'Panda' Group Makes Thousands of Dollars Using RATs, Crypto-Miners

A new threat actor has generated thousands of dollars in the Monero cryptocurrency using remote access tools (RATs) and illicit cryptocurrency mining malware, Cisco’s Talos threat intelligence and research group revealed on Tuesday.


Although not highly sophisticated, the actor, which Talos refers to as Panda, is highly active, focused on persistently exploiting vulnerable web applications worldwide. The actor’s tools allow it to traverse networks, while the use of RATs also puts organizations at risk of data theft.


The group is capable of updating its infrastructure and exploits on the fly and relies on exploits released by Shadow Brokers for infiltration, as well as the open-source credential-dumping application Mimikatz.


Initially associated with last year’s MassMiner campaign, the threat actor was shortly after linked to another widespread mining campaign that used a different set of command and control (C&C) servers. Panda has since updated not only the infrastructure, but also its portfolio of exploits and payloads.


The cybercriminals, Talos’ security researchers say, have been observed targeting organizations in multiple industries, including those in the banking, healthcare, transportation, telecommunications, and IT services sectors.


In July 2018, the actor was exploiting a WebLogic vulnerability (CVE-2017-10271) to drop a miner associated with MassMiner. The hackers were mass-scanning for vulnerable servers and also attempted to exploit an Apache Struts 2 vulnerability (C ..