Global Nightmare for Organizations: Cyber Security Group Discovers Panda Illegal Crypto-Miners
On September 19, 2019, researchers at Cisco Talos Intelligence Group reported that a group known as Panda is the illegal crypto-mining operation behind the theft of cryptocurrency worth $90,000. According to the research, the group succeeded by using unauthorized mining malware and remote access tools (RATs). Its success apparently did not depend on sophisticated software; instead, it is reported that the group relied on persistence and a willingness to exploit weak points in web applications around the world. The research indicates that, by October 2018, Panda's malware configuration file had been downloaded more than 300,000 times by web application users around the world.
Cisco Talos Intelligence Group Research on Panda's Evolution
Cisco Talos first detected the group's crypto-miners in 2018 during the MassMiner campaign, a cryptocurrency-mining malware operation that attacked web servers using multiple exploits. The malware compromises a target and immediately tries to spread to other computers on the local network and to propagate itself across the internet.
MassMiner spreads through several exploits and through brute-force access to Microsoft SQL Servers. In 2018, Panda's RATs attacked Microsoft SQL Servers in an attempt to mine the Monero cryptocurrency (XMR).
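The brute-force access to Microsoft SQL Servers described above leaves a clear trace in the server's ERRORLOG: every failed login is recorded as event 18456 with the attempted user name and the client address. The following added example (written for this page, not code from the article or from Talos) parses a constructed sample of such log lines and flags any client that produced a burst of failures within a short window. The log format follows SQL Server's real "Login failed for user" message, but the timestamps, user names and client addresses are made up for the example, and the threshold and window are assumptions a defender would tune to their own environment.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of SQL Server ERRORLOG lines (addresses, users and
# timestamps are invented for this example). Error 18456 is the real
# "Login failed" event; it is normally logged as an "Error:" line followed
# by a "Login failed for user" line, which is the one we parse.
SAMPLE_ERRORLOG = """\
2019-09-19 02:14:01.10 Logon       Error: 18456, Severity: 14, State: 8.
2019-09-19 02:14:01.10 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2019-09-19 02:14:01.42 Logon       Error: 18456, Severity: 14, State: 8.
2019-09-19 02:14:01.42 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2019-09-19 02:14:02.05 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2019-09-19 02:14:02.61 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2019-09-19 02:14:03.18 Logon       Login failed for user 'admin'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2019-09-19 02:14:03.77 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2019-09-19 02:30:55.00 Logon       Login failed for user 'reporting'. Reason: Password did not match that for the login provided. [CLIENT: 10.0.0.7]
"""

# Matches the "Login failed for user" line and captures timestamp, user and client.
LOGIN_FAILED = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\.\d+\s+Logon\s+"
    r"Login failed for user '(?P<user>[^']*)'.*\[CLIENT: (?P<client>[^\]]+)\]"
)


def parse_login_failures(text):
    """Return a list of (timestamp, user, client) tuples for each failed login."""
    events = []
    for line in text.splitlines():
        m = LOGIN_FAILED.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
            events.append((ts, m["user"], m["client"]))
    return events


def find_bruteforce_sources(events, threshold=5, window=timedelta(minutes=1)):
    """Flag clients with at least `threshold` failed logins inside any `window`.

    Uses a sliding window over each client's sorted failure times, so a slow
    trickle of failures spread over hours does not trigger, but a burst does.
    """
    by_client = defaultdict(list)
    for ts, user, client in events:
        by_client[client].append((ts, user))

    alerts = {}
    for client, attempts in by_client.items():
        attempts.sort()
        times = [t for t, _ in attempts]
        start, peak = 0, 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            alerts[client] = {
                "max_in_window": peak,
                "users": sorted({u for _, u in attempts}),
            }
    return alerts


if __name__ == "__main__":
    for client, info in find_bruteforce_sources(parse_login_failures(SAMPLE_ERRORLOG)).items():
        print(f"possible brute force from {client}: {info['max_in_window']} failures "
              f"in one minute against users {info['users']}")
```

On the sample, only 203.0.113.5 is flagged (six failures in under a minute against 'sa' and 'admin'); the single failure from 10.0.0.7 is ignored. In practice the same logic can be fed from the Windows Application event log, where event 18456 is also written, and the alert should be paired with a check that the SQL Server is not reachable from the internet at all.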
Panda has since added Mimikatz, an open-source credential-dumping tool, to its toolkit. The group uses it on compromised systems to steal information such as usernames and passwords. Cisco Talos stated:
“They also frequently update their targeting; using a variety of exploits to target multiple vulnerabilities, and is quick to start exploiting known vulnerabilities shortly after public POCs become available, becoming a menace to anyone slow to patch.”
In its report, Talos says that Panda has attacked institutions in banking, healthcare, telecommunications, transportation, and information technology.
Panda Crypto-Miners Suspected to Be of Chinese Origin
First, Talos said, the name itself offers a slight clue. The hackers behind the malware do not seem concerned about operational security: Talos linked a domain registered by a Chinese actor called Panda to one that the Panda crew once used. The firm stated:
“Panda’s operational security remains poor, with many of their old and current domains all hosted on the same IP and their TTP remaining relatively similar throughout campaigns.”
Talos went on to reiterate that the payloads were not very sophisticated. The research team also analyzed a sample of the malware and found that its IP address geolocated to China.
The most informative clue was the ThinkPHP web framework that Panda exploited to spread its malware. The software is reportedly prevalent in China.
Panda's Exploits
Over the past month, research shows that Panda has updated its payload-hosting infrastructure, but the malware remains similar to the one the group used in May 2019.
In August 2019, Talos observed new command-and-control (C2) and payload-hosting infrastructure for Panda. In March 2019, Panda had upgraded its entire infrastructure, including subdomains. And in January 2019, Panda began exploiting the vulnerability in the ThinkPHP framework and used it to spread miners.
About The Author
Wayne Jones
I am Wayne, a blockchain enthusiast and expert in crypto trading. Currently, I cover trendy issues on digital currencies.