT hooked functions.[2]

Enterprise T1070 Indicator Removal on Host

Zeus Panda can uninstall scripts and delete files to cover its track.[2]

Enterprise T1056 Input Capture

Zeus Panda can perform keylogging on the victim’s machine by hooking the functions TranslateMessage and WM_KEYDOWN.[2]

Enterprise T1112 Modify Registry

Zeus Panda modifies several Registry keys under HKCU\Software\Microsoft\Internet Explorer\ PhishingFilter\ to disable phishing filters.[2]

Enterprise T1027 Obfuscated Files or Information

Zeus Panda encrypts strings with XOR and obfuscates the macro code from the initial payload. Zeus Panda also encrypts all configuration and settings in AES and RC4.[1][2]

Enterprise T1086 PowerShell

Zeus Panda uses PowerShell to download and execute the payload.[1]

Enterprise T1057 Process Discovery

Zeus Panda checks for running processes on the victim’s machine.[2]

Enterprise T1055 Process Injection

Zeus Panda checks processes on the system and if they meet the necessary requirements, it injects into that process.[2]

Enterprise T1012 Query Registry

Zeus Panda checks for the existence of a Registry key and if it contains certain values.[2]

Enterprise T1060 Registry Run Keys / Startup Folder

Zeus Panda adds persistence by creating Registry Run keys.[1][2]

Enterprise T1105 Remote File Copy

Zeus Panda can download additional malware plug-in modules and execute them on the victim’s machine.[2]

Enterprise T1113 Screen Capture

Zeus Panda can take screenshots of the victim’s machine.[2]

Enterprise T1064 Scripting

Zeus Panda can launch remote scripts on the victim’s machine.[2]

Enterprise T1063 Security Software Discovery

Zeus Panda checks to see if anti-virus, anti-spyware, or firewall products are installed in the victim’s environment.[1][2]

Enterprise T1071 Standard Application Layer Protocol

Zeus Panda uses HTTP for C2 communications.[1]

Enterprise T1082 System Information Discovery

Zeus Panda collects the OS version, system architecture, computer name, product ID, install date, and information on the keyboard mapping to determine the language used on the system.[1][2]

Enterprise T1124 System Time Discovery

Zeus Panda collects the current system time (UTC) and sends it back to the C2 server.[2]