"As a web developer, I'm constantly monitoring and maintaining all of my websites and servers. It can be a time-consuming and tedious task. We [web developers] study and execute these tasks for many reasons. One big one is to prevent hackers from using your website for their sketchy business."
Today's example: a criminal group that has been spreading a new version of the Zeus Panda banking Trojan.
Instead of relying on old techniques of malvertising and spam campaigns, this group has taken a novel approach, never before seen in the distribution of banking Trojans.
The group leveraged the favorable Google SERP (Search Engine Results Pages) ranking of the hacked sites to position these malicious pages at the top of Google search results for specific queries related to online banking and personal finances.
For example, a person searching for "al rajhi bank working hours in ramadan" would see a malicious link ranked at the top of Google search results.
Malware group combines SEO spam and malvertising
This tangled chain of URL redirections is characteristic of malvertising campaigns, which bounce users from sites running tainted ads to exploit kits, tech support scams, or fake software updaters.
The Zeus Panda group essentially combined SEO spam botnets (networks of hacked sites hiding secret keywords that boost the SEO reputation of other sites) with a classic malvertising-to-exploit-kit redirection chain.
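One check a site owner can run for the hidden-keyword injection described above, as an added example that is not code from the article or from Talos: it parses a page's HTML and reports every block hidden through inline style (or the hidden attribute), together with the links and finance-related terms it contains. The hiding-style patterns and the term list are assumptions to tune per site, and the sample page is constructed.

```python
from html.parser import HTMLParser
import re

# Inline styles commonly used to keep injected SEO text out of a visitor's view (assumed list).
HIDING_STYLE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden"
    r"|font-size\s*:\s*0(?:px)?(?=\s*(?:;|$))"
    r"|(?:left|top|text-indent)\s*:\s*-\d{3,}px", re.I)
VOID_TAGS = {"br", "img", "input", "meta", "link", "hr"}
# Constructed watch-list; tune it to the topics the SEO spam on your site targets.
FINANCE_TERMS = {"bank", "banking", "loan", "credit", "ramadan", "account"}

class HiddenBlockFinder(HTMLParser):
    """Collect text and links inside elements hidden through inline style."""
    def __init__(self):
        super().__init__()
        self.open_hidden = []   # per open element: does it start a hidden subtree?
        self.depth_hidden = 0   # hidden ancestors currently open
        self.text, self.links, self.findings = [], [], []
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        hides = "hidden" in a or bool(HIDING_STYLE.search(a.get("style") or ""))
        if self.depth_hidden and tag == "a" and a.get("href"):
            self.links.append(a["href"])
        if tag in VOID_TAGS:                # void elements never get an end tag
            return
        self.open_hidden.append(hides)
        self.depth_hidden += hides
    def handle_endtag(self, tag):
        if self.open_hidden and self.open_hidden.pop():
            self.depth_hidden -= 1
            if self.depth_hidden == 0:      # outermost hidden block closed: report it
                words = re.findall(r"[a-z]+", " ".join(self.text).lower())
                hits = sorted(set(words) & FINANCE_TERMS)
                self.findings.append({"words": len(words), "links": self.links, "terms": hits})
                self.text, self.links = [], []
    def handle_data(self, data):
        if self.depth_hidden:
            self.text.append(data)

def scan_html(html):
    p = HiddenBlockFinder(); p.feed(html); p.close()
    return p.findings

# Constructed page: a clean heading plus two injected, off-screen keyword blocks.
SAMPLE = """<html><body><h1>Our store</h1><p>Welcome.</p>
<div style="position:absolute;left:-9999px">al rajhi bank working hours in ramadan
<a href="http://spam.example/bank">bank hours</a> <a href="http://spam.example/loan">loan</a></div>
<div style="display:none"><span>cheap credit account</span></div></body></html>"""

if __name__ == "__main__":
    for finding in scan_html(SAMPLE):
        print(finding)
```

Run it over the HTML your own site actually serves (fetched as a crawler would see it), since injected blocks often live in templates or database content rather than in the files you edit.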
The Word document users received would be identical to the one they would get via a spam email. The only difference is how they got it, not what was inside.
Group pushed new Zeus Panda banking Trojan version
The Word file still relies on users enabling macro execution, which starts a series of hidden scripts that install a new variant of the Zeus Panda banking Trojan, previously analyzed by G Data's researchers.
Cisco Talos — who discovered this hybrid SEO-malvertising Zeus Panda distribution campaign taking place over the summer — has also released a report with technical details about the distribution campaign, the Google search queries for which malicious pages showed up, and extra details on the new Zeus Panda variant.
"The overall configuration and operation of the infrastructure used to distribute this malware was interesting as it did not rely on distribution methods that Talos regularly sees being used for the distribution of malware," Talos wrote in its report. "This is another example of how attackers regularly refine and change their techniques and illustrates why ongoing consumption of threat intelligence is essential for ensuring that organizations remain protected against new threats over time."