
Aquatic Panda

Aquatic Panda is a suspected China-based threat group with a dual mission of intelligence collection and industrial espionage. Active since at least May 2020, Aquatic Panda has primarily targeted entities in the telecommunications, technology, and government sectors.[1]

ID: G0143
Contributors: NST Assure Research Team, NetSentries Technologies; Pooja Natarajan, NEC Corporation India; Hiroki Nagahama, NEC Corporation; Manikantan Srinivasan, NEC Corporation India; Jai Minton, CrowdStrike; Jennifer Kim Roman, CrowdStrike
Version: 2.0
Created: 18 January 2022
Last Modified: 10 October 2024

Techniques Used

Domain | ID | Name (the Use column follows each entry)

Enterprise | T1087 | Account Discovery

Aquatic Panda used the last command in Linux environments to identify recently logged-in users on victim machines.[2]

Enterprise | T1595.002 | Active Scanning: Vulnerability Scanning

Aquatic Panda has used publicly accessible DNS logging services to identify servers vulnerable to Log4j (CVE-2021-44228).[1]

Enterprise | T1560.001 | Archive Collected Data: Archive via Utility

Aquatic Panda has used several publicly available tools, including WinRAR and 7zip, to compress collected files and memory dumps prior to exfiltration.[1][2]

Enterprise | T1059.001 | Command and Scripting Interpreter: PowerShell

Aquatic Panda has downloaded additional scripts and executed Base64 encoded commands in PowerShell.[1]

Enterprise | T1059.003 | Command and Scripting Interpreter: Windows Command Shell

Aquatic Panda has attempted and failed to run Bash commands on a Windows host by passing them to cmd /C.[1]

Enterprise | T1059.004 | Command and Scripting Interpreter: Unix Shell

Aquatic Panda used malicious shell scripts in Linux environments following access via SSH to install Linux versions of Winnti malware.[2]

Enterprise | T1543.003 | Create or Modify System Process: Windows Service

Aquatic Panda created new Windows services for persistence that masqueraded as legitimate Windows services via name change.[2]

Enterprise | T1005 | Data from Local System

Aquatic Panda captured local Windows security event log data from victim machines using the wevtutil utility to extract contents to an evtx output file.[2]

Enterprise | T1574.001 | Hijack Execution Flow: DLL

Aquatic Panda has used DLL search-order hijacking to load exe, dll, and dat files into memory.[1] Aquatic Panda loaded a malicious DLL into the legitimate Windows Security Health Service executable (SecurityHealthService.exe) to execute malicious code on victim systems.[2]

Enterprise | T1574.006 | Hijack Execution Flow: Dynamic Linker Hijacking

Aquatic Panda modified the ld.so preload file in Linux environments to enable persistence for Winnti malware.[2]

Enterprise | T1562.001 | Impair Defenses: Disable or Modify Tools

Aquatic Panda has attempted to stop endpoint detection and response (EDR) tools on compromised systems.[1]

Enterprise | T1070.001 | Indicator Removal: Clear Windows Event Logs

Aquatic Panda clears Windows Event Logs following activity to evade defenses.[2]

Enterprise | T1070.003 | Indicator Removal: Clear Command History

Aquatic Panda cleared command history in Linux environments to remove traces of activity after operations.[2]

Enterprise | T1070.004 | Indicator Removal: File Deletion

Aquatic Panda has deleted malicious executables from compromised machines.[1][2]

Enterprise | T1105 | Ingress Tool Transfer

Aquatic Panda has downloaded additional malware onto compromised hosts.[1]

Enterprise | T1654 | Log Enumeration

Aquatic Panda enumerated logs related to authentication in Linux environments prior to deleting selective entries for defense evasion purposes.[2]

Enterprise | T1036.004 | Masquerading: Masquerade Task or Service

Aquatic Panda created new, malicious services using names such as Windows User Service to attempt to blend in with legitimate items on victim systems.[2]

Enterprise | T1036.005 | Masquerading: Match Legitimate Resource Name or Location

Aquatic Panda renamed or moved malicious binaries to legitimate locations to evade defenses and blend into victim environments.[2]

Enterprise | T1112 | Modify Registry

Aquatic Panda modified the victim registry to enable the RestrictedAdmin mode feature, allowing for pass the hash behaviors to function via RDP.[2]

Enterprise | T1027.010 | Obfuscated Files or Information: Command Obfuscation

Aquatic Panda has encoded PowerShell commands in Base64.[1]

Enterprise | T1588.001 | Obtain Capabilities: Malware

Aquatic Panda has acquired and used njRAT in its operations.[1]

Enterprise | T1588.002 | Obtain Capabilities: Tool

Aquatic Panda has acquired and used Cobalt Strike in its operations.[1]

Enterprise | T1003.001 | OS Credential Dumping: LSASS Memory

Aquatic Panda has attempted to harvest credentials through LSASS memory dumping.[1]

Enterprise | T1021 | Remote Services

Aquatic Panda used remote scheduled tasks to install malicious software on victim systems during lateral movement actions.[2]

Enterprise | T1021.001 | Remote Services: Remote Desktop Protocol

Aquatic Panda leveraged stolen credentials to move laterally via RDP in victim environments.[2]

Enterprise | T1021.002 | Remote Services: SMB/Windows Admin Shares

Aquatic Panda used remote shares to enable lateral movement in victim environments.[2]

Enterprise | T1021.004 | Remote Services: SSH

Aquatic Panda used SSH with captured user credentials to move laterally in victim environments.[2]

Enterprise | T1518.001 | Software Discovery: Security Software Discovery

Aquatic Panda has attempted to discover third party endpoint detection and response (EDR) tools on compromised systems.[1]

Enterprise | T1218.011 | System Binary Proxy Execution: Rundll32

Aquatic Panda used rundll32.exe to proxy execution of a malicious DLL file identified as a keylogging binary.[2]

Enterprise | T1082 | System Information Discovery

Aquatic Panda has used native OS commands to understand privilege levels and system details.[1]

Enterprise | T1033 | System Owner/User Discovery

Aquatic Panda gathers information on recently logged-in users on victim devices.[2]

Enterprise | T1007 | System Service Discovery

Aquatic Panda has attempted to discover services for third party EDR products.[1]

Enterprise | T1550.002 | Use Alternate Authentication Material: Pass the Hash

Aquatic Panda used a registry edit to enable a Windows feature called RestrictedAdmin in victim environments. This change allowed Aquatic Panda to leverage "pass the hash" mechanisms as the alteration allows for RDP connections with a valid account name and hash only, without possessing a cleartext password value.[2]

Enterprise | T1078.002 | Valid Accounts: Domain Accounts

Aquatic Panda used multiple mechanisms to capture valid user accounts for victim domains to enable lateral movement and access to additional hosts in victim environments.[2]

Enterprise | T1047 | Windows Management Instrumentation

Aquatic Panda used WMI for lateral movement in victim environments.[2]
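Several of the Windows-side entries above (a masquerading service, wevtutil used to export the Security log, the registry change that enables RestrictedAdmin, clearing of event logs, and rundll32 proxying a DLL) are behaviours a defender would look for in host event logs. The script below is an added example, not code from MITRE ATT&CK or from the cited reports. The event records are constructed to resemble a flattened Windows event export; the event IDs used (1102 audit log cleared, 4657 registry value modified, 4688 process creation, 7045 service installed) and the DisableRestrictedAdmin value under the Lsa key are standard Windows facts that do not appear on this page, and the rule that a service binary or rundll32 module outside C:\Windows is suspect is this example's own assumption.

```python
"""Triage of Windows event records against behaviours listed in the Aquatic Panda
profile. Added example with constructed sample data; not code or data from the page."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    technique: str  # ATT&CK technique ID taken from the profile table
    event_id: int   # Windows event ID of the record that matched
    detail: str


# Constructed sample records, shaped like a flattened Windows event export
# (log name, event ID, a few named event fields). Not real telemetry.
SAMPLE_EVENTS = [
    {"log": "System", "event_id": 7045,
     "data": {"ServiceName": "Windows User Service",
              "ImagePath": "C:\\ProgramData\\svc\\wusvc.exe"}},
    {"log": "System", "event_id": 7045,
     "data": {"ServiceName": "Windows Update",
              "ImagePath": "C:\\Windows\\System32\\svchost.exe -k netsvcs"}},
    {"log": "Security", "event_id": 4688,
     "data": {"NewProcessName": "C:\\Windows\\System32\\wevtutil.exe",
              "CommandLine": "wevtutil epl Security C:\\Users\\Public\\sec.evtx"}},
    {"log": "Security", "event_id": 4657,
     "data": {"ObjectName": "\\REGISTRY\\MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Lsa",
              "ObjectValueName": "DisableRestrictedAdmin", "NewValue": "0"}},
    {"log": "Security", "event_id": 1102,
     "data": {"SubjectUserName": "svc_admin"}},
    {"log": "Security", "event_id": 4688,
     "data": {"NewProcessName": "C:\\Windows\\System32\\rundll32.exe",
              "CommandLine": "rundll32.exe C:\\Users\\Public\\kl.dat,Start"}},
]

# Assumption of this example: binaries that legitimately back services or are
# handed to rundll32 live under C:\Windows; anything else deserves a look.
SYSTEM_DIR = re.compile(r"^c:\\windows\\", re.IGNORECASE)


def outside_system_dir(path: str) -> bool:
    """True when the executable part of an image path is not under C:\\Windows."""
    exe = path.strip().strip('"').split(" ")[0] if path else ""
    return SYSTEM_DIR.match(exe) is None


def triage(events) -> list:
    """Map each event to the profile technique it is evidence for."""
    findings = []
    for ev in events:
        eid, d = ev["event_id"], ev["data"]
        if eid == 1102:
            # Security audit log cleared (Indicator Removal: Clear Windows Event Logs)
            findings.append(Finding("T1070.001", eid,
                            f"Security log cleared by {d.get('SubjectUserName', '?')}"))
        elif eid == 7045 and outside_system_dir(d.get("ImagePath", "")):
            # New service whose binary sits outside the system directory
            findings.append(Finding("T1543.003", eid,
                            f"service '{d.get('ServiceName')}' installed from {d.get('ImagePath')}"))
        elif (eid == 4657
              and d.get("ObjectValueName", "").lower() == "disablerestrictedadmin"
              and d.get("NewValue") == "0"):
            # DisableRestrictedAdmin=0 switches RestrictedAdmin RDP on (Modify Registry)
            findings.append(Finding("T1112", eid, "RestrictedAdmin mode enabled via registry"))
        elif eid == 4688:
            exe = d.get("NewProcessName", "").lower().rsplit("\\", 1)[-1]
            cmd = d.get("CommandLine", "")
            argv = cmd.split()
            if exe == "wevtutil.exe" and len(argv) > 1 and argv[1].lower() == "epl":
                # wevtutil epl exports a log to an .evtx file (Data from Local System)
                findings.append(Finding("T1005", eid, f"event log export: {cmd}"))
            elif exe == "wevtutil.exe" and len(argv) > 1 and argv[1].lower() == "cl":
                # wevtutil cl clears a log (Indicator Removal: Clear Windows Event Logs)
                findings.append(Finding("T1070.001", eid, f"event log cleared: {cmd}"))
            elif exe == "rundll32.exe" and len(argv) > 1:
                # rundll32 <module>,<entry>: flag modules loaded from user-writable paths
                module = argv[1].split(",")[0]
                if outside_system_dir(module):
                    findings.append(Finding("T1218.011", eid, f"rundll32 loading {module}"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"{f.technique} (event {f.event_id}): {f.detail}")
```

The path checks split on the first space, so an image path containing spaces would need proper quoting in the export; 4688 records only carry a CommandLine field when command-line auditing is enabled, and 4657 only fires when a SACL on the Lsa key audits value writes, so both rules depend on audit policy being in place before the activity.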

Software

ID | Name | References | Techniques

S0154 | Cobalt Strike | [1] | Abuse Elevation Control Mechanism: Sudo and Sudo Caching, Abuse Elevation Control Mechanism: Bypass User Account Control, Access Token Manipulation: Parent PID Spoofing, Access Token Manipulation: Token Impersonation/Theft, Access Token Manipulation: Make and Impersonate Token, Account Discovery: Domain Account, Application Layer Protocol: DNS, Application Layer Protocol: Web Protocols, Application Layer Protocol: File Transfer Protocols, BITS Jobs, Browser Session Hijacking, Command and Scripting Interpreter: JavaScript, Command and Scripting Interpreter: Visual Basic, Command and Scripting Interpreter: PowerShell, Command and Scripting Interpreter: Python, Command and Scripting Interpreter: Windows Command Shell, Create or Modify System Process: Windows Service, Data Encoding: Standard Encoding, Data from Local System, Data Obfuscation: Protocol or Service Impersonation, Data Transfer Size Limits, Deobfuscate/Decode Files or Information, Encrypted Channel: Asymmetric Cryptography, Encrypted Channel: Symmetric Cryptography, Exploitation for Client Execution, Exploitation for Privilege Escalation, File and Directory Discovery, Hide Artifacts: Process Argument Spoofing, Impair Defenses: Disable or Modify Tools, Indicator Removal: Timestomp, Ingress Tool Transfer, Input Capture: Keylogging, Modify Registry, Native API, Network Service Discovery, Network Share Discovery, Non-Application Layer Protocol, Obfuscated Files or Information: Indicator Removal from Tools, Obfuscated Files or Information, Office Application Startup: Office Template Macros, OS Credential Dumping: LSASS Memory, OS Credential Dumping: Security Account Manager, Permission Groups Discovery: Domain Groups, Permission Groups Discovery: Local Groups, Process Discovery, Process Injection: Dynamic-link Library Injection, Process Injection: Process Hollowing, Process Injection, Protocol Tunneling, Proxy: Domain Fronting, Proxy: Internal Proxy, Query Registry, Reflective Code Loading, Remote Services: Remote Desktop Protocol, Remote Services: SSH, Remote Services: Windows Remote Management, Remote Services: SMB/Windows Admin Shares, Remote Services: Distributed Component Object Model, Remote System Discovery, Scheduled Transfer, Screen Capture, Software Discovery, Subvert Trust Controls: Code Signing, System Binary Proxy Execution: Rundll32, System Network Configuration Discovery, System Network Connections Discovery, System Service Discovery, System Services: Service Execution, Use Alternate Authentication Material: Pass the Hash, Valid Accounts: Domain Accounts, Valid Accounts: Local Accounts, Windows Management Instrumentation

S0385 | njRAT | [1] | Application Layer Protocol: Web Protocols, Application Window Discovery, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Command and Scripting Interpreter: PowerShell, Command and Scripting Interpreter: Windows Command Shell, Credentials from Password Stores: Credentials from Web Browsers, Data Encoding: Standard Encoding, Data from Local System, Dynamic Resolution: Fast Flux DNS, Exfiltration Over C2 Channel, File and Directory Discovery, Impair Defenses: Disable or Modify System Firewall, Indicator Removal: File Deletion, Indicator Removal: Clear Persistence, Ingress Tool Transfer, Input Capture: Keylogging, Modify Registry, Native API, Non-Standard Port, Obfuscated Files or Information: Encrypted/Encoded File, Obfuscated Files or Information: Compile After Delivery, Peripheral Device Discovery, Process Discovery, Query Registry, Remote Services: Remote Desktop Protocol, Remote System Discovery, Replication Through Removable Media, Screen Capture, System Information Discovery, System Owner/User Discovery, Video Capture

S0596 | ShadowPad | Aquatic Panda used ShadowPad as a remote access tool to victim environments.[2] | Application Layer Protocol: DNS, Application Layer Protocol: File Transfer Protocols, Application Layer Protocol: Web Protocols, Data Encoding: Non-Standard Encoding, Deobfuscate/Decode Files or Information, Dynamic Resolution: Domain Generation Algorithms, Indicator Removal, Ingress Tool Transfer, Local Storage Discovery, Modify Registry, Non-Application Layer Protocol, Obfuscated Files or Information: Fileless Storage, Obfuscated Files or Information, Process Discovery, Process Injection, Process Injection: Dynamic-link Library Injection, Scheduled Transfer, System Information Discovery, System Network Configuration Discovery, System Owner/User Discovery, System Time Discovery

S0645 | Wevtutil | Aquatic Panda uses Wevtutil to extract Windows security event log data from victim machines.[2] | Data from Local System, Impair Defenses: Disable Windows Event Logging, Indicator Removal: Clear Windows Event Logs

S0430 | Winnti for Linux | Aquatic Panda used Winnti for Linux for access to victim Linux hosts during intrusions.[2] | Application Layer Protocol: Web Protocols, Deobfuscate/Decode Files or Information, Encrypted Channel: Symmetric Cryptography, Ingress Tool Transfer, Non-Application Layer Protocol, Obfuscated Files or Information: Encrypted/Encoded File, Rootkit, Traffic Signaling

S0141 | Winnti for Windows | Aquatic Panda used Winnti for Windows for persistent access to Windows victims.[2] | Abuse Elevation Control Mechanism: Bypass User Account Control, Application Layer Protocol: Web Protocols, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Create or Modify System Process: Windows Service, Deobfuscate/Decode Files or Information, Encrypted Channel: Symmetric Cryptography, Execution Guardrails: Environmental Keying, File and Directory Discovery, Indicator Removal: File Deletion, Indicator Removal: Timestomp, Ingress Tool Transfer, Masquerading: Match Legitimate Resource Name or Location, Native API, Non-Application Layer Protocol, Obfuscated Files or Information: Compression, Obfuscated Files or Information: Encrypted/Encoded File, Process Discovery, Proxy: External Proxy, Proxy: Internal Proxy, System Binary Proxy Execution: Rundll32, System Information Discovery, System Services: Service Execution

References
