Deep Panda

Deep Panda is a suspected Chinese threat group known to target many industries, including government, defense, financial, and telecommunications. [1] The intrusion into healthcare company Anthem has been attributed to Deep Panda. [2] This group is also known as Shell Crew, WebMasters, KungFu Kittens, and PinkPanther. [3] Deep Panda also appears to be known as Black Vine based on the attribution of both group names to the Anthem intrusion. [4] Some analysts track Deep Panda and APT19 as the same group, but it is unclear from open source information if the groups are the same. [5]

ID: G0009
Associated Groups: Shell Crew, WebMasters, KungFu Kittens, PinkPanther, Black Vine
Contributors: Andrew Smith, @jakx_
Version: 1.2
Created: 31 May 2017
Last Modified: 09 February 2021

Associated Group Descriptions

Name Description
Shell Crew

[3]

WebMasters

[3]

KungFu Kittens

[3]

PinkPanther

[3]

Black Vine

[4]

Techniques Used

Domain ID Name Use
Enterprise T1059 .001 Command and Scripting Interpreter: PowerShell

Deep Panda has used PowerShell scripts to download and execute programs in memory, without writing to disk.[1]

Enterprise T1546 .008 Event Triggered Execution: Accessibility Features

Deep Panda has used the sticky-keys technique to bypass the RDP login screen on remote systems during intrusions.[3]

Enterprise T1564 .003 Hide Artifacts: Hidden Window

Deep Panda has used -w hidden to conceal PowerShell windows by setting the WindowStyle parameter to hidden. [1]

Enterprise T1027 .005 Obfuscated Files or Information: Indicator Removal from Tools

Deep Panda has updated and modified its malware, resulting in different hash values that evade detection.[4]

Enterprise T1057 Process Discovery

Deep Panda uses the Microsoft Tasklist utility to list processes running on systems.[1]

Enterprise T1021 .002 Remote Services: SMB/Windows Admin Shares

Deep Panda uses net.exe to connect to network shares using net use commands with compromised credentials.[1]

Enterprise T1018 Remote System Discovery

Deep Panda has used ping to identify other machines of interest.[1]

Enterprise T1505 .003 Server Software Component: Web Shell

Deep Panda uses Web shells on publicly accessible Web servers to access victim networks.[6]

Enterprise T1218 .010 Signed Binary Proxy Execution: Regsvr32

Deep Panda has used regsvr32.exe to execute a server variant of Derusbi in victim networks.[3]

Enterprise T1047 Windows Management Instrumentation

The Deep Panda group is known to utilize WMI for lateral movement.[1]

Software

ID Name References Techniques
S0021 Derusbi [2] Audio Capture, Command and Scripting Interpreter: Unix Shell, Commonly Used Port, Encrypted Channel: Symmetric Cryptography, Fallback Channels, File and Directory Discovery, Indicator Removal on Host: Timestomp, Indicator Removal on Host: File Deletion, Input Capture: Keylogging, Non-Application Layer Protocol, Non-Standard Port, Process Discovery, Process Injection: Dynamic-link Library Injection, Query Registry, Screen Capture, Signed Binary Proxy Execution: Regsvr32, System Information Discovery, System Owner/User Discovery, Video Capture
S0080 Mivast [4] Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Command and Scripting Interpreter: Windows Command Shell, Commonly Used Port, Ingress Tool Transfer, OS Credential Dumping: Security Account Manager
S0039 Net [1] Account Discovery: Local Account, Account Discovery: Domain Account, Create Account: Local Account, Create Account: Domain Account, Indicator Removal on Host: Network Share Connection Removal, Network Share Discovery, Password Policy Discovery, Permission Groups Discovery: Local Groups, Permission Groups Discovery: Domain Groups, Remote Services: SMB/Windows Admin Shares, Remote System Discovery, System Network Connections Discovery, System Service Discovery, System Services: Service Execution, System Time Discovery
S0097 Ping [1] Remote System Discovery
S0074 Sakula [2] Abuse Elevation Control Mechanism: Bypass User Account Control, Application Layer Protocol: Web Protocols, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Command and Scripting Interpreter: Windows Command Shell, Create or Modify System Process: Windows Service, Encrypted Channel: Symmetric Cryptography, Hijack Execution Flow: DLL Side-Loading, Indicator Removal on Host: File Deletion, Ingress Tool Transfer, Obfuscated Files or Information, Signed Binary Proxy Execution: Rundll32
S0142 StreamEx [7] Command and Scripting Interpreter: Windows Command Shell, Create or Modify System Process: Windows Service, File and Directory Discovery, Modify Registry, Obfuscated Files or Information, Process Discovery, Signed Binary Proxy Execution: Rundll32, Software Discovery: Security Software Discovery, System Information Discovery
S0057 Tasklist [1] Process Discovery, Software Discovery: Security Software Discovery, System Service Discovery

References