Security researchers have identified a hacking group calling itself “Panda” that is reported to have stolen around $90,000 worth of cryptocurrency. The intrusions were carried out with remote access tools (RATs) and illicit cryptocurrency-mining malware. Researchers believe the crew originated in China.
Analysis of a malware sample also showed it requesting data from an IP-based geolocation service, which returned the machine’s IP address and placed it in China.
Talos analysts also found the group exploiting a vulnerability in the ThinkPHP web framework to spread its malware. The framework is popular in China.
Cisco’s Talos Intelligence Group reported that the group is not especially advanced but has been very active in attacking prominent cryptocurrency exchanges and transactions. It has already attacked firms in the banking, telecom, transportation, IT services and healthcare sectors.
Talos researchers also said the group is constantly probing blockchain companies and global web applications for security weaknesses. In October 2018, researchers reported that a configuration file had been downloaded from the Panda malware over 300,000 times. The group also relies on exploits previously employed by the Shadow Brokers, the crew that became infamous for stealing and publishing data from the US National Security Agency.
The firm said in a statement,
“They also frequently update their targeting, using a variety of exploits to target multiple vulnerabilities, and is quick to start exploiting known vulnerabilities shortly after public POCs become available, becoming a menace to anyone slow to patch.”
Panda operates through malware and has a large collection of RATs and other capable tools at its disposal.
First seen and investigated in mid-2018, the group was believed to be using malware that exploited multiple known vulnerabilities, at a time when the “MassMiner” campaign was in full swing. It also gained access to Microsoft SQL servers by brute-forcing logins in order to mine Monero (XMR), an alternative cryptocurrency.
Today, Panda uses the open-source tool Mimikatz to harvest credentials from compromised systems, gaining access to users’ usernames and passwords.
The researchers also noted the group’s lack of interest in operational security: its name is linked to a domain registered to a Mandarin-speaking actor who operated under the name “Panda.”
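Brute-forcing Microsoft SQL logins, as described above, leaves a dense trail of failed-login entries in the SQL Server error log. The script below is an added example of how a defender can spot that pattern; it is not code from the article or from Talos. The log lines are constructed in the style of a SQL Server ERRORLOG (error 18456 “Login failed for user”), the IP addresses are documentation ranges, and the threshold and window values are assumptions to be tuned per environment.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines in the style of a SQL Server ERRORLOG (not real data).
# One client hammers the 'sa' account, a second client fails twice hours apart,
# and one unrelated line is present to show that non-matching lines are ignored.
SAMPLE_LOG = """\
2019-09-17 10:15:01.23 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2019-09-17 10:15:01.41 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2019-09-17 10:15:02.07 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2019-09-17 10:15:02.88 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2019-09-17 10:15:03.12 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2019-09-17 10:15:03.60 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2019-09-17 10:16:30.00 Logon       Login failed for user 'report'. Reason: Password did not match that for the login provided. [CLIENT: 198.51.100.7]
2019-09-17 10:20:45.00 Logon       Login failed for user 'report'. Reason: Password did not match that for the login provided. [CLIENT: 198.51.100.7]
2019-09-17 10:21:00.10 spid52      Starting up database 'tempdb'.
"""

# Matches the timestamp, the failed user name and the client address of a
# "Login failed for user" entry. Fractional seconds are dropped.
LOGIN_FAILED = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\.\d+ Logon\s+"
    r"Login failed for user '(?P<user>[^']*)'.*\[CLIENT: (?P<client>[^\]]+)\]"
)


def parse_failed_logins(text):
    """Return a list of (timestamp, client_ip, user) for each failed login line."""
    events = []
    for line in text.splitlines():
        m = LOGIN_FAILED.match(line)
        if m:
            ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")
            events.append((ts, m.group("client"), m.group("user")))
    return events


def detect_bruteforce(events, threshold=5, window_seconds=60):
    """Sliding-window check: flag a client that produces `threshold` or more
    failed logins within `window_seconds`. Returns {client_ip: time of the
    event that crossed the threshold}. Threshold/window are assumed values."""
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)   # client_ip -> timestamps inside the window
    alerts = {}
    for ts, client, _user in sorted(events):
        q = recent[client]
        q.append(ts)
        # Drop timestamps that have fallen out of the window.
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) >= threshold and client not in alerts:
            alerts[client] = ts
    return alerts


if __name__ == "__main__":
    evts = parse_failed_logins(SAMPLE_LOG)
    for ip, when in detect_bruteforce(evts).items():
        print(f"possible brute force from {ip}, threshold crossed at {when}")
```

Running the block prints one alert for 203.0.113.5; the two widely spaced failures from 198.51.100.7 stay below the threshold. In practice the same counting logic applies to failed logins forwarded via Windows event 18456 or to a SIEM query, and the next defensive step is to block or rate-limit the offending source and confirm that the `sa` account is disabled or protected with a strong, unique password.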
The firm said:
“Panda’s operational security remains poor, with many of their old and current domains all hosted on the same IP and their TTPs remaining relatively similar throughout campaigns. The payloads themselves are also not very sophisticated.”