Monero-mining Panda threat group resurfaces as Cisco’s Talos research team identify latest attack

The Panda threat group responsible for the “MassMiner” cryptomining malware attack in 2018, has resurfaced. The Monero mining group make use of remote access tools (RATs) and various other crypto-mining malwares to access and exploit vulnerable computers for mining cryptocurrencies. The group’s methodology was not considered to be among the most sophisticated ones. However, the group has now updated its infrastructure to exploit new security vulnerabilities over time.

According to a recent study conducted by Cisco’s Talos research team, the Panda threat group has resurfaced and its latest attack was as recent as August 2019. Researchers at the firm, Christopher Evans and David Liebenberg, stated,

“Panda’s willingness to persistently exploit vulnerable web applications worldwide, their tools allowing them to traverse throughout networks, and their use of RATs, means that organizations worldwide are at risk of having their system resources misused for mining purposes or worse, such as exfiltration of valuable information.”

The group has been known to exploit organizations in banking, healthcare, transportation, and IT services, netting about $100,000 in Monero as of now. The research also found that the Panda group uses the same exploits as previously used by Shadow Broker, a group infamous for publishing information from the National Security Agency.

The Evolution of Panda threat group

The Panda group came under the radar due to its infamous ‘MassMiner’ campaign in 2018, where it used MassScan, a malware used for port scanning and finding the various vulnerabilities in servers to exploit. Once a threat was detected, the group would then install a malware which starts mining Monero on the target computer.

Researchers at Talco said that even though the threat group has updated its payload several times along with selecting new vulnerability targets, it has done little to change its tactics. Evans explained,

“They attempt to hide their miners using the exact same popular techniques we see with other groups, Their infrastructure is predictable: I can usually peg a new Panda domain as soon as I see it in the data; they tend to just be iterations of each other.”

Evans also suggested several ways to detect mining activity on one’s computer. He said,

“There are several ways to detect mining activity but let’s focus on the simple solutions of patching and basic security controls. If you’re running a web-accessible WebLogic server that hasn’t been patched against vulnerabilities like CVE-2017-10271, it’s likely they have at least targeted the system for exploitation if not actually dropped a miner on it… In addition, if you don’t need it open to the Internet, take it off.”