Pandora
Pandora is a multistage kernel rootkit with backdoor functionality that has been in use by Threat Group-3390 since at least 2020.[1]
Techniques Used
| Domain | ID | Name | Use | |
|---|---|---|---|---|
| Enterprise | T1112 | 修改注册表 |
Pandora can write an encrypted token to the Registry to enable processing of remote commands.[1] |
|
| Enterprise | T1543 | .003 | 创建或修改系统进程: Windows Service |
Pandora has the ability to gain system privileges through Windows services.[1] |
| Enterprise | T1573 | .001 | 加密通道: Symmetric Cryptography |
Pandora has the ability to encrypt communications with D3DES.[1] |
| Enterprise | T1574 | .002 | 劫持执行流: DLL Side-Loading |
Pandora can use DLL side-loading to execute malicious payloads.[1] |
| Enterprise | T1071 | .001 | 应用层协议: Web Protocols | |
| Enterprise | T1068 | 权限提升漏洞利用 |
Pandora can use CVE-2017-15303 to bypass Windows Driver Signature Enforcement (DSE) protection and load its driver.[1] |
|
| Enterprise | T1205 | 流量激活 |
Pandora can identify if incoming HTTP traffic contains a token and if so it will intercept the traffic and process the received command.[1] |
|
| Enterprise | T1027 | 混淆文件或信息 | ||
| Enterprise | T1569 | .002 | 系统服务: Service Execution |
Pandora has the ability to install itself as a Windows service.[1] |
| Enterprise | T1105 | 输入工具传输 |
Pandora can load additional drivers and files onto a victim machine.[1] |
|
| Enterprise | T1057 | 进程发现 | ||
| Enterprise | T1055 | 进程注入 |
Pandora can start and inject code into a new |
|
| Enterprise | T1553 | .006 | 颠覆信任控制: Code Signing Policy Modification |
Pandora can use CVE-2017-15303 to disable Windows Driver Signature Enforcement (DSE) protection and load its driver.[1] |
Groups That Use This Software
| ID | Name | References |
|---|---|---|
| G1021 | Cinnamon Tempest | |
| G0027 | Threat Group-3390 |
References
- Lunghi, D. and Lu, K. (2021, April 9). Iron Tiger APT Updates Toolkit With Evolved SysUpdate Malware. Retrieved November 12, 2021.
- Microsoft. (2022, May 9). Ransomware as a service: Understanding the cybercrime gig economy and how to protect yourself. Retrieved March 10, 2023.
- Counter Threat Unit Research Team . (2022, June 23). BRONZE STARLIGHT RANSOMWARE OPERATIONS USE HUI LOADER. Retrieved December 7, 2023.