Pierluigi Paganini June 11, 2014

RSA Security’s FraudAction team released a report on Pandemiya, a new banking Trojan being sold in hacker forums as an alternative to the popular Zeus.

RSA Security’s FraudAction team issued a report on Pandemiya, a banking Trojan being proposed in the underground ecosystem as the most effective alternative to the Zeus banking Trojan.

Pandemiya Trojan is being sold for as much as $1500 USD for the core application, or $2000 USD for the core application including plugins for additional functionality. The malware includes all the principal features implemented in the most sophisticated banking malware  (file grabber, digital signature of the source code to avoid detection, data stealer, screen grabber, encrypted communication with the C&C), Pandemiya malware was designed with a modular approach, its authors have implemented the malware to be able to load external plug-ins which implement new features.

“Like many of the other Trojans we’ve seen of late, Pandemiya includes protective measures to encrypt the communication with the control panel, and prevent detection by automated network analyzers. An interesting aspect of the application is its modular design, which makes it quite easy to expand and add functionality.” states the blog post from RSA.

Pandemiya is considered by malware analysts a written-from-scratch trojan, the discovery of a malware totally new is considered an exceptional event. According to the experts at RSA, the author has spent a lot of effort in writing the Pandemiya, at least one year, which includes 25,000 lines of original code written in C. Probably the principal intent of malware authors is to avoid detection of principal end-point based security protection solutions as explained by Uri Fleyder, cybercrime research lab manager at RSA.

“In my opinion, the main reason to write a new malicious code completely from scratch is to bypass end-point based security protection solutions,” “Most of the security products for end-point devices are relying on previously known signatures and previously known behavioral patterns. It’s harder (from their point-of-view) to detect and block new threats which behave differently from all of the previously known ones.” Fleyder said. 

Additional features via pluggins are Reverse Proxy, FTP Stealer (with combination of an internal iFramer), PE infector (for startup) and experimental Plugins will be soon released including Reverse hidden RDP and Facebook spreader.

Usually malware coder create their versions starting from the numerous source code available in the wild, including Zeus, Citadel and Carberp, their choice to improve the popular code to be more effective and to be able to propose on the market their malicious agents in a short time.

The authors are trying to benefit from the latest success of international law enforcement against the GameOver Zeus botnet, proposing a new totally new product.

Pandemiya is being spread by exploit kits with a classic drive-by download scheme.

The industry of cybercrime never stops, it is creative and is able to respond to adverse events with fast and efficient solutions, for this reason it is necessary a joint effort of the major international law enforcement agencies to eradicate the threat.

Pierluigi Paganini

(Security Affairs –  Pandemiya, cybercrime)