Keypoints :
- ToxicPanda targets Android devices and initiates money transfers through account takeovers.
- The malware uses on-device fraud (ODF) to bypass user identity verification and authentication measures.
- Cleafy identified 26 IoCs related to ToxicPanda, including 21 domain names.
- Additional research uncovered six email-connected domains, seven IP addresses (four malicious), and 817 string-connected domains.
- The majority of the identified domains were registered in 2024, with some dating back to 2015.
MITRE Techniques :
- T1071.001 – Application Layer Protocol: ToxicPanda utilizes application layer protocols to communicate with its command and control servers.
- T1078 – Valid Accounts: The malware exploits valid accounts through account takeovers to facilitate unauthorized transactions.
- T1203 – Exploitation for Client Execution: ToxicPanda may exploit vulnerabilities in applications to gain access to user devices.
Indicator of Compromise :
- [domain] cpt[.]lol
- [domain] dksu[.]top
- [domain] freebasic[.]cn
- [domain] mixcom[.]one
- [ip address] 172[.]67[.]176[.]238
- Check the article for all found IoCs.
Banking Trojans have been around for decades and still persist to this day because they effectively siphon off victims’ financial data and savings. And one of the latest additions to the ever-growing malware type—ToxicPanda—has been plaguing bank customers throughout Asia and Latin America since October 2024.
ToxicPanda primarily affects Android devices. Its main goal is to initiate money transfers from compromised devices via account takeovers (ATOs) using a technique called “on-device fraud (ODF).” It bypasses bank countermeasures to enforce user identity verification and authentication as well as behavioral detection techniques to identify suspicious money transfers.
Cleafy analyzed the malware in great depth and identified 26 indicators of compromise (IoCs), including 21 domain names in their report. The WhoisXML API research team expanded the list of 21 domain IoCs through a DNS deep dive and uncovered more connected artifacts, including:
- Six email-connected domains
- Seven IP addresses, four of which turned out to be malicious
- One IP-connected domain, which turned out to be malicious
- 817 string-connected domains
A sample of the additional artifacts obtained from our analysis is available for download from our website.
ToxicPanda IoC Facts
As per usual, we began our study by looking for more information about the IoCs.
We queried the 21 domains tagged as IoCs on Bulk WHOIS Lookup, which revealed that only 18 of them had current WHOIS records. The lookup results showed that:
- They were administered by only two registrars. A majority, 16 to be exact, fell under the purview of NameSilo. One was administered by Dynadot, while another did not have registrar data.
- A total of 17 domain IoCs were created in 2024, while one was created way back in 2015.
- While 44% of them were registered in the U.S., the majority, 56% to be exact, did not have registrant country data.
We also queried the 21 domains tagged as IoCs on DNS Chronicle API and found that they resolved to 122 IP addresses between 8 July 2020 and 27 November 2024. Take a look at five examples below.
| DOMAIN IoC | START DATE | END DATE | NUMBER OF IP RESOLUTIONS |
|---|---|---|---|
| cpt[.]lol | 7 July 2023 | 7 August 2024 | 4 |
| dksu[.]top | 16 August 2024 | 12 September 2024 | 14 |
| freebasic[.]cn | 16 August 2020 | 27 November 2024 | 71 |
| mixcom[.]one | 21 September 2024 | 10 November 2024 | 8 |
| unk[.]lol | 14 April 2023 | 27 April 2024 | 3 |
ToxicPanda IoC Expansion Analysis Findings
We kicked off our expansion analysis by querying the 21 domains tagged as IoCs on WHOIS History API, which gave us seven email addresses from their historical WHOIS records. Further scrutiny of the email addresses showed that five of them were public.
Querying the five public email addresses on Reverse WHOIS API provided us with six email-connected domains after duplicates and the IoCs were filtered out.
Next up, we queried the 21 domains tagged as IoCs on DNS Lookup API and found that they resolved to seven unique IP addresses.
Threat Intelligence API revealed that four of the seven IP addresses were malicious. The IP address 172[.]67[.]176[.]238, for instance, was associated with phishing, malware distribution, attacks, and generic threats. The IP address 104[.]21[.]6[.]160, meanwhile, has figured in malware distribution, phishing, and generic threats.
This post only contains a snapshot of the full research. Download the complete findings and a sample of the additional artifacts on our website or contact us to discuss your intelligence needs for threat detection and response or other cybersecurity use cases.
Disclaimer: We take a cautionary stance toward threat detection and aim to provide relevant information to help protect against potential dangers. Consequently, it is possible that some entities identified as “threats” or “malicious” may eventually be deemed harmless upon further investigation or changes in context. We strongly recommend conducting supplementary investigations to corroborate the information provided herein.
Full Research: https://circleid.com/posts/unraveling-the-dns-connections-of-toxicpanda