Penco

Malware

⚠️ Overview

Penco is a remote access trojan (RAT) first documented in September 2023 by researchers at Unit 42 from Palo Alto Networks, believed to be operated by a Chinese-aligned threat group tracked as UNC4990. Penco is distributed primarily through malvertising campaigns, often masquerading as legitimate software installers, and is categorized as an initial access and credential-stealing RAT.

🔧 Technical Capabilities

Penco employs multiple evasion techniques, including obfuscated PowerShell scripts and DLL sideloading, to bypass endpoint defenses. The malware uses HTTP-based command-and-control (C2) communication with encrypted payloads, and it persists by creating scheduled tasks whose names mimic system services (e.g., “MicrosoftEdgeUpdateTaskMachine”). Penco performs system enumeration (user names, OS version, installed security products), captures keystrokes via a keylogging module, and extracts credentials from browsers and email clients. Propagation is limited: it relies on initial delivery via malicious ads or compromised legitimate download sites. The C2 infrastructure uses a domain generation algorithm (DGA) and cloud hosting providers to rotate endpoints.

📜 History & Notable Incidents

Penco emerged in September 2023 as part of a broader campaign targeting users in North America and Europe, with Unit 42 publishing a detailed analysis in October 2023. No specific CVEs are directly exploited by Penco; it instead abuses legitimate Windows utilities (e.g., certutil) to download payloads. No law enforcement actions or takedowns have been publicly reported as of 2024.

🔍 Detection Indicators

Indicators of compromise include mutex names such as “PENCO_1_0_0” and scheduled task names like “PencoUpdate”. The SHA256 value 9f1c8e3a2b7d4f6c5e8a0b1d2c3f4e5a6b7c8d9e0f1a2b3c4d5e6f7a8b9c0d quoted here is a fictional placeholder, not a real hash; real file hashes are available in the Unit 42 report. Network IOCs include HTTP POST requests to domains ending in “.tk” or “.ml” with User-Agent strings beginning with “Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/”.

☠️ Risk & Impact

Penco primarily targets individuals and small businesses through malvertising, with the goal of credential theft and initial access for follow-on ransomware or data exfiltration. The malware has been linked to the theft of login information for financial accounts and corporate VPNs, potentially leading to financial losses in the tens of thousands per incident. Affected sectors include technology, education, and healthcare.

🛡️ Mitigation

Mitigation measures include blocking execution of untrusted signed binaries via Windows Defender Application Control (WDAC) and implementing network segmentation to limit C2 egress. Unit 42 recommends deploying YARA rules that detect the Penco mutex name and specific PowerShell command patterns. Detection rules are available in the Palo Alto Networks threat intelligence portal under reference “Unit 42 Penco Technical Report”.
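The indicators listed under Detection Indicators, the scheduled-task persistence described under Technical Capabilities, and the mutex/pattern matching recommended under Mitigation can all be checked against host and proxy telemetry. The Python below is an added example written for this page, not code from Unit 42 or Boteraser. The mutex name, task names, TLDs and User-Agent prefix are taken from the text above; the event format, the sample telemetry and the expected Edge updater path are assumptions made for the example.

```python
from dataclasses import dataclass

# Indicators quoted from the profile above (mutex, task names, TLDs, UA prefix).
# Everything else in this file is constructed for the example.
MUTEX_NAMES = {"PENCO_1_0_0"}
TASK_NAMES = {"PencoUpdate", "MicrosoftEdgeUpdateTaskMachine"}
SUSPICIOUS_TLDS = (".tk", ".ml")
UA_PREFIX = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) "
             "AppleWebKit/537.36 (KHTML, like Gecko) Chrome/")

# Assumption: the genuine Edge updater tasks (...TaskMachineCore / ...TaskMachineUA)
# run MicrosoftEdgeUpdate.exe from this directory. Adjust to your environment.
EDGE_TASK_PREFIX = "MicrosoftEdgeUpdateTaskMachine"
EDGE_UPDATER_DIR = "c:\\program files (x86)\\microsoft\\edgeupdate\\"


@dataclass
class Finding:
    kind: str
    detail: str


def check_task(name: str, exe_path: str) -> list[Finding]:
    """Scheduled-task creation events (e.g. Security event 4698 or Task Scheduler
    operational logs). An exact indicator match is reported first; otherwise a
    task that borrows the Edge updater naming but runs something outside the
    updater directory is reported as mimicry, as the profile says Penco does."""
    if name in TASK_NAMES:
        return [Finding("task-name", f"task {name!r} matches a Penco indicator")]
    if name.startswith(EDGE_TASK_PREFIX) and not exe_path.lower().startswith(EDGE_UPDATER_DIR):
        return [Finding("task-mimicry", f"task {name!r} runs {exe_path!r}, not the Edge updater")]
    return []


def check_mutex(name: str) -> list[Finding]:
    """Mutex names as reported by a sandbox or by EDR process telemetry."""
    if name in MUTEX_NAMES:
        return [Finding("mutex", f"mutex {name!r} matches a Penco indicator")]
    return []


def check_http(method: str, host: str, user_agent: str) -> list[Finding]:
    """Proxy / web-gateway entries. The UA prefix is the generic Chrome string
    and .tk/.ml are free-registration zones, so each alone is noise; only the
    combination described in the profile (POST + TLD + UA) is flagged."""
    if (method.upper() == "POST"
            and host.lower().endswith(SUSPICIOUS_TLDS)
            and user_agent.startswith(UA_PREFIX)):
        return [Finding("c2-beacon", f"POST to {host} with Chrome-style User-Agent")]
    return []


def scan_events(events: list[dict]) -> list[Finding]:
    """Dispatch each normalised event to the matching check."""
    findings: list[Finding] = []
    for ev in events:
        if ev["type"] == "task":
            findings += check_task(ev["name"], ev["exe"])
        elif ev["type"] == "mutex":
            findings += check_mutex(ev["name"])
        elif ev["type"] == "http":
            findings += check_http(ev["method"], ev["host"], ev["ua"])
    return findings


# Constructed sample telemetry: four exact indicator matches, one mimicry hit,
# and benign entries that must not fire.
SAMPLE_EVENTS = [
    {"type": "task", "name": "PencoUpdate", "exe": r"C:\Users\Public\update.exe"},
    {"type": "task", "name": "MicrosoftEdgeUpdateTaskMachine", "exe": r"C:\Users\Public\edge\update.exe"},
    {"type": "task", "name": "MicrosoftEdgeUpdateTaskMachineCore",
     "exe": r"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe"},
    {"type": "task", "name": "MicrosoftEdgeUpdateTaskMachineUA", "exe": r"C:\Users\Public\svc.exe"},
    {"type": "mutex", "name": "PENCO_1_0_0"},
    {"type": "mutex", "name": "Global\\SomeVendorMutex"},
    {"type": "http", "method": "POST", "host": "cdn-update.tk", "ua": UA_PREFIX + "120.0.0.0 Safari/537.36"},
    {"type": "http", "method": "GET", "host": "example.com", "ua": UA_PREFIX + "120.0.0.0 Safari/537.36"},
    {"type": "http", "method": "POST", "host": "files.ml", "ua": "curl/8.4.0"},
]

if __name__ == "__main__":
    for f in scan_events(SAMPLE_EVENTS):
        print(f"[{f.kind}] {f.detail}")
```

Two design points matter for false positives. The User-Agent prefix quoted in the profile is the stock Chrome string on Windows 10/11, so it is only useful as one term in a compound condition; the example therefore alerts on the POST-plus-TLD-plus-UA combination and never on the UA alone. For persistence, the task name alone is also weak because Penco deliberately imitates the real Edge updater task names, so the mimicry check keys on where the task's action executable lives rather than on the name.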


ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.