Deep Panda

Deep Panda is a suspected Chinese threat group known to target many industries, including government, defense, financial, and telecommunications. [1] The intrusion into healthcare company Anthem has been attributed to Deep Panda. [2] This group is also known as Shell Crew, WebMasters, KungFu Kittens, and PinkPanther. [3] Deep Panda also appears to be known as Black Vine based on the attribution of both group names to the Anthem intrusion. [4] Some analysts track Deep Panda and APT19 as the same group, but it is unclear from open source information if the groups are the same. [5]

ID: G0009
Contributors: Andrew Smith, @jakx_

Version: 1.0

Associated Group Descriptions

Shell Crew[3]
KungFu Kittens[3]
Black Vine[4]

Techniques Used

EnterpriseT1015Accessibility FeaturesDeep Panda has used the sticky-keys technique to bypass the RDP login screen on remote systems during intrusions.[3]
EnterpriseT1066Indicator Removal from ToolsDeep Panda has updated and modified its malware, resulting in different hash values that evade detection.[4]
EnterpriseT1086PowerShellDeep Panda has used PowerShell scripts to download and execute programs in memory, without writing to disk.[1]
EnterpriseT1057Process DiscoveryDeep Panda uses the Microsoft Tasklist utility to list processes running on systems.[1]
EnterpriseT1117Regsvr32Deep Panda has used regsvr32.exe to execute a server variant of Derusbi in victim networks.[3]
EnterpriseT1018Remote System DiscoveryDeep Panda has used ping to identify other machines of interest.[1]
EnterpriseT1064ScriptingDeep Panda has used PowerShell scripts to download and execute programs in memory, without writing to disk.[1]
EnterpriseT1100Web ShellDeep Panda uses Web shells on publicly accessible Web servers to access victim networks.[6]
EnterpriseT1077Windows Admin SharesDeep Panda uses net.exe to connect to network shares using net use commands with compromised credentials.[1]
EnterpriseT1047Windows Management InstrumentationThe Deep Panda group is known to utilize WMI for lateral movement.[1]


S0021Derusbi[2]Audio Capture, Command-Line Interface, Commonly Used Port, Custom Command and Control Protocol, Custom Cryptographic Protocol, Fallback Channels, File and Directory Discovery, File Deletion, Input Capture, Process Discovery, Process Injection, Query Registry, Regsvr32, Screen Capture, Standard Non-Application Layer Protocol, System Information Discovery, System Owner/User Discovery, Timestomp, Video Capture
S0080Mivast[4]Command-Line Interface, Commonly Used Port, Credential Dumping, Registry Run Keys / Startup Folder, Remote File Copy
S0039Net[1]Account Discovery, Create Account, Network Share Connection Removal, Network Share Discovery, Password Policy Discovery, Permission Groups Discovery, Remote System Discovery, Service Execution, System Network Connections Discovery, System Service Discovery, System Time Discovery, Windows Admin Shares
S0097Ping[1]Remote System Discovery
S0074Sakula[2]Bypass User Account Control, Command-Line Interface, Custom Cryptographic Protocol, DLL Side-Loading, File Deletion, New Service, Obfuscated Files or Information, Registry Run Keys / Startup Folder, Remote File Copy, Rundll32, Standard Application Layer Protocol
S0142StreamEx[7]Command-Line Interface, File and Directory Discovery, Modify Registry, New Service, Obfuscated Files or Information, Process Discovery, Rundll32, Security Software Discovery, System Information Discovery
S0057Tasklist[1]Process Discovery, Security Software Discovery, System Service Discovery