Emissary Panda, which also goes by other identikits such as APT27, IronTiger, BronzeUnion, TG-3390, and LuckyMouse , is a decade old Chinese APT. It primarily targets aerospace, government, defense, technology, energy, and manufacturing sectors. Not much is know about the activities of this group. This malware sample is allegedly one of there Trojan that disguised itself as a legitimate odbcad32.exe which is Open Database Connectivity Data Source Administrator utility by Microsoft. But this executable is not signed by Microsoft but by Hangzhou Bianfeng Networking Technology Co., Ltd China.
When executed it elevate privileges and drop two files - odbccx32.dll in the C:Windowssystem32 folder, and a randomly named batch file in the user's local temp folder. Net.exe was then launched with the parameters "stop "Remote Registry Configuration"". Next, rundll32.exe loads the aforementioned "odbccx32.dll", and then another net.exe is launched with the parameters "start "Remote Registry Configuration"". Once the malicious DLL is loaded via rundll32.exe, it then establishes persistence via a new service. Cmd.exe then executes the dropped batch file, which deletes the originally executed file, as well as the batch file itself.
Following this, Svchost.exe is executed and loads the malicious odbccx32.dll. It then drops the file "autochk.sys" in the C:Windowssystem32drivers folder, and reads the hosts file located in the C:Windowssystem32driversetchosts folder (this file contains the mappings of IP addresses to host names). Command & Control is then initiated to "yofeopxuuehixwmj.redhatupdater.com" over ports 53, 80, and 443. While this domain currently resolves to 220.127.116.11, no response was received from probing attempts, and no secondary payload was observed.
Emissary Panda RAT Signatures
Emissary Panda RAT Download