Deep Panda is a suspected Chinese threat group known to target many industries, including government, defense, financial, and telecommunications. [1] The intrusion into healthcare company Anthem has been attributed to Deep Panda. [2] This group is also known as Shell Crew, WebMasters, KungFu Kittens, and PinkPanther. [3] Deep Panda also appears to be known as Black Vine based on the attribution of both group names to the Anthem intrusion. [4] Some analysts track Deep Panda and APT19 as the same group, but it is unclear from open source information if the groups are the same. [5]
Name | Description |
---|---|
Shell Crew | |
WebMasters | |
KungFu Kittens | |
PinkPanther | |
Black Vine |
Domain | ID | Name | Use | |
---|---|---|---|---|
Enterprise | T1059 | .001 | Command and Scripting Interpreter: PowerShell |
Deep Panda has used PowerShell scripts to download and execute programs in memory, without writing to disk.[1] |
Enterprise | T1546 | .008 | Event Triggered Execution: Accessibility Features |
Deep Panda has used the sticky-keys technique to bypass the RDP login screen on remote systems during intrusions.[3] |
Enterprise | T1564 | .003 | Hide Artifacts: Hidden Window |
Deep Panda has used |
Enterprise | T1027 | .005 | Obfuscated Files or Information: Indicator Removal from Tools |
Deep Panda has updated and modified its malware, resulting in different hash values that evade detection.[4] |
Enterprise | T1057 | Process Discovery |
Deep Panda uses the Microsoft Tasklist utility to list processes running on systems.[1] |
|
Enterprise | T1021 | .002 | Remote Services: SMB/Windows Admin Shares |
Deep Panda uses net.exe to connect to network shares using |
Enterprise | T1018 | Remote System Discovery |
Deep Panda has used ping to identify other machines of interest.[1] |
|
Enterprise | T1505 | .003 | Server Software Component: Web Shell |
Deep Panda uses Web shells on publicly accessible Web servers to access victim networks.[6] |
Enterprise | T1218 | .010 | Signed Binary Proxy Execution: Regsvr32 |
Deep Panda has used regsvr32.exe to execute a server variant of Derusbi in victim networks.[3] |
Enterprise | T1047 | Windows Management Instrumentation |
The Deep Panda group is known to utilize WMI for lateral movement.[1] |