Skip to content

S0664 Pandora

Pandora is a multistage kernel rootkit with backdoor functionality that has been in use by Threat Group-3390 since at least 2020.1

Item Value
ID S0664
Associated Names
Type MALWARE
Version 1.0
Created 29 November 2021
Last Modified 15 April 2022
Navigation Layer View In ATT&CK® Navigator

Techniques Used

Domain ID Name Use
enterprise T1071 Application Layer Protocol -
enterprise T1071.001 Web Protocols Pandora can communicate over HTTP.1
enterprise T1543 Create or Modify System Process -
enterprise T1543.003 Windows Service Pandora has the ability to gain system privileges through Windows services.1
enterprise T1573 Encrypted Channel -
enterprise T1573.001 Symmetric Cryptography Pandora has the ability to encrypt communications with D3DES.1
enterprise T1068 Exploitation for Privilege Escalation Pandora can use CVE-2017-15303 to bypass Windows Driver Signature Enforcement (DSE) protection and load its driver.1
enterprise T1574 Hijack Execution Flow -
enterprise T1574.002 DLL Side-Loading Pandora can use DLL side-loading to execute malicious payloads.1
enterprise T1105 Ingress Tool Transfer Pandora can load additional drivers and files onto a victim machine.1
enterprise T1112 Modify Registry Pandora can write an encrypted token to the Registry to enable processing of remote commands.1
enterprise T1027 Obfuscated Files or Information Pandora has the ability to compress stings with QuickLZ.1
enterprise T1057 Process Discovery Pandora can monitor processes on a compromised host.1
enterprise T1055 Process Injection Pandora can start and inject code into a new svchost process.1
enterprise T1553 Subvert Trust Controls -
enterprise T1553.006 Code Signing Policy Modification Pandora can use CVE-2017-15303 to disable Windows Driver Signature Enforcement (DSE) protection and load its driver.1
enterprise T1569 System Services -
enterprise T1569.002 Service Execution Pandora has the ability to install itself as a Windows service.1
enterprise T1205 Traffic Signaling Pandora can identify if incoming HTTP traffic contains a token and if so it will intercept the traffic and process the received command.1

Groups That Use This Software

ID Name References
G0027 Threat Group-3390 1

References

Back to top