11 Jun 2014
A new banking Trojan nicknamed Pandemiya is being promoted in hacker forums and underground online markets as an alternative to the infamous Zeus, according to an RSA blog post. The source code, which includes 25,000 lines of original code written in the C language, is retailed at around $1,500, RSA Security’s Fraud Action team says.
“Pandemiya’s coding quality is quite interesting, and contrary to recent trends in malware development, it is not based on Zeus source code at all, unlike Citadel/Ice IX, etc.,” RSA researchers said.
Pandemiya boasts the core features of known banking malware: a file grabber, encrypted communications with the control panel, and sign-off functionality to prevent analysis by network analyzer tools. Additional plug-ins are available for an extra $500 and include a reverse proxy, an FTP stealer and a portable executable (PE) infector that injects the malware at startup.
The Trojan is meant to collect and steal traffic data as well as credentials entered when authenticating on HTTP pages. It can also take screenshots of the victim’s computer screen or inject spoofed webpages requesting sensitive data.
Pandemiya can also load external plugin DLLs, allowing new features to be added quickly and the application’s capabilities to be expanded.
“The advent of a freshly coded new Trojan malware application is not too common in the underground. The design choice to make this malware modular and easy to expand upon with DLL plugins could make it more pervasive in the near future,” the study says.