Pandora
Pandora is ransomware reported in 2022, including activity targeting the automotive sector and deployment by the Microsoft-tracked actor DEV-0401.
Profile source: Ransomware.live opens in a new tabPandora
Family profile
Pandora is ransomware reported in 2022, including activity targeting the automotive sector and deployment by the Microsoft-tracked actor DEV-0401. This profile excludes the unrelated Windows backdoor and rootkit that also uses the Pandora name.
Ransomware.live
Operational record
Reporting
Research mentioning Pandora
Memory Analysis with Velociraptor - Part 2
20 Pandora yes
Chinese Entanglement | DLL Hijacking in the Asian Gambling Sector | SentinelOne
Since around 2021, HUI Loader variants have been deployed in operations involving the ransomware families LockFile, AtomSilo, NightSky, LockBit 2.0, and Pandora.
Process Injection, Technique T1055 - Enterprise | MITRE ATT&CK®
Pandora can start and inject code into a new svchost process.
CatB Ransomware: File Locker Steals Data via MSDTC DLL Hijacking
String similarities in the ransom notes as well as modifications left by the ransomware payloads suggest that CatB may be either an evolution or direct rebrand of the Pandora ransomware, which was active in early to mid-2022 and targeted the automotive industry.
Ransomware as a service: Understanding the cybercrime gig economy and how to protect yourself | Microsoft Security Blog
In February of 2022, DEV-0401 was observed deploying the Pandora ransomware family, primarily via unpatched VMware Horizon systems vulnerable to the Log4j 2 CVE-2021-44228 vulnerability.
Iron Tiger APT Updates Toolkit With Evolved SysUpdate Malware
On two occasions (in March and October 2020), we found a kernel rootkit that had been deployed. After analysis, it appears that this rootkit’s behavior is very similar to that of the NDISProxy driver and remote access trojan (RAT). We chose to call it “Pandora” based on the program database (PDB) path of the unpacked stage 2.
Create or Modify System Process: Windows Service, Sub-technique T1543.003 - Enterprise | MITRE ATT&CK®
Pandora has the ability to gain system privileges through Windows services.
Process Injection, Technique T1055 - Enterprise | MITRE ATT&CK®
Pandora can start and inject code into a new svchost process.