Hackers Use Google Search Results to Spread Malware
Cybercriminals are continually finding new ways to distribute their malicious software. This time, they took advantage of Google search results in spreading their malware.
Researchers at Cisco discovered that Google search results are being used by cybercriminals for spreading their malware. Cybercriminals took advantage of the links provided by Google search results in spreading the new version of the banking malware dubbed as “Zeus Panda”, also known as “Panda Banker”.
Google search is the digital world’s go-to place whenever we want to know something. Google answers our questions by providing links that it believes (based on its algorithm or criteria) are the best responses to our queries.
Billions of people around the world are using Google search. According to StatCounter, a Dublin-based web tracking service, as of October 2017, Google received the bulk of the search engine market share worldwide (91.47%), followed by Bing (2.75%), Yahoo (2.25%) and Baidu (1.8%).
Zeus Panda, the malware distributed by the threat actors via malicious links on Google search, is a malware that borrows some of the code of another malware called “Zeus” – a malware that first appeared in 2007. Cybercriminals have since earned hundreds of millions of dollars using the Zeus malware by stealing banking credentials and generating fraudulent banking transactions.
How Zeus Panda Spreads via Google Search ResultsIn order that these malicious links show up on the first page of Google search results, threat actors used the process called “SEO”, short for search engine optimization. Google, for its part, allows legitimate SEO – referred to as "whitehat" SEO. One of the legitimate SEO techniques used by the threat actors is the use of targeted banking related keywords to zero in their target victims.
“By targeting primarily financial-related keyword searches and ensuring that their malicious results are displayed, the attacker can attempt to maximize the conversion rate of their infections as they can be confident that infected users will be regularly using various financial platforms and thus will enable the attacker to quickly obtain credentials, banking and credit card information, etc.,” Cisco researchers said.
Threat actors, for instance, used the banking related keywords "al rajhi bank working hours during ramadan". The screencap below from Cisco researchers shows one of the top links in the Google search results for the above-mentioned keywords.
Below are the other keywords used by the threat actors:
"nordea sweden bank account number"
"how many digits in karur vysya bank account number"
"how to cancel a cheque commonwealth bank"
"salary slip format in excel with formula free download"
"bank of baroda account balance check"
"bank guarantee format mt760"
"sbi bank recurring deposit form"
"axis bank mobile banking download link"
As can be gleaned from the above-mentioned keywords, certain geographic regions appear to be directly targeted, with many of these keywords targeting users trying to search about financial institutions in India as well as the Middle East. The treat actors compromised business websites that have received high number of reviews and high ratings to appear legitimate to victims. Once a victim clicks on this compromised link, a multi-stage malware infection process is then initiated.
As shown below, the victim is redirected to a compromised site that shows a fake alert from Windows Defender that the Zeus virus is detected.
Once the victim clicks the “OK” button, the victim is once again redirected to another compromised site which hosts a malicious Word document as shown below.
Clicking on the "Enable Editing" and click "Enable Content" will initiate the downloading of the new version of Zeus Panda malware into the victim's computer.
This new version of Zeus Panda shares many characteristics of its predecessor Zeus Panda. Both borrowed the code of Zeus malware – the creator of which released the source code to the public in 2011. Both are designed to steal banking and other sensitive credentials and conduct fraudulent banking transactions.
Zeus Panda malware was first discovered by the researcher only known as “Fox IT” in February 2016. As reported by Proofpoint, this early version of Zeus Panda stole banking credentials of customers from European and Australian banks, UK online casinos and international online payment systems.
Unlike the new version of the malware which uses Google search results to spread the malware, the older version of Zeus Panda was spread using malicious email attachments, malicious email links and web injects.
In August 2016, Proofpoint found that millions of emails were sent to organizations involved in manufacturing, retail, insurance and related sector. The email messages masquerading as coming from legitimate banks contained malicious links leading to Microsoft Word documents. These documents contain macros which, if enabled, download Zeus Panda malware.
In October of this year, IBM reported that customers in North America were targeted by the Zeus Panda malware. For this October 2017 campaign, IBM said, the threat actors distributed the malware via malicious emails purporting to come from courier services like UPS. These fake emails, according to IBM, contain embedded links that lead the recipient to a site infected by Zeus Panda malware.
According to Proofpoint, the early version of Zeus Panda was also spread using web injects – a process by which cybercriminals intercept online banking traffic and modify banking sites on infected computers in order to carry out man-in-the-browser (MITB) attacks. In carrying out MITB attacks, threat actors infect a web browser to modify web pages of banks, online casinos and international online payment systems and modify the transaction content.
How to Prevent Zeus Panda Attacks
In order to prevent being a victim of the Zeus Panda malware, it’s important to think twice before clicking anything online and opening an email attachment. As shown by the new version of Zeus Panda, it’s important to remain discerning and vigilant in the results of a Google search.
Cisco researchers who discovered the new version of Zeus Panda said, “Having a sound, layered, defense-in-depth strategy in place will help ensure that organizations can respond to the constantly changing threat landscape.”
Steve E. Driz