Pandora

DEV-0401 differs from many of the attackers who rely on purchasing access to existing malware implants or exposed RDP to enter a network. Instead, the group heavily utilizes unpatched vulnerabilities to access networks, including vulnerabilities in Exchange, Manage Engine AdSelfService Plus, Confluence, and Log4j 2.

Upon execution, CatB payloads rely on DLL search order hijacking to drop and load the malicious payload. The dropper (versions.dll) drops the payload (oci.dll) into the System32 directory.

The content repeatedly describes threat actors and malware modifying, creating, deleting, or storing data in Windows Registry keys and values for persistence, configuration storage, defense evasion, credential access, privilege escalation, and execution. | Many malware families store configuration, payloads, encryption keys, C2 addresses, or other operational data in Registry keys, such as QakBot storing configuration in a randomly named subkey under HKCU\Software\Microsoft and PolyglotDuke writing encrypted JSON configuration files to the Registry.

Depending on the privileges of the process, the malware will add a value to the “Software\Microsoft\Windows\CurrentVersion\Run” key, or it will create a service that runs the malware at boot time.

The content repeatedly describes malware and threat actors injecting shellcode, DLLs, or payloads into legitimate processes such as svchost.exe, explorer.exe, iexplore.exe, cmd.exe, lsass.exe, and browser processes.

GuLoader has the ability to inject shellcode into a donor processes that is started in a suspended state. GuLoader has previously used RegAsm as a donor process. Cardinal RAT injects into a newly spawned process created from a native Windows executable.

Utilizes a known vulnerability (CPU-Z CVE-2017-15303) that allows it to read and write into physical memory and read CPU control registers to turn the DSE off.

Depending on the privileges of the process, the malware will add a value to the “Software\Microsoft\Windows\CurrentVersion\Run” key, or it will create a service that runs the malware at boot time.

On two occasions (in March and October 2020), we found a kernel rootkit that had been deployed... The rootkit has multiple stages before getting to the actual payload.

"Action RAT's commands, strings, and domains can be Base64 encoded within the payload." / "ADVSTORESHELL... strings... encrypted with an XOR-based algorithm; some strings are also encrypted with 3DES and reversed." / "APT29 has used encoded PowerShell commands." / "APT41 used VMProtected binaries..."

Examples include: “ComRAT has encrypted and stored its orchestrator code in the Registry…”, “ShadowPad maintains a configuration block and virtual file system in the Registry.”, and “QakBot can store its configuration information…under HKCU\Software\Microsoft.”

The launcher starts by instantiating the CLoadInfo object... Directory to copy all files %PROGRAMDATA%\Test\ ... Name of the legitimate executable dlpumgr32.exe ... Lastly, the launcher starts a suspended process with the command line “C:\Windows\system32\svchost.exe -k LocalServices,”and injects the appropriate shellcode into it.

The content repeatedly describes malware and threat actors injecting shellcode, DLLs, or payloads into legitimate processes such as svchost.exe, explorer.exe, iexplore.exe, cmd.exe, lsass.exe, and browser processes.

GuLoader has the ability to inject shellcode into a donor processes that is started in a suspended state. GuLoader has previously used RegAsm as a donor process. Cardinal RAT injects into a newly spawned process created from a native Windows executable.

The version we found is slightly different — the driver isn’t digitally signed but instead utilizes a known exploit to bypass Windows Driver Signature Enforcement (DSE) protection and load the driver directly into the system.

The CreationTime, LastWriteTime, and LastAccessTime will be updated according to the C:\Windows\system32\kernel32.dll file and their file attributes will be set to “hidden” and “system”.

Upon execution, CatB payloads rely on DLL search order hijacking to drop and load the malicious payload. The dropper (versions.dll) drops the payload (oci.dll) into the System32 directory.

The content repeatedly describes threat actors and malware modifying, creating, deleting, or storing data in Windows Registry keys and values for persistence, configuration storage, defense evasion, credential access, privilege escalation, and execution. | Many malware families store configuration, payloads, encryption keys, C2 addresses, or other operational data in Registry keys, such as QakBot storing configuration in a randomly named subkey under HKCU\Software\Microsoft and PolyglotDuke writing encrypted JSON configuration files to the Registry.

Pandora can use CVE-2017-15303 to bypass Windows Driver Signature Enforcement (DSE) protection and load its driver.

Registers WPF callback and filters incoming traffic with a predefined token... If the incoming traffic contains a token and is in the HTTP format, the backdoor will intercept the traffic and process the command.

Registers WPF callback and filters incoming traffic with a predefined token... If the incoming traffic contains a token and is in the HTTP format, the backdoor will intercept the traffic and process the command.

The content repeatedly describes malware and threat actors obtaining lists of running processes, using utilities such as tasklist, ps, WMI, Get-Process, CreateToolhelp32Snapshot, EnumProcesses, and similar APIs/commands to enumerate active processes on victim systems.

The content repeatedly describes threat actors and malware using HTTP and HTTPS for command and control, such as: "Sandworm Team used BlackEnergy to communicate between compromised hosts and their command-and-control servers via HTTP post requests."

The tool is used to hide the threat actors’ tools and services... file management functions (such as search, delete, move, upload, and download)

Attackers move directly to deploying ransomware by editing a Group Policy.