1. Home
  2. Software
  3. Pandora

Pandora

Pandora is a multistage kernel rootkit with backdoor functionality that has been in use by Threat Group-3390 since at least 2020.[1]

ID: S0664
Type: MALWARE
Platforms: Windows
Version: 1.0
Created: 29 November 2021
Last Modified: 15 April 2022
Version Permalink
Enterprise Layer
download view

Techniques Used

Domain ID Name Use
Enterprise T1071 .001 Application Layer Protocol: Web Protocols

Pandora can communicate over HTTP.[1]
Enterprise T1543 .003 Create or Modify System Process: Windows Service

Pandora has the ability to gain system privileges through Windows services.[1]
Enterprise T1573 .001 Encrypted Channel: Symmetric Cryptography

Pandora has the ability to encrypt communications with D3DES.[1]
Enterprise T1068 Exploitation for Privilege Escalation

Pandora can use CVE-2017-15303 to bypass Windows Driver Signature Enforcement (DSE) protection and load its driver.[1]
Enterprise T1574 .002 Hijack Execution Flow: DLL Side-Loading

Pandora can use DLL side-loading to execute malicious payloads.[1]
Enterprise T1105 Ingress Tool Transfer

Pandora can load additional drivers and files onto a victim machine.[1]
Enterprise T1112 Modify Registry

Pandora can write an encrypted token to the Registry to enable processing of remote commands.[1]
Enterprise T1027 Obfuscated Files or Information

Pandora has the ability to compress stings with QuickLZ.[1]
Enterprise T1057 Process Discovery

Pandora can monitor processes on a compromised host.[1]
Enterprise T1055 Process Injection

Pandora can start and inject code into a new svchost process.[1]
Enterprise T1553 .006 Subvert Trust Controls: Code Signing Policy Modification

Pandora can use CVE-2017-15303 to disable Windows Driver Signature Enforcement (DSE) protection and load its driver.[1]
Enterprise T1569 .002 System Services: Service Execution

Pandora has the ability to install itself as a Windows service.[1]
Enterprise T1205 Traffic Signaling

Pandora can identify if incoming HTTP traffic contains a token and if so it will intercept the traffic and process the received command.[1]

Groups That Use This Software

ID Name References
G1021 Cinnamon Tempest

[2][3][4][5]
G0027 Threat Group-3390

[1]

References

  1. Lunghi, D. and Lu, K. (2021, April 9). Iron Tiger APT Updates Toolkit With Evolved SysUpdate Malware. Retrieved November 12, 2021.
  2. Microsoft. (2022, May 9). Ransomware as a service: Understanding the cybercrime gig economy and how to protect yourself. Retrieved March 10, 2023.
  3. Counter Threat Unit Research Team . (2022, June 23). BRONZE STARLIGHT RANSOMWARE OPERATIONS USE HUI LOADER. Retrieved December 7, 2023.
  1. Biderman, O. et al. (2022, October 3). REVEALING EMPEROR DRAGONFLY: NIGHT SKY AND CHEERSCRYPT - A SINGLE RANSOMWARE GROUP. Retrieved December 6, 2023.
  2. SecureWorks. (n.d.). BRONZE STARLIGHT. Retrieved December 6, 2023.