Guide to Remove Panda Banker Trojan from the system

Zeus Panda, Panda or Panda Banker is a spin-off of the Zeus Banking Trojan. First seen in 2016 as one of the many variants that cropped up in the wake of the Zeus source code, Panda has fulfilled its function as a banking Trojan since then. Looking to harvest credentials of online banking, payments & other financial portals, the majority of its code is derived from the original Zeus Trojan. The Trojan is designed to target Windows Operating system & leverages man-in the browser/ web injects attack techniques to fulfill the purpose of stealing. 

Zeus Panda follows its predecessor & hence primarily targets financial sector & crypto currency sites. In addition it expands its attack in different organization sectors like social networking sites, search, Email & adult sites. The attack strategy of this malware is more or less same with some minor modifications in dynamic configurations.

The full arsenal of attack techniques adopted by Panda banker Trojan includes:

1. Taking Screenshots (up to 100 per mouse click)
2. Key logging
3. The ability to grab passwords from clipboard & place them into form fields
4. Exploits for the Virtual Network Computing desktop-sharing system
5. Clearing cache & cookies

Stealth capabilities of the malware make not only detection but its analysis difficult.

Panda Banker Distribution Tactics

Malware scripts turn to deception to invade. So does Panda Banker. It launches attack campaigns with a diversity of loaders & exploit kits. The malware script is distributed via:

1. Drive by Downloads: This implies unintended download of malicious software from the internet. The software gets downloaded by either of the two ways:

• Software Bundling: Such downloads occur without user knowledge. Threat actors embed the malicious code in the payload of the authenticated software. User negligence in downloading the software without following proper procedures or ignoring the steps may result in unintentional download of Panda banker Trojan.
• Downloads which a person has authorized without understanding the consequences. Example, Downloads that install an unknown or counterfeit executable program, Java applet etc automatically.

2. Phishing mails: Panda Banker is more often distributed via spam email attachments. These attachments can be named as anything which can grab user’s attention and triggers him/her to open the attachment. The Trojan corrupts the system with the malicious script when user enables macros of the document attached.
3. Malevolent sites: Hooking search results to infected pages is one more way to distribute Panda banker Trojan. Infected websites include malicious script that runs as soon as the user visits the site. Such websites include but are not limited to porn sites, torrent sites & other free downloading sites.

Threat Behavior of Panda banker Trojan

The infestation of Panda banker Trojan in the system encounters you with an endless array of negatives. Once successfully installed, the malware begins to query the victim’s system to get information like:

• Antivirus installed
• Operating system information
• Username
• Local time
• IP (Internet Protocol)
• GPS (Global Positioning System) etc

The gathered information is sent to C&C (Command & Control Centre), where threat actors on basis of this information obfuscate JSON data to the victim system. Malware downloads further commands, web inject data & configure the system accordingly.

Finally malware begins unauthorized malicious activities like stealing credentials, generating fraudulent transactions using Automatic Transfer System (ATS), web inject ,installing ransomware, crypto mining etc.

How to avoid Panda banker Trojan invasion in the system?

1. Users are recommended to keep the operating system and applications with the latest patches.
2. Don’t open attachments in unsolicited emails
3. Following safe practices when surfing net goes a long way
4. Make sure your system is protected with up-to-date versions of anti-virus, anti-spyware software like Vipre& BULL GUARD.
5. Enable Windows Defender Application & Credential Guards to protect credential theft attacks, block automatic installation of unauthorized apps etc.

Threat Summary

Name: Panda Banker

Browsers Affected: Internet Explorer, Google Chrome, Microsoft Edge and Firefox

Targeted Operating System: Windows

Category: Trojan

Steps to Remove Panda Banker Trojan from the system.

STEP A: Reboot your system to safe mode with networking

To restart the system to Safe Mode with Networking,  if already switched ON then follow the below steps:

Windows 7/ Vista/ XP

1. Click on Windows icon present in the lower left corner of the computer screen.
2. Select and click  Restart.
3. When the screen goes blank, Keep tapping  F8  Key until you see the Advanced Boot Options window.
4. With the help of arrow keys on keyboard, Select Safe Mode with Networking  option from the list and press the Enter Key. The system will then restart to Safe Mode with Networking.

5 Click on the username and enter the password (if any).

Windows 10 / Windows 8

1. Press and hold the Shift Key and simultaneously click on the windows icon present in the lower left corner of your computer screen.
2. While the Shift key is still pressed click on the Power button and then click on Restart.
3. Now select Troubleshoot → Advanced options → Startup Settings.
4. When the Startup Settings screen appears which is the first screen to appear after restart, select and click on Enable Safe Mode with Networking. The system will then restart to Safe Mode with Networking.
5. Click on the username and enter the password.

STEP B: Remove the malicious file from System Configuration Settings

1. Type “Msconfig” in search box / Run Box, select it and press Enter.
2. Click on “Services” Tab and click on “Hide all Microsoft services”.
3. Select Panda Banker Trojan from the list of remaining services and disable it by removing the tick mark from the checkbox and click on Apply button.

Windows 7

1. Click on the next tab – “Startup”.
2. Find any blank or suspicious entry or the entry with Panda Banker Trojan mentioned and remove the check mark.
3. Click on Apply button and then click on OK.

Windows 10

1. Click on the next tab – “Startup”.
2. Take the mouse cursor to ‘Open task Manager‘ link and click on it.  This opens the Task Manager window.
3. Find any blank or suspicious entry or the entry with Panda Banker Trojan mentioned and click on it.
4. Then click on Disable button.

STEP C: Delete the suspicious file from the Registry key 

1. Type “Regedit” in search box / Run Box, select it and press Enter.
2. An authorization dialog box will appear, then you just have to click “Yes”. (The dialog box appearance may vary depending on OS used. For Windows 10 the the dialog box looks like the first screenshot and for windows 7 it appears like the second screenshot)
3. In the registry editor, take the backup of the current registry settings before making any changes in case you want to revert to old settings later. For this, Click on File option in the menu and select Export. Save the entry at a known location.
4. From the Menu, Click Edit and Select Find.
5. Enter Panda Banker Trojan and click OK in the search box.
6. Select and delete suspicious  entries.