SEO Poisoning Used to Distribute Panda Banker Trojan

Since approximately mid-2017, threat actors have been using Search Engine Optimization (SEO) poisoning to manipulate search engines into ranking malicious links above legitimate results when users search for specific banking and finance-related keywords, with the goal of delivering the Panda Banker trojan to unsuspecting victims. The actors leverage compromised web servers to influence search engine output and, in some cases, to display the malicious link multiple times on the first page of returned results. They also abuse compromised websites that have previously established positive ratings and reviews, so the links appear legitimate to end users. Visiting one of these links initiates a multi-stage malware infection on the user’s system, beginning with a JavaScript redirection to an intermediary server. That server answers the HTTP GET request with HTTP status code 302, redirecting the user to yet another compromised site that has been modified to deliver a malicious Word document, a technique known as “302 cushioning” that is also used by several exploit kits. If the user opens the document and enables macros, the user’s system is infected with the Panda Banker trojan.

The NJCCIC recommends all users review both the Cisco Talos report and the NJCCIC profile on Panda Banker, and avoid downloading and opening files delivered unexpectedly after visiting a website. Additionally, never enable macros on unsolicited Microsoft Office documents. If a Panda Banker infection is suspected, isolate the affected system from the network immediately and perform a full system scan using a reputable anti-malware solution. Proactively monitor and change passwords for any financial, personal, or business accounts accessed from infected systems and enable two-factor authentication (2FA) where available.
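The redirect chain described above (search result, JavaScript redirect, 302 from an intermediary host, Office document from a third host) is the kind of pattern an analyst can flag automatically. The following Python is an added example, not code from the NJCCIC advisory or the Cisco Talos report: it walks a chain of responses the way a sandboxed crawler would, follows both JavaScript and HTTP redirects, and flags a chain that contains a cross-host 302 “cushion” and ends in a Word document. The hostnames, URLs and response bodies are constructed placeholders so the script runs offline; they are not real indicators.

```python
import re
from urllib.parse import urljoin, urlparse

# Constructed, offline stand-in for the HTTP responses a crawler would receive:
# url -> (status, headers, body). All hostnames are placeholders, not real IOCs.
MALICIOUS_CHAIN = {
    "http://search-hit.example/banking-login-help.html": (
        200, {"Content-Type": "text/html"},
        '<html><body><script>window.location.href="http://cushion.example/go?id=7";'
        '</script></body></html>'),
    "http://cushion.example/go?id=7": (
        302, {"Location": "http://hijacked-blog.example/uploads/invoice.doc"}, ""),
    "http://hijacked-blog.example/uploads/invoice.doc": (
        200, {"Content-Type": "application/msword",
              "Content-Disposition": 'attachment; filename="invoice.doc"'},
        ""),  # binary document body omitted; only headers matter here
}
# A legitimate http -> https redirect on a single host, for contrast.
BENIGN_CHAIN = {
    "http://bank.example/": (301, {"Location": "https://bank.example/"}, ""),
    "https://bank.example/": (200, {"Content-Type": "text/html"}, "<html>home</html>"),
}

JS_REDIRECT = re.compile(
    r'(?:window\.|document\.|top\.)?location(?:\.href)?\s*=\s*["\']([^"\']+)["\']')
META_REFRESH = re.compile(
    r'<meta[^>]+http-equiv=["\']?refresh["\']?[^>]+url=([^"\'>\s]+)', re.I)
OFFICE_TYPES = {
    "application/msword",
    "application/vnd.ms-word.document.macroenabled.12",
    "application/vnd.openxmlformats-officedocument.wordprocessingml.document",
}
OFFICE_EXTS = (".doc", ".docm", ".dotm", ".docx")
REDIRECT_CODES = {301, 302, 303, 307, 308}


def fetch(url, responses):
    """Offline stand-in for an HTTP GET; returns (status, headers, body) or None."""
    return responses.get(url)


def next_hop(url, status, headers, body):
    """Return (next_url, how) if this response redirects, else (None, None)."""
    if status in REDIRECT_CODES and "Location" in headers:
        return urljoin(url, headers["Location"]), "http"
    if status == 200 and headers.get("Content-Type", "").startswith("text/html"):
        m = JS_REDIRECT.search(body) or META_REFRESH.search(body)
        if m:
            return urljoin(url, m.group(1)), "js"
    return None, None


def follow_chain(start, responses, max_hops=10):
    """Follow HTTP and in-page redirects from `start`; return one record per hop."""
    hops, url = [], start
    for _ in range(max_hops):
        resp = fetch(url, responses)
        if resp is None:  # unreachable host or dead link ends the chain
            hops.append({"url": url, "status": None, "ctype": "", "via": None})
            break
        status, headers, body = resp
        hop = {"url": url, "status": status,
               "ctype": headers.get("Content-Type", "").split(";")[0].strip().lower(),
               "via": None}
        hops.append(hop)
        nxt, via = next_hop(url, status, headers, body)
        if nxt is None:
            break
        hop["via"] = via  # how the chain left this hop: "http" or "js"
        url = nxt
    return hops


def classify_chain(hops):
    """Flag a cross-host 302 cushion that ends in an Office document download."""
    hosts = [urlparse(h["url"]).netloc for h in hops]
    last = hops[-1]
    office_doc = (last["ctype"] in OFFICE_TYPES
                  or urlparse(last["url"]).path.lower().endswith(OFFICE_EXTS))
    # Cushion: a redirecting hop reached from one host that sends the victim on
    # to yet another host, i.e. the intermediary server in the advisory.
    cushion = any(
        hops[i]["status"] in REDIRECT_CODES
        and hosts[i] != hosts[i - 1] and hosts[i] != hosts[i + 1]
        for i in range(1, len(hops) - 1))
    return {
        "distinct_hosts": len(set(hosts)),
        "js_redirect_seen": any(h["via"] == "js" for h in hops),
        "has_302_cushion": cushion,
        "office_doc_delivered": office_doc,
        "suspicious": cushion and office_doc,
    }


if __name__ == "__main__":
    for name, chain, start in (("malicious", MALICIOUS_CHAIN, next(iter(MALICIOUS_CHAIN))),
                               ("benign", BENIGN_CHAIN, next(iter(BENIGN_CHAIN)))):
        hops = follow_chain(start, chain)
        print(name, [(h["status"], h["url"]) for h in hops], classify_chain(hops))
```

To use this against live traffic, replace `fetch` with a real GET issued from an isolated analysis host and keep `max_hops` low; a chain that crosses three or more hosts and ends in `application/msword` is worth a closer look even before the document is opened.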