A new threat actor named "Panda" has generated thousands of dollars worth of the Monero cryptocurrency through the use of remote access tools (RATs) and illicit cryptocurrency-mining malware, shows a new report from Cisco’s Talos threat research team.
While not highly sophisticated, the Panda group is considered one of the most active attackers on today’s cybercriminal scene. The main focus of the group lies in exploitation vulnerable web applications worldwide using RATs and tools, including exploits previously used by Shadow Brokers (infamous group which is known for publishing information from the National Security Agency) and credential-dumping tool Mimikatz that allow it to traverse throughout networks for cryptocurrency mining and data theft purposes.
First reports on group’s activity began to emerge in the summer of 2018 when Panda launched widespread "MassMiner" campaign. Shortly thereafter, the group has been linked by the researchers to another widespread mining campaign with a different set of command and control (C2) servers. Panda has since updated not only the infrastructure, but also its arsenal of exploits and payloads. According to Cisco’s Talos, a list of Panda’s targets includes organizations in the banking, healthcare, transportation, telecommunications, and IT services industries.
In July of 2018, the group was observed exploiting a WebLogic vulnerability (CVE-2017-10271) to drop a miner that was associated with a "MassMiner" campaign. Panda used massscan to look for a variety of different vulnerable servers and then exploited several different vulnerabilities, including the aforementioned Oracle bug and a remote code execution vulnerability in Apache Struts 2 (CVE-2017-5638). A PowerShell post-exploit was used to download a miner payload called "downloader.exe," which was then saved in the TEMP folder under a simple number filename such as "13.exe".
“In all, we estimate that Panda has amassed an amount of Monero that is currently valued at roughly $100,000,” the researchers said.
The Panda threat group was also observed using Gh0st RAT and other hacking tools and exploits, such as the credential-theft tool Mimikatz and UPX-packed artifacts related to the Equation Group set of exploits.
In January of 2019, the group added a new twist to its campaigns by exploiting the vulnerability in the ThinkPHP web framework (CNVD-2018-24942) in order to spread similar malware. In March 2019, the threat actor updated its infrastructure, although tactics, techniques, and procedures (TTPs) remained the same.
Shortly after, Panda began leveraging an updated payload, which used Certutil tool to download the secondary miner payload. In June, Panda began targeting a newer WebLogic vulnerability, CVE-2019-2725, but didn’t change its TTPs.
Over the past month, Panda has switched to a new C2 and payload-hosting infrastructure, but hasn’t updated payload, which is relatively similar to the one it began using in May 2019. The sample also includes Panda's usual lateral movement modules that include Shadow Brokers' exploits and Mimikatz. In August, the attackers added another set of domains to their inventory, the researchers said
“Panda remains one of the most consistent actors engaging in illicit mining attacks and frequently shifts the infrastructure used in their attacks. They also frequently update their targeting, using a variety of exploits to target multiple vulnerabilities, and is quick to start exploiting known vulnerabilities shortly after public POCs become available, becoming a menace to anyone slow to patch,” Talos team warned.