RSA MONTHLY FRAUD REPORT

FRAUD REPORT

PANDEMIYA EMERGES AS NEW MALWARE ALTERNATIVE TO ZEUS-BASED VARIANTS

June 2014

Pandemiya is a new commercial Trojan malware application that has recently been promoted in underground forums as an alternative to the more widely used Zeus Trojan and its variants. The fraudsters behind Pandemiya are currently advertising it for sale at $1,500 USD for the core application, or $2,000 USD for the core application plus plugins for additional functionality.

Pandemiya is designed to let a botmaster spy on an infected computer: it secretly steals form data, login credentials and files from the victim and takes snapshots of the victim's screen. The malware also injects fake pages into the browser in an effort to gather additional sensitive information from the victims themselves.

Like many other recent Trojans, Pandemiya includes protective measures that encrypt the communication with its control panel and hinder detection by automated network analyzers. An interesting aspect of the application is its modular design, which makes it easy to expand and add functionality.

Pandemiya's code is notable in that, contrary to recent trends in malware development, it is not based on the Zeus source code at all, unlike Citadel/Ice IX, Carberp and others. Through our research we found that the author of Pandemiya spent close to a year coding the application, and that it consists of more than 25,000 lines of original code. New features are added simply by writing new DLLs, which lets operators of the malware and other developers create plugins that expand the application's range of capabilities.



PANDEMIYA FEATURES

Core Features:

– Injects for the 3 leading internet browsers
– Grabbers for the 3 leading internet browsers
– Tasks
– File Grabber
– Loader (unique tasks & statistics)
– Signing of the botnet files to protect them from being hijacked by other fraudsters, and from being analyzed by security analysts or law enforcement.
– Encrypted communication with the panel (dynamic content + URI – never the same request/data – a kind of bulletproofing against network analyzers)

Additional Features (via plugins):

– Reverse Proxy
– FTP Stealer (with combination of an internal iFramer)
– PE infector (for startup)

Experimental Plugins (soon to be released/integrated):

– Reverse hidden RDP
– Facebook spreader

INFECTION AND INSTALLATION

As is typical with commercial Trojans, the infection and installation method is left up to the operator. Quite commonly the infection uses an exploit pack that generates a drive-by exploit page, infecting a PC the minute the browser lands on the page.

The Pandemiya installer is a single *.EXE file that executes the following actions on the victim PC:

1. Moves itself to the All Users/Application Data folder under a random name.

2. Adds a link to run the installer at system start, using a new value in the registry key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

3. Places a DLL with a random name into C:\Windows\System32. This DLL contains the full Trojan application.

4. Adds a registry value pointing to the DLL inside the registry key HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\AppCertDlls

Steps 3 and 4 write to System32 and to HKEY_LOCAL_MACHINE, so the installer needs administrative privileges on the victim PC. The last step relies on a little-documented Windows mechanism: whenever a process calls one of the CreateProcess family of APIs (CreateProcess, CreateProcessAsUser, CreateProcessWithLogonW, CreateProcessWithTokenW, WinExec), Windows loads every DLL listed under this key into the calling process before the child is created. Because virtually every long-lived process, Explorer in particular, launches other programs, Pandemiya uses this to get its code loaded into processes across the system as new programs are started.



The screenshot in the report shows how the Trojan writes the DLL to a file, loads it, and immediately calls the exported function named PluginRegisterCallbacks.

As a resilience measure, the Trojan DLL makes sure that Explorer.exe is injected with its code and re-injects itself when needed. This check is done every time the DLL is loaded, in other words whenever a new process is initiated.

System32 directory containing the new DLL created by Pandemiya

Note that the modification/creation date of this DLL differs from the dates of the other DLLs in the System32 directory, which is one practical way to spot the dropped file among the legitimate ones.

APPLICATION REMOVAL

Removal of the Pandemiya application is fairly simple:

1. Locate the registry key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run and identify the *.EXE filename in your user's 'Application Data' folder. Note the name, and delete the registry value.

2. Locate the registry key HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\AppCertDlls and find the value with the same name as the *.EXE file from the previous step. Note the DLL file name it points to, and remove the value from the registry.

3. Reboot the system. At this stage Pandemiya is still installed but no longer running.

4. Delete both files noted earlier. This removes the last traces of the Trojan.

Do not try to delete the files before the reboot: the DLL is mapped into running processes, so the deletion will fail. Once the files are gone, the system is clean.
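As an added example that is not part of the RSA report, the PowerShell below automates the triage implied by the installation description and the first two removal steps above. It assumes an elevated prompt running as the infected user, the registry paths named in the report, an assumed evidence folder C:\IR\pandemiya, and a heuristic of the example's own (mirroring the report's timestamp observation) that compares the dropped DLL's last-write date with the most common date among System32 DLLs. The function and variable names are the example's, not the report's.

```powershell
# Added example, not code from the RSA report. Finds and removes the Pandemiya
# persistence described above: a Run value pointing at an EXE under
# Application Data, paired with a random-named System32 DLL registered under
# AppCertDlls. Run from an elevated prompt as the infected user (HKLM and
# System32 need admin; the Run key is per-user).
$RunKey      = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$AppCertKey  = 'HKLM:\System\CurrentControlSet\Control\Session Manager\AppCertDlls'
$System32    = Join-Path $env:SystemRoot 'System32'
$EvidenceDir = 'C:\IR\pandemiya'   # assumed location for preserved copies

function Get-RegistryValues {
    # Each value under $Key as Name/Value/Path, with PowerShell's PS* metadata dropped.
    param([Parameter(Mandatory)][string]$Key)
    if (-not (Test-Path $Key)) { return }
    (Get-ItemProperty -Path $Key).PSObject.Properties |
        Where-Object { $_.Name -notlike 'PS*' } |
        ForEach-Object {
            $raw = [string]$_.Value
            # Quoted path, or the first token of an unquoted command line.
            $path = if ($raw -match '^"([^"]+)"') { $Matches[1] } else { ($raw -split '\s+')[0] }
            [pscustomobject]@{ Name = $_.Name; Value = $raw; Path = $path }
        }
}

function Find-PandemiyaPersistence {
    # One finding per AppCertDlls value. On a clean system the key is usually
    # absent or empty, so anything here deserves a look; a value whose name
    # matches a Run entry's EXE is the exact pattern the report describes.
    # ProgramData is where "All Users\Application Data" lands on Vista and later.
    $runEntries = Get-RegistryValues $RunKey |
        Where-Object { $_.Path -match 'Application Data|AppData|ProgramData' }
    # Heuristic (example's own): most common last-write date among System32
    # DLLs. Patched systems carry many dates, so treat a mismatch as a hint.
    $typicalDate = Get-ChildItem $System32 -Filter *.dll -ErrorAction SilentlyContinue |
        Group-Object { $_.LastWriteTime.Date } |
        Sort-Object Count -Descending | Select-Object -First 1 -ExpandProperty Name

    foreach ($dll in Get-RegistryValues $AppCertKey) {
        $exe = $runEntries | Where-Object {
            $n = [IO.Path]::GetFileName($_.Path)
            $n -eq $dll.Name -or [IO.Path]::GetFileNameWithoutExtension($n) -eq $dll.Name
        } | Select-Object -First 1
        $file      = Get-Item -LiteralPath $dll.Path -ErrorAction SilentlyContinue
        $lastWrite = if ($file) { $file.LastWriteTime } else { $null }
        $runName   = if ($exe) { $exe.Name } else { $null }
        $runPath   = if ($exe) { $exe.Path } else { $null }
        [pscustomobject]@{
            ValueName       = $dll.Name
            Dll             = $dll.Path
            InSystem32      = $dll.Path -like "$System32\*"
            DllLastWrite    = $lastWrite
            System32Typical = $typicalDate
            RunValueName    = $runName
            RunExe          = $runPath
        }
    }
}

function Remove-PandemiyaPersistence {
    # Steps 1 and 2 of the removal procedure, with evidence preserved first.
    # The files are NOT deleted here: the DLL is mapped into running
    # processes, so deletion belongs after the reboot (steps 3 and 4).
    param([Parameter(Mandatory)][pscustomobject]$Finding)
    New-Item -ItemType Directory -Path $EvidenceDir -Force | Out-Null
    $files = @($Finding.Dll, $Finding.RunExe) | Where-Object { $_ -and (Test-Path -LiteralPath $_) }
    foreach ($f in $files) {
        Copy-Item -LiteralPath $f -Destination $EvidenceDir -Force
        Get-FileHash -Algorithm SHA256 -LiteralPath $f |
            Out-File -FilePath (Join-Path $EvidenceDir 'hashes.txt') -Append
    }
    if ($Finding.RunValueName) { Remove-ItemProperty -Path $RunKey -Name $Finding.RunValueName }
    Remove-ItemProperty -Path $AppCertKey -Name $Finding.ValueName
    $files | Out-File -FilePath (Join-Path $EvidenceDir 'delete-after-reboot.txt') -Append
}

# Usage: inspect first, then remove, reboot, and delete the recorded files.
Find-PandemiyaPersistence | Format-List
# Find-PandemiyaPersistence | ForEach-Object { Remove-PandemiyaPersistence $_ }; Restart-Computer
# After reboot:
# Get-Content C:\IR\pandemiya\delete-after-reboot.txt | ForEach-Object { Remove-Item -LiteralPath $_ -Force }
```

Nothing in the script deletes the files: it records their paths and leaves the deletion for after the reboot, matching steps 3 and 4. Preserving copies and SHA-256 hashes before touching the registry keeps the sample available for analysis and indicator sharing, which a plain delete would destroy.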

CONCLUSION

The advent of a freshly coded new Trojan malware application is not too common in the underground. The design choice to make this malware modular and easy to expand with DLL plugins could make it more pervasive in the near future. However, the relatively high entry price and the low profile of this application have so far kept it from wide distribution. Only time will tell if its popularity rises. We'll be keeping an eye on its development.





Phishing Attacks per Month

RSA identified 38,992 phishing attacks in May, marking a 26% decrease from April's attack numbers. Based on this figure, RSA estimates phishing cost global organizations $332 million in losses in May.

US Bank Types Attacked

U.S. regional banks have continued to see an increase in phishing over the past three months, targeted by about one out of every three phishing attacks. (Chart categories: Credit Unions, Regional, National.)

Top Countries by Attack Volume

The U.S. remained the most targeted country in May with 73% of global phishing volume, followed by the UK, the Netherlands, and South Africa (chart slices: 73%, 6%, 3%, 3%).

Top Countries by Attacked Brands

U.S. brands remained the most affected by phishing in May, targeted by 30% of attacks. Brands in the UK, India, Italy, and Canada were collectively targeted by 25% of phishing attacks (chart slices: 10%, 7%, 4%, 4%).

Top Hosting Countries

The number of phishing attacks hosted in the U.S. increased 8%, up to 42% in May. Germany continues to be the second top hosting country.

Chart: Global Phishing Losses, May 2014. Source: RSA Anti-Fraud Command Center, June 2014.

CONTACT US

To learn more about how RSA products, services, and solutions help solve your business and IT challenges, contact your local representative or authorized reseller, or visit us at www.emc.com/rsa

©2014 EMC Corporation. EMC, RSA, the RSA logo, and FraudAction are trademarks or registered trademarks of EMC Corporation in the U.S. and/or other countries. All other trademarks mentioned are the property of their respective holders. JUNE RPT 0614
