The Panda threat group responsible for the “MassMiner” cryptomining malware attack in 2018 has resurfaced. The Monero-mining group makes use of remote access tools (RATs) and various other crypto-mining malware to access and exploit vulnerable computers for mining cryptocurrency. The group’s methodology was not considered to be among the most sophisticated. However, the group has since updated its infrastructure to exploit new security vulnerabilities as they emerge.
According to a recent study conducted by Cisco’s Talos research team, the Panda threat group has resurfaced and its latest attack was as recent as August 2019. Researchers at the firm, Christopher Evans and David Liebenberg, stated,
“Panda’s willingness to persistently exploit vulnerable web applications worldwide, their tools allowing them to traverse throughout networks, and their use of RATs, means that organizations worldwide are at risk of having their system resources misused for mining purposes or worse, such as exfiltration of valuable information.”
The group has been known to exploit organizations in banking, healthcare, transportation, and IT services, netting about $100,000 in Monero so far. The research also found that the Panda group uses the same exploits previously used by the Shadow Brokers, a group infamous for publishing information from the National Security Agency.
The Evolution of Panda threat group
The Panda group came under the radar due to its infamous ‘MassMiner’ campaign in 2018, in which it used MassScan, a malware used for port scanning and finding vulnerabilities in servers to exploit. Once a vulnerable server was detected, the group would install malware that starts mining Monero on the target computer.
Researchers at Talos said that even though the threat group has updated its payload several times and selected new vulnerabilities to target, it has done little to change its tactics.