Key findings
- The online presence of “all_father”, the user advertising PandorahVNC.
- The capabilities of PandorahVNC and other known threat actors that were observed using it.
- An infrastructure related to PandorahVNC which is advertised as “anonvnc” and is linked with the remote tool Mesh Central.
Introduction
Hidden Virtual Network Computing (HVNC) is a sophisticated form of remote access designed for stealthy control over an infected system. Unlike traditional VNC tools, HVNC operates covertly, ensuring that the infected user’s desktop environment remains unchanged and unsuspecting while the attacker manipulates a hidden desktop session.
HVNC malware is often employed in targeted attacks and is favoured for its ability to bypass traditional security measures. It enables attackers to remotely control the compromised machine, perform financial transactions, or access sensitive information without being detected by the victim. The use of HVNC has been associated with various cybercrime campaigns, particularly those targeting financial institutions and enterprises.
For this analysis, we will delve into the capabilities of PandorahVNC, exploring its infection vectors, infrastructure, and the implications of its deployment in the current threat landscape. We will also focus on an infrastructure linked with PandorahVNC that is currently being built to advertise a tool named “anonvnc”, related to MeshCentral remote session manager. By understanding the mechanisms and impact of these malware, cybersecurity professionals can better prepare defences and mitigate the risks associated with them.
On 10 March 2022, Florian Roth (@cyb3rops on X) made a tweet about PandorahVNC, exposing the content of one of its websites and asking his audience if this is “malware or legitimate software that has the same features and functions as malware?”. An OSINT investigation on PandorahVNC’s operator was made by SlashNext on 13 December 2023, but since we did not identify a complete analysis of this operator and its tool, we decided to start an investigation on this subject.
Intrinsec’s CTI services
Organisations are facing a rise in the sophistication of threat actors and intrusion sets. To address these evolving threats, it is now necessary to take a proactive approach in the detection and analysis of any element deemed malicious. Such a hands-on approach allows companies to anticipate, or at least react as quickly as possible to the compromises they face.
For this report, shared with our clients in July 2023, Intrinsec relied on its Cyber Threat Intelligence service, which provides its customers with high value-added, contextualized and actionable intelligence to understand and contain cyber threats. Our CTI team consolidates data & information gathered from our security monitoring services (SOC, MDR …), our incident response team (CERT-Intrinsec) and custom cyber intelligence generated by our analysts using custom heuristics, honeypots, hunting, reverse-engineering & pivots.
Intrinsec also offers various services around Cyber Threat Intelligence:
- Risk anticipation: which can be leveraged to continuously adapt the detection & response capabilities of our clients’ existing tools (EDR, XDR, SIEM, …) through:
-
- an operational feed of IOCs based on our exclusive activities.
- threat intel notes & reports, TIP-compliant.
-
- Digital risk monitoring:
-
- data leak detection & remediation
- external asset security monitoring (EASM)
- brand protection
-
For more information, go to www.intrinsec.com/en/cyber-threat-intelligence/.
