Guest Post: Using BinaryEdge to hunt for Panda Banker C2 servers and Android Malware

Panda Banker is a trojan used for financially motivated targeted attacks on victims across the globe. The malware has been active since 2016, spreading through an initial phishing email and the malicious attachment accompanying it. Panda was first discovered by Fox-IT targeting the Netherlands with a malicious .doc attachment that exploited various vulnerabilities (CVE-2014-1761, CVE-2012-0158) and carried embedded macros to deliver Panda via multistage droppers.

Since then, Panda has been seen using different infection chains, such as being pushed through Emotet and Hancitor malspam, expanding from financial services to additional targets such as cryptocurrency exchanges and social media, and hitting more target countries as its activity grew over the years. Panda has also been seen targeting the US, Canada, Latin America and, most recently, targets in Asia such as Japan.

Panda has been extensively documented as using various C2 communication methods, embedded addresses, URI generation algorithms, and dynamic configurations.
The latest set of activity involving Panda's C2 hosts ties it to Android-based malware, with a 'throwback' to Panda's original financial goals.

Hunting with BinaryEdge

We'll be using BinaryEdge's platform to hunt for Panda C2 addresses and see whether any activity connected to the results can be uncovered on the platform. What we're trying to achieve is uncovering any related malware, metadata, additional addresses, or tools and techniques that can be extracted in connection with the initial search results.

BinaryEdge scan data can be queried for threat intelligence purposes and used to hunt for C2 activity such as Panda's, serving as an initial pivot in an investigation, since the platform constantly scans the worldwide IP space and extracts web information from what it finds.

On the enterprise side of the BinaryEdge platform you can launch fully customized scans using "modules": scans that run on BinaryEdge's infrastructure in real time with the configuration you define.

The BinaryEdge HTTP(S) module allows you to craft fully custom HTTP requests; it follows redirects, retrieves the HTTP content and headers, and screenshots the website running on the target.

One little-known fact is that BinaryEdge on-demand scans can also target hostnames, not just IP addresses, and the modules are fully compatible with both.

In the case of Panda and its control communications, BinaryEdge's search engine was queried for a known text-based signature embedded in the control panel of Panda C2 hosts, similar to one that had been found in another version:

Using the 'http.body' query, which searches the body of every scanned web page for a match, the peculiar copyright signature used by the Panda panel returned interesting results that we can now look at and go over.

(Screenshot: BinaryEdge http.body search results)

111 exact results were found, all containing that unique string embedded in their web page. By loading these IP addresses into a custom on-demand job, we can use the HTTP module to screengrab all the HTTP services running on these hosts.
A quick look at the screen grabs of the results shows us what this looks like in a browser:

(Screenshot: HTTP module screengrab of one result)

What we are actually seeing is a live Panda C2 login panel.

Going over the BinaryEdge results from our query and their accompanying scan data shows us that not only do these servers host web services, but many of them also have port 3389 open with Remote Desktop Protocol enabled. The RDP module automatically takes a screenshot of the RDP service if it encounters one during a scan:

(Screenshot: RDP module capture)

(Screenshot: RDP module capture)

So we can see for ourselves what these machines are running over RDP in addition to the web panel.

With the data we've accumulated so far, these IP addresses can be taken further and pivoted through malware analysis search engines such as VirusTotal, so an investigation into what is being served through these addresses and control panels can commence.

We still don't actually know what malware activity, if any, is being conducted through these addresses; at this stage we only see a C2 panel. Looking up any files communicating with the retrieved IP addresses is therefore the next natural step in such an investigation.

Analysis

In this case, once the addresses are pivoted to VirusTotal, files such as the one shown below are found connected to them.
(Screenshot: VirusTotal communicating files)

The communicating files that VirusTotal shows as connected to the IP addresses in our original BinaryEdge list are Android APK files. This makes the malware quickly stand out as different from the original Panda Banker, since it hits a different platform than the original Panda campaign, which targeted Windows.
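The hunt-and-pivot workflow above, as an added example that is not the post's own tooling: it builds the http.body query, dedupes the search hits to IPs, and asks VirusTotal for communicating files typed as Android. The endpoint paths and JSON field names are assumptions about the public BinaryEdge v2 and VirusTotal v3 APIs, the panel signature is a placeholder (the post shows it only in a screenshot), and the sample responses are constructed.

```python
import json
import urllib.parse
import urllib.request

# Endpoint paths and JSON field names are assumptions about the public
# BinaryEdge v2 and VirusTotal v3 APIs, not taken from the post.
BE_SEARCH = "https://api.binaryedge.io/v2/query/search"
VT_COMM = "https://www.virustotal.com/api/v3/ip_addresses/{ip}/communicating_files"
PANEL_SIGNATURE = "<PANDA PANEL COPYRIGHT STRING FROM SCREENSHOT>"  # placeholder

def build_query(signature: str) -> str:
    """Wrap the signature in quotes so http.body matches the exact phrase."""
    return 'http.body:"%s"' % signature.replace('"', '\\"')

def fetch_json(url: str, headers: dict) -> dict:
    """Online helper used by pivot(); the offline checks never call it."""
    req = urllib.request.Request(url, headers=headers)
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)

def ips_from_search(page: dict) -> set:
    """Unique target IPs from one BinaryEdge search page (events[].target.ip);
    a host listed for several ports, e.g. 80 and 3389, is counted once."""
    return {e["target"]["ip"] for e in page.get("events", []) if "target" in e}

def android_files(vt_page: dict) -> list:
    """(sha256, names) for communicating files VirusTotal types as Android."""
    hits = []
    for f in vt_page.get("data", []):
        attrs = f.get("attributes", {})
        if "Android" in attrs.get("type_description", ""):
            hits.append((f["id"], attrs.get("names", [])))
    return hits

def pivot(be_key: str, vt_key: str, signature: str = PANEL_SIGNATURE) -> dict:
    """Online run: panel signature -> C2 IPs -> Android samples talking to each."""
    url = BE_SEARCH + "?" + urllib.parse.urlencode({"query": build_query(signature)})
    ips = ips_from_search(fetch_json(url, {"X-Key": be_key}))
    return {ip: android_files(fetch_json(VT_COMM.format(ip=ip), {"x-apikey": vt_key}))
            for ip in sorted(ips)}

# Constructed sample responses (TEST-NET addresses) so the parsers run offline.
SAMPLE_SEARCH = {"total": 3, "events": [
    {"target": {"ip": "192.0.2.10", "port": 80}},
    {"target": {"ip": "192.0.2.10", "port": 3389}},
    {"target": {"ip": "192.0.2.11", "port": 80}}]}
SAMPLE_VT = {"data": [
    {"id": "a" * 64, "attributes": {"type_description": "Android", "names": ["org.phone.pub.ok-1.apk"]}},
    {"id": "b" * 64, "attributes": {"type_description": "Win32 EXE", "names": ["dropper.exe"]}}]}
```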

Some of the other samples have IP addresses from the list hardcoded into the malware itself; others are seen communicating with them and with new IP addresses we haven't seen before.
Once we look at the malware itself we can see how it behaves and take further notes: this specific malicious APK calls one of the C2 hosts we previously found for commands and data extraction, as can be seen from the behavior analysis of this sample:

Behaviour:
Access network
Detail info:
host:/.117.137. port:80
Behaviour:
Access network state
Detail info:
NetworkInfo: type: WIFI[], state: CONNECTED/CONNECTED, reason: (unspecified), extra: freewifi, roaming: false, failover: false, isAvailable: true, isConnectedToProvisioningNetwork: false
Behaviour:
Send network data
Detail info:
operation:send host:/.117.137. port:80 data:data:POST /mobile/method1/Y HTTP/1.1 Content-Type: application/json Content-Length: 448 Host: 103.117.137.115 Connection: Keep-Alive Accept-Encoding: gzip
operation:send host:/.117.137. port:80 data:data:61c85e7d87f1fba905eacca1aa12aef4b4a9f4da9f98f8c80bcf3c9051c950747c42c1ac95d605b583395c1c570bf7f821e9656c67885a73474d5daaa8faad199a7bbef1cd53dd664530006f17eaff637b6b376a2f226fe048685b1be17c1d19a74d233e5628780bfee511824c4737bf32387f069727c5e7f620cd15db6a0b1ec40b81e5d315f6c28e2faf0638b4f0d764561c5d2e3a2c7a82dea2173facbda3b159792129d0fa4da3cd6e834ab0b4a9efe6621f926ded7ca0b87dd4c1add74183f279efb6a61a968ed2cacfc2128eb1a1e5beeeb82e1dad827d22a7cd55f2b4
operation:send host:/.117.137. port:80 data:data:POST /mobile/method5/17994aca02d7dc3c024669e025782214?type=toOnCall HTTP/1.1 Content-Type: application/json Content-Length: 160 Host: 103.117.137.115 Connection: Keep-Alive Accept-Encoding: gzip a9472d71402ddafbb1c618949f8fb4227ce0572653437d399dc928e739d018e93ac790501e9b7448f7c7183404c27d7396e1e94411c96c923a9a96e833a0dd28cea5097fd515d30abee7707763362531
operation:send host:/.117.137. port:80 data:data:POST /mobile/method5/17994aca02d7dc3c024669e025782214?type=toOnCall HTTP/1.1 Content-Type: application/json Content-Length: 128 Host: 103.117.137.115 Connection: Keep-Alive Accept-Encoding: gzip 08bb05fcdd5c9eb4aabccd54f9f289666959c0d924fb3dd72156dd464d227bca99ca934c407738b57ad4ec4464b575259818a252092e64c075fec46a2be4949f
Behaviour:
Initialize URL
Detail info:
u'file', u'', u'-1', u'/data/app/org.phone.pub.ok-1.apk', u'null'
u'jar:file:/data/app/org.phone.pub.ok-1.apk!/META-INF/services/com.alibaba.fastjson.serializer.AutowiredObjectSerializer'
Behaviour:
Initialize URI
Detail info:
http://.117.137./mobile/method1/Y
http://.117.137.
http://.117.137./mobile/method5/17994aca02d7dc3c024669e025782214?type=toOnCall
/mobile/method1/Y
/mobile/method5/17994aca02d7dc3c024669e025782214?type=toOnCall
http://.117.137./mobile/method8/17994aca02d7dc3c024669e025782214
Behaviour:
Read URL data
Detail info:
N/A
Behaviour:
Monitor network data
Detail info:
u'[email protected]', u'32'
Behaviour:
Receive network data
Detail info:
host:/.117.137. port:80 data:data:HTTP/1.1 403 Forbidden Date: Tue, 5 Apr 2016 06:48:08 GMT Connection: close Cont

(Screenshot of the behaviour report. Source: VirusTotal)
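Extracting indicators from a report like the one above, as an added example that is not from the post: it parses the Behaviour:/Detail info: blocks, pulls out the HTTP requests the sample sent, and reduces them to C2 URLs for blocking or log searching. REPORT is a constructed excerpt built from the request lines quoted above, and the /mobile/methodN/ path pattern is an assumption drawn only from this sample.

```python
import re

# Constructed excerpt in the Behaviour:/Detail info: layout of the report quoted
# in the post (request lines from that report, the encrypted chunk shortened).
REPORT = """Behaviour:
Send network data
Detail info:
operation:send host:/.117.137. port:80 data:data:POST /mobile/method1/Y HTTP/1.1 Content-Type: application/json Content-Length: 448 Host: 103.117.137.115 Connection: Keep-Alive
operation:send host:/.117.137. port:80 data:data:POST /mobile/method5/17994aca02d7dc3c024669e025782214?type=toOnCall HTTP/1.1 Content-Type: application/json Host: 103.117.137.115 Connection: Keep-Alive
operation:send host:/.117.137. port:80 data:data:08bb05fcdd5c9eb4aabccd54f9f28966
Behaviour:
Receive network data

Detail info:
host:/.117.137. port:80 data:data:HTTP/1.1 403 Forbidden Date: Tue, 5 Apr 2016 06:48:08 GMT
"""

# One request line: port, HTTP method, path, then the Host header if present.
REQ = re.compile(r"operation:send host:\S+ port:(\d+) data:data:([A-Z]+) (\S+) HTTP/1\.\d(?:.*?Host: (\S+))?")
PANDA_URI = re.compile(r"^/mobile/method\d+/")  # path shape used by this sample (assumption)

def parse_blocks(text: str) -> dict:
    """Group each 'Detail info' line under its 'Behaviour' name."""
    blocks, name = {}, None
    lines = iter(text.splitlines())
    for line in lines:
        if line.strip() == "Behaviour:":
            name = next(lines, "").strip()
            blocks.setdefault(name, [])
        elif name and line.strip() and line.strip() != "Detail info:":
            blocks[name].append(line)
    return blocks

def extract_requests(blocks: dict) -> list:
    """(method, path, host, port) per HTTP request the sample sent; encrypted
    body chunks carry no request line and are skipped."""
    found = []
    for line in blocks.get("Send network data", []):
        m = REQ.search(line)
        if m:
            port, method, path, host = m.groups()
            found.append((method, path, host, int(port)))
    return found

def c2_urls(reqs: list) -> list:
    """Sorted unique C2 URLs (query string dropped) whose path matches the
    /mobile/methodN/ shape, ready for a blocklist or proxy-log search."""
    urls = {"http://%s%s" % (host, path.split("?")[0])
            for _, path, host, _ in reqs if host and PANDA_URI.match(path)}
    return sorted(urls)
```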

This malicious Android application steals data, extracting key information such as location data, phone contacts and the device's phone number, and contacts the C2 for further commands from the attacker.

On the surface these malware samples look unrelated to and disconnected from the original Panda variant, but they seem to be piggybacking on Panda Banker's infrastructure and using its C2 capabilities. Either way, the activity can now be tracked, analyzed further for more malware samples and added to blocklists, on top of campaign tracking. This specific variant seems to be aimed at Korean targets.

BinaryEdge and similar solutions are great tools to have in your arsenal for threat hunting and tracking malicious activity, especially as a pivot point for further investigation: they provide excellent resources for data collection and for making connections that can then be taken further by other means in your investigation or threat hunt.

This is a guest blog post written by Andrei Kornev from www.deependresearch.org, a non-profit team that does malware research.