Deep Panda is a suspected Chinese threat group known to target many industries, including government, defense, financial, and telecommunications.[1] The intrusion into healthcare company Anthem has been attributed to Deep Panda.[2] This group is also known as Shell Crew, WebMasters, KungFu Kittens, and PinkPanther.[3] Deep Panda also appears to be known as Black Vine based on the attribution of both group names to the Anthem intrusion.[4] Some analysts track Deep Panda and APT19 as the same group, but it is unclear from open source information if the groups are the same.[5]
| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1059.001 | Command and Scripting Interpreter: PowerShell | Deep Panda has used PowerShell scripts to download and execute programs in memory, without writing to disk.[1] |
| Enterprise | T1546.008 | Event Triggered Execution: Accessibility Features | Deep Panda has used the sticky-keys technique to bypass the RDP login screen on remote systems during intrusions.[3] |
| Enterprise | T1564.003 | Hide Artifacts: Hidden Window | Deep Panda has used |
| Enterprise | T1027.005 | Obfuscated Files or Information: Indicator Removal from Tools | Deep Panda has updated and modified its malware, resulting in different hash values that evade detection.[4] |
| Enterprise | T1057 | Process Discovery | Deep Panda uses the Microsoft Tasklist utility to list processes running on systems.[1] |
| Enterprise | T1021.002 | Remote Services: SMB/Windows Admin Shares | Deep Panda uses net.exe to connect to network shares using |
| Enterprise | T1018 | Remote System Discovery | Deep Panda has used ping to identify other machines of interest.[1] |
| Enterprise | T1505.003 | Server Software Component: Web Shell | Deep Panda uses Web shells on publicly accessible Web servers to access victim networks.[6] |
| Enterprise | T1218.010 | System Binary Proxy Execution: Regsvr32 | Deep Panda has used regsvr32.exe to execute a server variant of Derusbi in victim networks.[3] |
| Enterprise | T1047 | Windows Management Instrumentation | The Deep Panda group is known to utilize WMI for lateral movement.[1] |