ZeuS Panda Trojan Spreads Through Google Search

The ingenuity of cyber criminals does not seem to stop, as every day they find more ways to infect multiple systems worldwide. The newest attack vector has the Zeus Panda Trojan enter target computers in multiple countries via corrupted Google Search results. This means that the people behind this infection are ready to go an extra mile to have their malware delivered. And it also means that users have to be more careful when they are about to click a search result link. It definitely translates into more stress, but it is always better to be safe than sorry.

What is Zeus Panda?

Zeus Panda did not appear out of nowhere. It has been a prominent Banking Trojan for many years. The main difference is that the criminals find more ways to infect systems with it, and it is the distribution methods that we should be the most aware of.

Of course, the most annoying part of the Zeus Panda infection is that the program does not have an interface. It means that when a computer gets infected with this Trojan, there is no way of telling whether you have this infection on-board or not unless you run a full system scan with a security application. So it means that the Trojan can be active on your system for quite a while before you detect it.

Zeus Panda is also notorious for being able to avoid detection and analysis. It checks for virtual environment and various analysis tools before running, so the Trojan makes sure that for most of the time it is launched on an actual system, rather than just a virtual machine.

Finally, the infection is very obvious about its origins because it does not infect a system if it detects that the device is based in Russia, Belarus, the Ukraine or Kazakhstan. The same applies, to the newest type of this Trojan that spreads via Google Search results. Computer security researchers say that upon the installation, Zeus Panda checks the keyboard mapping. And if the mapping matches any of the previously mentioned countries, the infection does not take place.

How does Zeus Panda use Google Search?

As mentioned, the newest wave of this banking Trojan infection employs Google Search results to spread around. So it does not really need to find target systems, the users find this infection themselves and “invite” it to their systems unwittingly.

This entire chain of infection starts with cyber criminals compromising legal websites. They corrupt legitimate pages and then embed their own content, ready to spread malware. When the site has been corrupted, cyber criminals make use of SEO (search engine optimization) techniques to make sure that their websites get to the first Google Search results page.

Now, what is SEO? SEO refers to a process of various actions that allows a website or a web page to become more visible among free search engine results. The practice takes into account how the search engine algorithms work, what users look for, what keywords are used the most often, and so on.

This Zeus Panda attack via Google Search results certainly takes into consideration the most frequently used keywords because security experts have found a list of keywords used by the infection to target a specific audience. The keywords, as reported by Cisco’s Talos Intelligence Group, include:

  • nordea Sweden bank account number
  • al rahji bank working hours during Ramadan
  • how many digits in karur vysya bank account number
  • free online books for bank clerk exam
  • how to cancel a cheque commonwealth bank
  • salary slip format in excel with formula free download
  • bank of baroda account balance check
  • sbi bank recurring deposit form

And many others. Judging from the keywords used in this scam, we can also tell which banks and which countries are targeted. For the most part, users in Sweden, India, Australia, and the Middle East (especially Saudi Arabia) should be more careful when they click search results about online banking. The banks or bank accounts that might be affected by this scam also include Nordea Sweden, Bank of Baroda, Axis Bank, State Bank of India, Al Rahji Bank, Commonwealth Bank of Australia, and so on.

Here you might ask, how is it possible for fake search results to rank that high on the results list when Google implements a lot of safety measures to avoid that? Computer security experts agree that Google’s constant effort to implement the use of “https” eventually has made it harder for cyber criminals to barge into the top of the search results. In order to do that, cyber criminals need to use encryption to bypass the “https” security and find out the necessary search listings. Albeit this kind of tactic requires a lot more time and effort, seeing how this Zeus Panda scam managed to use Google Search to infect users worldwide, we can tell that some criminals are ready to work harder to reach their objective.

How Does the Infection Take Place?

So now we know that this banking Trojan arrives through fake banking search results. When users click the corrupted link, it offers them to download an MS Word document. Supposedly, this document carries the information the users need. However, when that document is already on their computer, the users are urged to enable Macros. This is actually the first red flag because malicious infections (whether they come as MS Word or Excel files) often require enabled Macros to work. Hence, by enabling that function, users allow Zeus Panda Trojan to settle down on their computers.

As mentioned, it might take a long while before users notice that this malicious intruder entered their systems. The infection and its creators can use this time to steal as much sensitive data as possible. Computer security researchers maintain that regular system scans may help users detect such infections earlier. Also, careful web browsing habits should help users avoid similar intruders in the future. However, it should be pointed out that it might be hard to fight these inventive cyber criminals, so it is extremely important to keep sensitive banking data safe.


  1. Tim Berghoff. Analysis: ZeuS Panda. G Data Security Blog.
  2. Edmund Brumaghin, Earl Carter, Emmanuel Tacheau. Poisoning the Well: Banking Trojan Targets Google Search Results. Talos Intelligence.
  3. Jonathan Fairfield. Hackers are using Google Search results to spread dangerous banking Trojan. Thai Tech.
  4. Mark Mayne. Banking Trojan gang poisons Google results to spread malware: more comment. SC Magazine.
  5. Tom Spring. Poisoned Search Results Deliver Banking Malware. Threat Post.