Deep Panda
Deep Panda is a suspected Chinese threat group known to target many industries, including government, defense, financial, and telecommunications.[1] The intrusion into healthcare company Anthem has been attributed toDeep Panda.[2] This group is also known as Shell Crew, WebMasters, KungFu Kittens, and PinkPanther.[3]Deep Panda also appears to be known as Black Vine based on the attribution of both group names to the Anthem intrusion.[4] Some analysts trackDeep Panda andAPT19 as the same group, but it is unclear from open source information if the groups are the same.[5]
Associated Group Descriptions
Techniques Used
| Domain | ID | Name | Use | |
|---|---|---|---|---|
| Enterprise | T1059 | .001 | Command and Scripting Interpreter:PowerShell | Deep Panda has used PowerShell scripts to download and execute programs in memory, without writing to disk.[1] |
| Enterprise | T1546 | .008 | Event Triggered Execution:Accessibility Features | Deep Panda has used the sticky-keys technique to bypass the RDP login screen on remote systems during intrusions.[3] |
| Enterprise | T1564 | .003 | Hide Artifacts:Hidden Window | Deep Panda has used |
| Enterprise | T1027 | .005 | Obfuscated Files or Information:Indicator Removal from Tools | Deep Panda has updated and modified its malware, resulting in different hash values that evade detection.[4] |
| Enterprise | T1057 | Process Discovery | Deep Panda uses the MicrosoftTasklist utility to list processes running on systems.[1] | |
| Enterprise | T1021 | .002 | Remote Services:SMB/Windows Admin Shares | Deep Panda uses net.exe to connect to network shares using |
| Enterprise | T1018 | Remote System Discovery | Deep Panda has used ping to identify other machines of interest.[1] | |
| Enterprise | T1505 | .003 | Server Software Component:Web Shell | Deep Panda uses Web shells on publicly accessible Web servers to access victim networks.[6] |
| Enterprise | T1218 | .010 | System Binary Proxy Execution:Regsvr32 | Deep Panda has used regsvr32.exe to execute a server variant ofDerusbi in victim networks.[3] |
| Enterprise | T1047 | Windows Management Instrumentation | TheDeep Panda group is known to utilize WMI for lateral movement.[1] | |
Software
References
- Alperovitch, D. (2014, July 7). Deep in Thought: Chinese Targeting of National Security Think Tanks. Retrieved November 12, 2014.
- ThreatConnect Research Team. (2015, February 27). The Anthem Hack: All Roads Lead to China. Retrieved January 26, 2016.
- RSA Incident Response. (2014, January). RSA Incident Response Emerging Threat Profile: Shell Crew. Retrieved January 14, 2016.
- DiMaggio, J.. (2015, August 6). The Black Vine cyberespionage group. Retrieved January 26, 2016.
- Scott, J. and Spaniel, D. (2016, July 28). ICIT Brief - China’s Espionage Dynasty: Economic Death by a Thousand Cuts. Retrieved June 7, 2018.
- RYANJ. (2014, February 20). Mo’ Shells Mo’ Problems – Deep Panda Web Shells. Retrieved September 16, 2015.
- Cylance SPEAR Team. (2017, February 9). Shell Crew Variants Continue to Fly Under Big AV’s Radar. Retrieved February 15, 2017.