Pacha Group

(Type: -)

(Intezer) Antd is a miner found in the wild on September 18, 2018. Recently we discovered that the authors of Antd are actively delivering newer campaigns deploying a broad number of components, most of them completely undetected and operating within compromised third-party Linux servers. Furthermore, we have observed that some of the techniques implemented by this group are unconventional, and there is an element of sophistication to them. We believe the authors behind this malware are of Chinese origin. We have labeled the undetected Linux.Antd variants Linux.GreedyAntd and classified the threat actor as Pacha Group.

[News Analysis] Trends:

Total Trend: 2

Trend Per Year: 2019: 2

Trend Per Month: Feb 2019: 1; May 2019: 1


[News Analysis] News Mention Another Threat Name:

2 - GreedyAntd
2 - Pacha Group
2 - Rocke


[TTP Analysis] Technique Performance:



[TTP Analysis] Mitre Attack Matrix:

TA0043 Reconnaissance | TA0042 Resource Development | TA0001 Initial Access | TA0002 Execution | TA0003 Persistence | TA0004 Privilege Escalation | TA0005 Defense Evasion | TA0006 Credential Access | TA0007 Discovery | TA0008 Lateral Movement | TA0009 Collection | TA0011 Command and Control | TA0010 Exfiltration | TA0040 Impact


[Infrastructure Analysis] Based on Related IOC:

IP:Port Timestamp
Domain Timestamp
URL Timestamp


[Target Analysis] Region/Sector:

No information


References:

Basic Information (Credit @etda.or.th)

Actor: Pacha Group

Names: Pacha Group

Country: China

Motivation: Financial gain

First-seen: 2018

Tools: Antd, DDG, Korkerds, XMRig

Operations (2018-09): Intezer has evidence dating back to September 2018 which shows Pacha Group has been using a cryptomining malware that has gone undetected on other engines. https://www.intezer.com/blog-pacha-group-deploying-undetected-cryptojacking-campaigns/

Operations (2019-05): Pacha Group Competing against Rocke Group (Iron Group) for Cryptocurrency Mining Foothold on the Cloud. https://www.intezer.com/blog-technical-analysis-cryptocurrency-mining-war-on-the-cloud/

Information: https://www.intezer.com/blog-technical-analysis-pacha-group/

Last-card-change: 2020-04-15

Source: https://apt.etda.or.th/cgi-bin/listtools.cgi