On September 19, 2019, Cisco Talos Intelligence Group researchers found out that Panda is the illegal crypto-miners behind the theft of Cryptocurrency worth $90,000. 
According to the research, the group was successful by using unauthorized mining malware and remote access tools (RATs). Apparently, their criteria did not rely entirely on software sophistication. Instead, it is reported that they relied on their software consistency in willingness to exploit weak points in web applications around the world. 

The research indicates that by October 2018, web applications’ users around the world have downloaded Panda’s malware configuration file more than 300,000 times.
<h2> Cisco Talos Intelligence Group Research on Panda’s Evolution</h2>
Cisco Talos first detected crypto-miners in2018 during the <a href="https://www.alienvault.com/blogs/labs-research/massminer-malware-targeting-web-servers">Mass Miner</a> campaign that was a discovery of Cryptocurrency mining malware, which attacks web servers using multiple exploits. The malware compromises a target and immediately tries to spread to other computers on the local network and propagate itself onto the internet.

Mass miner spreads through <a href="https://www.cryptoknowmics.com/crypto/fortnight-gamer-beware-of-syrk-crypto-stealing-ransomware/">different exploits</a> and brute force access to Microsoft SQL Servers. In 2018, such Panda RATs attacked Microsoft SQL servers in an attempt to mine Monero Cryptocurrency (XMR).

Panda has now updated its infrastructure to <a href="https://github.com/gentilkiwi/mimikatz">Mimikatz</a> open-source dumping application. They use it to compromise computer systems and steal information like passwords and usernames. Cisco Talos firm<a href="https://blog.talosintelligence.com/2019/09/panda-evolution.html"> stated</a>:
<blockquote>“They also frequently update their targeting; using a variety of exploits to target multiple vulnerabilities, and is quick to start exploiting known vulnerabilities shortly after public POCs become available, becoming a menace to anyone slow to patch.”</blockquote>
In their report, Talos says that Panda has attacked institutions in banking, healthcare, telecommunication, transportation, and information technology.
<h2>Panda Crypto-Miners Suspected to Be of Chinese Origin </h2>
First, the name, Talos said, gives a slight insight. The hackers behind the malware do not seem concerned about operational security. Talos linked a Chinese actor’s, called Panda, registered domain to that the Panda crew once used. 

The firm stated:
<blockquote>“Panda’s operational security remains poor, with many of their old and current domains all hosted on the same IP and their TTP remaining relatively similar throughout campaigns.” </blockquote>
Talos went on and reiterated that the payloads were not very sophisticated. 

The research team also analyzed a sample of the malware and found out that its IP address and location are from Chinese origins.

The most informative clue was the thehinkPHP web framework that was exploited by Panda to spread its malware. The software is reportedly prevalent in china.
<h2>Panda’s Exploits</h2>
Over the past month, research shows that Panda crypto-miners had perfomed an update of its payload-hosting infrastructure, but malware is still similar to the one they used in May 2019.

In August 2019, Talos observed the appearance of a new C2 payload-infrastructure on Panda. And in March 2019, Panda upgraded their entire infrastructures including subdomains. Then on Jan 2019, it is when Panda started to exploit the vulnerability in the ThinkPHP framework and used it to spread miners.

Global Nightmare for Organizations: Cyber Security Group Discovers Panda Illegal Crypto-Miners

Am Wayne, a Blockchain enthusiast and expert in crypto trading. Currently, I cover trendy issues on digital currencies.

Global Nightmare for Organizations: Cyber Security Group Discovers Panda Illegal Crypto-Miners

Top Picks