A cryptocurrency hacking crew known as Panda has been identified by cybersecurity researchers, who report it to be among the most prolific sources of crypto attacks.

The group is thought to have amassed around $90,000 worth of cryptocurrency through undetected mining malware and so-called remote access tools (RATs). While researchers regard the group as comparatively unsophisticated in its approach, Panda has been active for a number of years, according to research conducted by Cisco Talos Intelligence Group.

The research highlights Panda's reliance on exploiting vulnerable web apps, which had resulted in over 300,000 downloads of the malware by October 2018.

According to the firm, the group has been targeting organisations that are slow to apply security updates to their web apps, a technique it has deployed continuously for maximum effect.

The group also frequently updates its targeting, using a variety of exploits against multiple vulnerabilities, and is quick to start exploiting known vulnerabilities shortly after public proof-of-concept (PoC) exploits become available, making it a menace to anyone slow to patch.

The group first came to light in 2018, after its successful MassMiner campaign was detected as a malicious cryptocurrency mining script that mined the alternative cryptocurrency Monero (XMR).

Since then, the group has shifted to greater reliance on Mimikatz, a credential-harvesting tool that allows it to collect sensitive information such as usernames and passwords. According to Talos research, Panda has been active across a range of industries, including targets in banking, transportation, telecommunications, IT services and healthcare.

There are suspicions that the mysterious group could be of Chinese origin; it is named after a domain belonging to the group, which was itself registered to a Chinese actor.

IP matching also points towards China, with the group seemingly making little effort to conceal its identity. Researchers have even identified the type of web framework used to spread the attacks, which is especially popular in China.

“Panda’s operational security remains poor, with many of their old and current domains all hosted on the same IP and their TTPs remaining relatively similar throughout campaigns. The payloads themselves are also not very sophisticated,” according to the research.

The identification of Panda serves as a reminder of the dangers posed by criminals using cryptocurrency mining scripts to exploit vulnerabilities in web apps for profit. With at least hundreds of thousands potentially affected, Panda looks to be one of the leading sources of crypto mining scams.
