(Intezer) Antd is a miner found in the wild on September 18, 2018. Recently we discovered that the authors from Antd are actively delivering newer campaigns deploying a broad number of components, most of them completely undetected and operating within compromised third party Linux servers. Furthermore, we have observed that some of the techniques implemented by this group are unconventional, and there is an element of sophistication to them. We believe the authors behind this malware are from Chinese origin. We have labeled the undetected Linux.Antd variants, Linux.GreedyAntd and classified the threat actor as Pacha Group.
TA0043 | TA0042 | TA0001 | TA0002 | TA0003 | TA0004 | TA0005 | TA0006 | TA0007 | TA0008 | TA0009 | TA0011 | TA0010 | TA0040 |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
IP:Port | Timestamp |
---|
Domain | Timestamp |
---|
URL | Timestamp |
---|
2019-05-09 by Ignacio Sanmillan from Intezer
2019-02-28 by Ignacio Sanmillan from Intezer
Actor: Pacha Group
Names: Pacha Group
Country: China
Motivation: Financial gain
First-seen: 2018
Description: (Intezer) Antd is a miner found in the wild on September 18, 2018. Recently we discovered that the authors from Antd are actively delivering newer campaigns deploying a broad number of components, most of them completely undetected and operating within compromised third party Linux servers. Furthermore, we have observed that some of the techniques implemented by this group are unconventional, and there is an element of sophistication to them. We believe the authors behind this malware are from Chinese origin. We have labeled the undetected Linux.Antd variants, Linux.GreedyAntd and classified the threat actor as Pacha Group.
Tools: Antd
Tools: DDG
Tools: Korkerds
Tools: XMRig
Operations: 2018-09
Operations: Intezer has evidence dating back to September 2018 which shows Pacha Group has been using a cryptomining malware that has gone undetected on other engines. https://www.intezer.com/blog-pacha-group-deploying-undetected-cryptojacking-campaigns/
Operations: 2019-05
Operations: Pacha Group Competing against {{Rocke, Iron Group}} Group for Cryptocurrency Mining Foothold on the Cloud https://www.intezer.com/blog-technical-analysis-cryptocurrency-mining-war-on-the-cloud/
Information: https://www.intezer.com/blog-technical-analysis-pacha-group/
Last-card-change: 2020-04-15
Source: https://apt.etda.or.th/cgi-bin/listtools.cgi
TA0043 | TA0042 | TA0001 | TA0002 | TA0003 | TA0004 | TA0005 | TA0006 | TA0007 | TA0008 | TA0009 | TA0011 | TA0010 | TA0040 |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |