Banking malware and trojans are malicious software designed to steal sensitive financial information from users. Once installed, these Trojans can employ techniques such as keylogging and screen overlays to collect information secretly.
Cybersecurity analysts at Cleafy recently discovered a banking malware family dubbed “ToxicPanda” that has been actively targeting banking users to steal their login credentials.
Their October 2024 analysis found that ToxicPanda evolved from the “TgToxic” family, but with distinct code modifications.
ToxicPanda Banking Malware
To conduct account takeover (ATO) attacks, this remote access trojan (RAT) abuses the Android accessibility services to perform on-device fraud (ODF), which lets the threat actors control infected devices remotely.
The malware’s key capabilities include:
- Intercepting One-Time Passwords (OTPs)
- Bypassing two-factor authentication (2FA)
- Using obfuscation methods to avoid detection
What makes ToxicPanda notable is the unusual expansion of its Chinese-speaking operators into European and Latin American banking fraud.
More than 1,500 infected devices were documented; over half of them were in Italy, followed by Portugal, Spain, France, and Peru.
The infection shares by country are:
- Italy (56.8%)
- Portugal (18.7%)
- Hong Kong (4.6%)
- Spain (3.9%)
- Peru (3.4%)
The malware’s feature set includes SMS interception, remote device control, and the ability to push fraudulent transactions of up to €10,000 through instant payments.
It lacks ATS (Automatic Transfer System) capabilities and has fewer obfuscation routines than its predecessor. Cleafy attributes the absence of ATS to stricter banking regulation such as PSD2 in the newly targeted regions, which makes automated transfers less practical and pushes the operators toward manually driven fraud over the remote-control channel.
It also disguises itself with legitimate-looking icons of known brands such as Google Chrome and VISA to trick users into installing it. Distribution relies on side-loading driven by social engineering. Its C2 infrastructure resolves through Chinese DNS services (114DNS).
The ToxicPanda Android banking trojan uses a straightforward C2 communication scheme built around the following three hard-coded domains:
- dksu[.]top
- mixcom[.]one
- freebasic[.]cn
Its infrastructure includes a “Machine Management” interface that tracks the status of compromised devices.
According to the Cleafy report, the malware initiates communication with HTTPS requests to a host carrying a “ctrl” subdomain prefix, then switches to the WebSocket protocol for persistent, bidirectional communication.
Traffic is protected with AES in Electronic Codebook (ECB) mode under a hard-coded key (‘0623U2SKT3YY3QB9P’). ECB encrypts every 16-byte block independently, so identical plaintext blocks yield identical ciphertext blocks, and a key embedded in the APK means anyone with the sample can decrypt captured C2 traffic, which is useful for defenders but offers the operators little real confidentiality.
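The hard-coded domains and the “ctrl” subdomain prefix are the kind of static indicators a defender can match directly against DNS telemetry. The following Go program is an added example written for this page, not code from Cleafy or from the malware: it matches queried hostnames against the three published domains on label boundaries (so `notdksu.top` is not a hit) and notes when the `ctrl.` prefix is present. The log line format and the sample log entries are constructed for the example.

```go
package main

import (
	"fmt"
	"strings"
)

// The three hard-coded C2 domains from the Cleafy report, with the
// defanging brackets removed so they can be matched against log data.
var toxicPandaC2Domains = []string{"dksu.top", "mixcom.one", "freebasic.cn"}

// Indicator records why a DNS query was flagged.
type Indicator struct {
	Query    string
	C2Domain string
	CtrlHost bool // true when the "ctrl" subdomain prefix from the report is present
}

// matchC2 reports whether host is one of the C2 domains or a subdomain of one.
// The suffix check is anchored on a dot so that look-alike domains such as
// "notdksu.top" do not match.
func matchC2(host string) (string, bool) {
	h := strings.ToLower(strings.TrimSuffix(host, "."))
	for _, d := range toxicPandaC2Domains {
		if h == d || strings.HasSuffix(h, "."+d) {
			return d, true
		}
	}
	return "", false
}

// scanDNSLog reads lines of the constructed form "<timestamp> <client-ip> <qname> <qtype>"
// (an assumed, simplified log format) and returns an Indicator for every query
// that touches the C2 infrastructure.
func scanDNSLog(lines []string) []Indicator {
	var hits []Indicator
	for _, line := range lines {
		f := strings.Fields(line)
		if len(f) < 3 {
			continue // malformed line; skip rather than crash the scan
		}
		qname := f[2]
		if d, ok := matchC2(qname); ok {
			hits = append(hits, Indicator{
				Query:    qname,
				C2Domain: d,
				CtrlHost: strings.HasPrefix(strings.ToLower(qname), "ctrl."),
			})
		}
	}
	return hits
}

func main() {
	// Constructed sample log: two benign queries, one look-alike, two real hits.
	sample := []string{
		"2024-11-05T09:12:01Z 10.0.0.7 www.example.com A",
		"2024-11-05T09:12:03Z 10.0.0.7 ctrl.dksu.top A",
		"2024-11-05T09:12:04Z 10.0.0.9 notdksu.top A",
		"2024-11-05T09:12:05Z 10.0.0.9 mixcom.one A",
	}
	for _, h := range scanDNSLog(sample) {
		fmt.Printf("ALERT %s (C2 domain %s, ctrl prefix: %v)\n", h.Query, h.C2Domain, h.CtrlHost)
	}
}
```

Because the C2 traffic goes out over HTTPS and WebSocket, DNS logs (or the SNI in TLS metadata) are usually the cheapest place to spot these domains; the same matching function can be pointed at either source.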
The botnet’s command panel is operated by a Chinese-speaking threat actor group and gives them real-time remote access to infected devices for carrying out fraudulent transactions.
ToxicPanda lacks sophisticated features such as a domain generation algorithm (DGA); instead it keeps its infrastructure resilient through a “setCommandStyle” command
that lets the operators change the C2 domain remotely. Each infected device goes through a “login” step by transmitting a unique Device ID to the C2 server, which registers the bot and tracks it from then on.
After registration, the server issues commands according to the fraud campaign’s objectives. The simplicity of the architecture suggests the malware is either in an early stage of development or undergoing code modification.
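To make the registration exchange and the AES-ECB weakness concrete, here is an added Go example written for this page; it is not the malware’s code and does not reproduce its real key or message format. It builds a bot’s “login” message carrying a Device ID, encrypts it with hand-rolled AES-ECB (Go’s standard library deliberately omits ECB), and shows the two things an analyst cares about: two bots whose messages share a prefix produce identical leading ciphertext blocks, and anyone holding the hard-coded key can decrypt captured traffic. The 16-byte key, the JSON field names and the Device IDs are assumptions for illustration.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"encoding/hex"
	"errors"
	"fmt"
)

// Hypothetical 16-byte key standing in for the hard-coded key described in the
// report; the sample's real key is deliberately not reproduced here.
var exampleKey = []byte("EXAMPLE-KEY-0000")

// pkcs7Pad pads to a whole number of AES blocks without touching the input slice.
func pkcs7Pad(b []byte) []byte {
	n := aes.BlockSize - len(b)%aes.BlockSize
	out := make([]byte, len(b)+n)
	copy(out, b)
	for i := len(b); i < len(out); i++ {
		out[i] = byte(n)
	}
	return out
}

func pkcs7Unpad(b []byte) ([]byte, error) {
	if len(b) == 0 || len(b)%aes.BlockSize != 0 {
		return nil, errors.New("bad length")
	}
	n := int(b[len(b)-1])
	if n == 0 || n > aes.BlockSize || n > len(b) {
		return nil, errors.New("bad padding")
	}
	for _, c := range b[len(b)-n:] {
		if int(c) != n {
			return nil, errors.New("bad padding")
		}
	}
	return b[:len(b)-n], nil
}

// ecbEncrypt encrypts each block independently; identical plaintext blocks
// therefore produce identical ciphertext blocks.
func ecbEncrypt(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	pt := pkcs7Pad(plaintext)
	out := make([]byte, len(pt))
	for i := 0; i < len(pt); i += aes.BlockSize {
		block.Encrypt(out[i:i+aes.BlockSize], pt[i:i+aes.BlockSize])
	}
	return out, nil
}

// ecbDecrypt is what an analyst runs over captured C2 traffic once the key is
// pulled from the APK.
func ecbDecrypt(key, ciphertext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	if len(ciphertext)%aes.BlockSize != 0 {
		return nil, errors.New("ciphertext not block aligned")
	}
	out := make([]byte, len(ciphertext))
	for i := 0; i < len(ciphertext); i += aes.BlockSize {
		block.Decrypt(out[i:i+aes.BlockSize], ciphertext[i:i+aes.BlockSize])
	}
	return pkcs7Unpad(out)
}

// botLogin builds the registration message a bot would send with its Device ID.
// The JSON layout is an assumption for illustration, not the sample's format.
func botLogin(deviceID string) ([]byte, error) {
	msg := fmt.Sprintf(`{"cmd":"login","device_id":"%s"}`, deviceID)
	return ecbEncrypt(exampleKey, []byte(msg))
}

// sharedPrefixBlocks counts leading ciphertext blocks two messages have in
// common; under ECB this equals the number of identical leading plaintext blocks.
func sharedPrefixBlocks(a, b []byte) int {
	n := 0
	for i := 0; i+aes.BlockSize <= len(a) && i+aes.BlockSize <= len(b); i += aes.BlockSize {
		if !bytes.Equal(a[i:i+aes.BlockSize], b[i:i+aes.BlockSize]) {
			break
		}
		n++
	}
	return n
}

func main() {
	c1, _ := botLogin("a1b2c3d4e5f60001") // constructed Device IDs
	c2, _ := botLogin("a1b2c3d4e5f60002")
	fmt.Println(hex.EncodeToString(c1))
	fmt.Println(hex.EncodeToString(c2))
	fmt.Println("identical leading blocks:", sharedPrefixBlocks(c1, c2))
	pt, _ := ecbDecrypt(exampleKey, c1) // server side, or an analyst with the key
	fmt.Println("decrypted:", string(pt))
}
```

The two login messages differ only in the last character of the Device ID, so their first two 16-byte ciphertext blocks are byte-for-byte identical; a defender can fingerprint the protocol from that repetition alone, without the key, and with the key can read every command the panel sends.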