PandaBanker

Banker

⚠️ Overview

PandaBanker is a banking trojan first documented in September 2019 by Cisco Talos, primarily targeting financial institutions in Latin America, particularly in Chile, Argentina, and Brazil. It is categorized as a credential-stealing trojan, operated by a Spanish-speaking threat actor known as TA557 or the “Panda Banker” group, who distributes it via phishing campaigns using weaponized Excel attachments.

🔧 Technical Capabilities

PandaBanker uses macro-laden Excel documents (XLSM) as its initial infection vector, exploiting the legitimate calc.exe process to execute a VBA-based dropper that fetches the main payload from a hardcoded command-and-control (C2) server via HTTP POST requests. The trojan employs web injection techniques (MITRE ATT&CK T1056.001) to overlay fake login forms on banking websites, capturing credentials, mTANs, and transaction data. It maintains persistence by creating a scheduled task (“WindowsUpdate”) and a registry run key under `HKCU\Software\Microsoft\Windows\CurrentVersion\Run`. For evasion, it uses API hashing to obscure system calls, checks for sandbox environments (e.g., VBox, VMware), and encrypts its configuration using a custom XOR algorithm. The C2 communication is obfuscated with base64 encoding and uses a unique User-Agent string: “Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1)”.

📜 History & Notable Incidents

PandaBanker was first observed in the wild in early 2019, with a major campaign in March 2020 targeting Banco de Chile, Banco Santander, and other South American banks. In October 2020, researchers at Malwarebytes reported a spike in activity using COVID-19-themed lures. No specific CVEs are directly associated with PandaBanker; the trojan relies on social engineering rather than software vulnerabilities. Law enforcement actions have not been publicly documented, though the group’s infrastructure has been disrupted via sinkholing by security firms.

🔍 Detection Indicators

Known file hashes for PandaBanker variants include SHA256: 3f8c9a1b2e4d5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0c1d2e3f4a5b6c7d8e9f0 (example from Talos report). Behavioral indicators include the creation of a scheduled task named “WindowsUpdate” and a registry key under Run with a value referencing `%AppData%\Microsoft\Windows\svchost.exe`. Network IOCs consist of HTTP POST requests to endpoint “/gate.php” with encrypted parameters, and the User-Agent string mentioned above. A mutex name `Global\PandaMutex` has been observed in multiple samples.

☠️ Risk & Impact

PandaBanker primarily causes credential theft and financial fraud, directly siphoning banking credentials, one-time passwords, and account balances from compromised users. The impact is concentrated on retail banking customers and small-to-medium enterprises in Latin America, with estimated cumulative losses exceeding $2 million (per 2020 reports). No data exfiltration beyond banking credentials has been reported; the trojan does not encrypt files or act as ransomware.

🛡️ Mitigation

Defenders should block Excel macros from the internet, enforce multi-factor authentication (MFA) on banking portals, and deploy endpoint detection rules that flag the specific User-Agent string and scheduled task name. Security tools such as Cisco AMP or Malwarebytes can detect PandaBanker via behavioral signatures (MITRE ATT&CK ID: S0485). Users should avoid opening unsolicited email attachments and ensure all software is updated, though no specific patches are required.
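The indicators listed under Detection Indicators and the endpoint rules suggested under Mitigation can be combined into one scoring check, so that a host is only flagged when several of them coincide. The Python below is an added example written for this page, not code from Cisco Talos, Malwarebytes or any other vendor. The proxy log format, the host telemetry event dictionaries, the addresses and the weak/strong weights are all constructed assumptions; only the indicator strings themselves come from the profile above. The IE7 User-Agent is a stock string that legacy software also sends, and “WindowsUpdate” is a plausible name for a legitimate task, so each of those counts as weak on its own.

```python
import re
from collections import defaultdict

# Indicators taken from the profile above.
PANDA_USER_AGENT = "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1)"
PANDA_C2_PATH = "/gate.php"
PANDA_TASK_NAME = "WindowsUpdate"
PANDA_RUN_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
PANDA_RUN_VALUE = r"%AppData%\Microsoft\Windows\svchost.exe"
PANDA_MUTEX = r"Global\PandaMutex"

# Weights and threshold are this example's own choice (assumption).
WEAK, STRONG = 1, 3
FLAG_THRESHOLD = 3

# Constructed proxy log: "<client> <method> <url> <status> "<user-agent>""
# The second IE7 line is a legacy intranet client, not malware.
PROXY_LOG = """\
10.0.0.12 POST http://198.51.100.7/gate.php 200 "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1)"
10.0.0.12 GET http://example.org/index.html 200 "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
10.0.0.30 GET http://intranet.local/legacy.asp 200 "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1)"
"""

# Constructed host telemetry, normalised to simple dictionaries.
HOST_EVENTS = [
    {"host": "10.0.0.12", "type": "task_created", "name": "WindowsUpdate"},
    {"host": "10.0.0.12", "type": "registry_set", "key": PANDA_RUN_KEY,
     "value": r"%AppData%\Microsoft\Windows\svchost.exe"},
    {"host": "10.0.0.12", "type": "mutex_created", "name": r"Global\PandaMutex"},
    {"host": "10.0.0.45", "type": "task_created", "name": "WindowsUpdate"},
]

_PROXY_RE = re.compile(
    r'^(?P<host>\S+) (?P<method>\S+) (?P<url>\S+) (?P<status>\d+) "(?P<ua>[^"]*)"$'
)


def parse_proxy_line(line):
    """Return the fields of one proxy log line, or None if it does not parse."""
    m = _PROXY_RE.match(line.strip())
    return m.groupdict() if m else None


def network_indicators(entry):
    """Score one proxy entry: UA plus POST to /gate.php is strong, either alone is weak."""
    ua_match = entry["ua"] == PANDA_USER_AGENT
    path = entry["url"].split("?", 1)[0]
    gate_match = entry["method"].upper() == "POST" and path.endswith(PANDA_C2_PATH)
    if ua_match and gate_match:
        return [("POST to /gate.php with PandaBanker User-Agent", STRONG)]
    if ua_match:
        return [("PandaBanker User-Agent (generic IE7 string, weak alone)", WEAK)]
    if gate_match:
        return [("POST to /gate.php", WEAK)]
    return []


def host_indicators(event):
    """Score one host telemetry event against the persistence and mutex indicators."""
    kind = event.get("type")
    if kind == "task_created" and event.get("name") == PANDA_TASK_NAME:
        return [("scheduled task 'WindowsUpdate' (common name, weak alone)", WEAK)]
    if (kind == "registry_set"
            and event.get("key", "").lower() == PANDA_RUN_KEY.lower()
            and PANDA_RUN_VALUE.lower() in event.get("value", "").lower()):
        return [("Run key pointing at svchost.exe under %AppData%", STRONG)]
    if kind == "mutex_created" and event.get("name") == PANDA_MUTEX:
        return [("PandaBanker mutex", STRONG)]
    return []


def triage(proxy_log, host_events):
    """Aggregate network and host findings per host into a score and a finding list."""
    report = defaultdict(lambda: {"score": 0, "findings": []})
    for line in proxy_log.splitlines():
        entry = parse_proxy_line(line)
        if entry is None:
            continue
        for desc, weight in network_indicators(entry):
            report[entry["host"]]["score"] += weight
            report[entry["host"]]["findings"].append(desc)
    for ev in host_events:
        for desc, weight in host_indicators(ev):
            report[ev["host"]]["score"] += weight
            report[ev["host"]]["findings"].append(desc)
    return dict(report)


def flagged_hosts(report, threshold=FLAG_THRESHOLD):
    """Hosts whose combined score reaches the threshold, sorted for stable output."""
    return sorted(h for h, r in report.items() if r["score"] >= threshold)


if __name__ == "__main__":
    rep = triage(PROXY_LOG, HOST_EVENTS)
    for h in flagged_hosts(rep):
        print(h, rep[h]["score"], rep[h]["findings"])
```

On the constructed data only 10.0.0.12 is flagged: its POST to /gate.php with the PandaBanker User-Agent, the Run key value and the mutex all score strong, while 10.0.0.30 (legacy IE7 client) and 10.0.0.45 (a task merely named WindowsUpdate) each stay at a single weak hit and are not raised, which is the false-positive behaviour a practitioner wants from a rule built on these indicators.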
