Emissary Panda DLL Backdoor

Last month’s post on this blog examined a backdoor previously thought to be associated with Emissary Panda (APT27). Recent reporting has instead shown that the HTTP listener examined is likely affiliated with Turla. That post has been updated with the corresponding corrections.

This post is a granular examination of a payload alluded to in a Palo Alto report that is tied to Emissary Panda with much higher confidence. While the payload wasn’t available for analysis in that report, VirusTotal pivoting at the time produced the matching file:

Filename: PYTHON33.hlp
MD5: 19c46d01685c463f21ef200e81cb1cf1
SHA1: ac4a264a76ba22e21876f7233cbdbe3e89b6fe9d
SHA256: 3e21e7ea119a7d461c3e47f50164451f73d5237f24208432f50e025e1760d428

This file is expected to be part of a DLL side-loading chain that involves a component of the legitimate Sublime Text editor (plugin_host.exe, also available on VirusTotal: f0b05f101da059a6666ad579a035d7b6) and a malicious DLL that this file will side-load:

Filename: PYTHON33.dll
MD5: bc1305a6ca71d8bdb3961bfd4e2b3565
SHA1: f189d63bae50fc7c6194395b2389f9c2a453312e
SHA256: 2dde8881cd9b43633d69dfa60f23713d7375913845ac3fe9b4d8a618660c4528
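
As an added example (not code from the original post), the following Python script turns the chain described above into a simple host check: it streams every file under a directory through SHA-256 and compares it against the two SHA256 values quoted in the post, and it flags any directory holding plugin_host.exe, PYTHON33.dll and PYTHON33.hlp side by side. The demo tree, file contents and directory names it builds are constructed placeholders, not the real samples.

```python
import hashlib
import os
import tempfile

# SHA256 values quoted from the post above.
KNOWN_SHA256 = {
    "3e21e7ea119a7d461c3e47f50164451f73d5237f24208432f50e025e1760d428": "PYTHON33.hlp (payload)",
    "2dde8881cd9b43633d69dfa60f23713d7375913845ac3fe9b4d8a618660c4528": "PYTHON33.dll (malicious DLL)",
}
# The three file names that make up the side-loading chain the post describes.
TRIAD = {"plugin_host.exe", "python33.dll", "python33.hlp"}

def sha256_of(path, chunk=1 << 16):
    """Stream a file through SHA-256 so large binaries are not read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def scan(root):
    """Walk root and return (kind, path, detail) findings.
    'hash': a file matches one of the published hashes (high confidence).
    'triad': a directory holds all three chain files; a genuine Sublime install
    legitimately contains plugin_host.exe, so treat this as a lead to verify by hash."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        if TRIAD <= {f.lower() for f in files}:
            findings.append(("triad", dirpath, "plugin_host.exe + PYTHON33.dll + PYTHON33.hlp together"))
        for name in files:
            full = os.path.join(dirpath, name)
            digest = sha256_of(full)
            if digest in KNOWN_SHA256:
                findings.append(("hash", full, KNOWN_SHA256[digest]))
    return findings

def demo_constructed_tree():
    """Scan a constructed tree (dummy bytes, not the real samples): a Sublime-like
    directory without the .hlp, and one where the payload sits beside the loader."""
    layout = {"sublime": ["plugin_host.exe", "PYTHON33.dll"],
              "staged": ["plugin_host.exe", "PYTHON33.dll", "PYTHON33.hlp"]}
    with tempfile.TemporaryDirectory() as root:
        for sub, names in layout.items():
            os.mkdir(os.path.join(root, sub))
            for n in names:
                with open(os.path.join(root, sub, n), "wb") as f:
                    f.write(b"constructed placeholder, not the real file: " + n.encode())
        return {(kind, os.path.basename(path)) for kind, path, _ in scan(root)}
```

Calling demo_constructed_tree() returns {('triad', 'staged')}: the Sublime-like directory is left alone, and only the directory with the staged .hlp is reported; point scan() at a real path to check for the published hashes.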
