Infrastructure linking PandorahVNC and MeshCentral

Sept. 27, 2024, 1:41 p.m.

Description

This analysis investigates PandorahVNC, a hidden VNC (hVNC) tool that gives an operator an invisible remote desktop session on the victim host, and its connections to a new service called AnonVNC. The report explores the online presence of the tool's creator, known as 'All_father', and examines the infrastructure used for both PandorahVNC and AnonVNC. It reveals links between these services and MeshCentral, a legitimate open-source remote session manager. The investigation uncovers potential new developments in the creator's toolkit, including the use of MeshCentral's Mesh Agent as a remote-access component. The report also discusses various threat actors who have leveraged PandorahVNC for malicious purposes, ranging from state-sponsored groups to cybercriminals.

Date

  • Created: Sept. 27, 2024, 1:22 p.m.
  • Published: Sept. 27, 2024, 1:22 p.m.
  • Modified: Sept. 27, 2024, 1:41 p.m.

Indicators

  • 94.131.121.91
  • 51.254.27.112
  • 141.95.6.166
  • 62.112.11.136
  • 66.94.109.162
  • validatax.com
  • vncapk.io
  • pandorahvnc.shop
  • hvncs.com
  • hiddenvnc.com
  • anonvnc.com
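The indicator list above is only useful once it is matched against telemetry. The following is an added example, not code from the original report or from its author: a small Python IOC matcher that undoes common defanging (hxxp, [.]), matches the listed IPs exactly, matches the listed domains by exact name or subdomain (so cdn.anonvnc.com hits anonvnc.com while notanonvnc.com does not), and runs over a few constructed proxy/DNS log lines. The log lines are invented for illustration; the indicators are copied from the list above.

```python
"""IOC matcher for the PandorahVNC / AnonVNC indicators.

Added example, not part of the original report. SAMPLE_LOGS below are
constructed for illustration and are not real traffic.
"""
import ipaddress
import re
from typing import Dict, Iterable, List, Optional

# Indicators copied from the report.
IOC_IPS = {
    "94.131.121.91", "51.254.27.112", "141.95.6.166",
    "62.112.11.136", "66.94.109.162",
}
IOC_DOMAINS = {
    "validatax.com", "vncapk.io", "pandorahvnc.shop",
    "hvncs.com", "hiddenvnc.com", "anonvnc.com",
}

# Loose token extractors; a production pipeline would parse each log
# format properly instead of regex-scanning free text.
_IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
_HOST = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.IGNORECASE)


def refang(text: str) -> str:
    """Undo common defanging so IOCs pasted from reports match raw logs."""
    return (text.replace("hxxp", "http")
                .replace("[.]", ".")
                .replace("(.)", ".")
                .replace("[:]", ":"))


def domain_hits(host: str) -> Optional[str]:
    """Return the IOC domain that host equals or is a subdomain of, else None."""
    host = host.lower().rstrip(".")
    for ioc in IOC_DOMAINS:
        if host == ioc or host.endswith("." + ioc):
            return ioc
    return None


def ip_hits(token: str) -> Optional[str]:
    """Return the token if it is a valid IPv4 address on the IOC list, else None."""
    try:
        addr = ipaddress.ip_address(token)
    except ValueError:
        return None  # the regex also matches junk like 999.1.1.1
    return str(addr) if str(addr) in IOC_IPS else None


def scan_line(line: str) -> List[str]:
    """Return the sorted list of IOCs observed in one log line."""
    text = refang(line)
    found = set()
    for tok in _IPV4.findall(text):
        ioc = ip_hits(tok)
        if ioc:
            found.add(ioc)
    for tok in _HOST.findall(text):
        ioc = domain_hits(tok)
        if ioc:
            found.add(ioc)
    return sorted(found)


def scan_lines(lines: Iterable[str]) -> Dict[int, List[str]]:
    """Map 1-based line number -> matched IOCs, omitting lines with no hit."""
    hits: Dict[int, List[str]] = {}
    for n, line in enumerate(lines, start=1):
        matched = scan_line(line)
        if matched:
            hits[n] = matched
    return hits


# Constructed sample input: a squid-style proxy line that reaches an IOC
# domain and IP, a benign proxy line, a BIND query log line, and a defanged
# line as an analyst might paste it into a ticket.
SAMPLE_LOGS = [
    "1727442000.123 210 10.0.0.5 TCP_MISS/200 1532 GET http://cdn.anonvnc.com/agent.bin - DIRECT/94.131.121.91 application/octet-stream",
    "1727442001.456 15 10.0.0.7 TCP_MISS/200 812 GET http://example.org/ - DIRECT/93.184.216.34 text/html",
    "Sep 27 13:22:01 dns named[1234]: client 10.0.0.9#5353: query: validatax.com IN A +",
    "analyst note: beacon to hxxp://vncapk[.]io/ and 51[.]254[.]27[.]112",
]

if __name__ == "__main__":
    for n, matched in scan_lines(SAMPLE_LOGS).items():
        print(f"line {n}: {', '.join(matched)}")
```

Suffix matching on domains is deliberate: hVNC and MeshCentral-style agents are often staged from a subdomain of the registered name, and an exact-match rule would miss that. The IP check goes through `ipaddress` so that malformed dotted tokens the regex picks up cannot produce a false hit.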

Attack Patterns

Malware and tooling:

  • GraphSteel
  • GrimPlant
  • AveMariaRAT
  • PandorahVNC
  • BitRAT

Threat actor:

  • All_father (alias of the PandorahVNC creator, per the description)

MITRE ATT&CK techniques:

  • T1021.001 Remote Services: Remote Desktop Protocol
  • T1556 Modify Authentication Process
  • T1136 Create Account
  • T1059.001 Command and Scripting Interpreter: PowerShell
  • T1571 Non-Standard Port
  • T1555 Credentials from Password Stores
  • T1021 Remote Services
  • T1559 Inter-Process Communication
  • T1547 Boot or Logon Autostart Execution
  • T1105 Ingress Tool Transfer
  • T1134 Access Token Manipulation
  • T1078 Valid Accounts
  • T1059 Command and Scripting Interpreter

Additional Information

  • Finance
  • Government
  • Ukraine