Aquatic Panda

Aquatic Panda is a suspected China-based threat group with a dual mission of intelligence collection and industrial espionage. Active since at least May 2020, Aquatic Panda has primarily targeted entities in the telecommunications, technology, and government sectors.[1]

ID: G0143
Contributors: NST Assure Research Team, NetSentries Technologies; Pooja Natarajan, NEC Corporation India; Hiroki Nagahama, NEC Corporation; Manikantan Srinivasan, NEC Corporation India; Jai Minton, CrowdStrike; Jennifer Kim Roman, CrowdStrike
Version: 2.0
Created: 18 January 2022
Last Modified: 10 October 2024

Techniques Used

Domain ID Name Use
Enterprise T1087 Account Discovery

Aquatic Panda ran the last command on Linux hosts to list recently logged-in users on victim machines.[2]

Enterprise T1595.002 Active Scanning: Vulnerability Scanning

Aquatic Panda has used publicly accessible DNS logging services to identify servers vulnerable to Log4j (CVE-2021-44228).[1]

Enterprise T1560.001 Archive Collected Data: Archive via Utility

Aquatic Panda has used several publicly available tools, including WinRAR and 7-Zip, to compress collected files and memory dumps prior to exfiltration.[1][2]

Enterprise T1059.001 Command and Scripting Interpreter: PowerShell

Aquatic Panda has downloaded additional scripts and executed Base64 encoded commands in PowerShell.[1]

Enterprise T1059.003 Command and Scripting Interpreter: Windows Command Shell

Aquatic Panda has attempted and failed to run Bash commands on a Windows host by passing them to cmd /C.[1]

Enterprise T1059.004 Command and Scripting Interpreter: Unix Shell

Aquatic Panda used malicious shell scripts in Linux environments following access via SSH to install Linux versions of Winnti malware.[2]

Enterprise T1543.003 Create or Modify System Process: Windows Service

Aquatic Panda created new Windows services for persistence that masqueraded as legitimate Windows services via name change.[2]

Enterprise T1005 Data from Local System

Aquatic Panda captured local Windows security event log data from victim machines using the wevtutil utility to export the log contents to an .evtx output file.[2]

Enterprise T1574.001 Hijack Execution Flow: DLL Search Order Hijacking

Aquatic Panda has used DLL search-order hijacking to load exe, dll, and dat files into memory.[1] Aquatic Panda loaded a malicious DLL into the legitimate Windows Security Health Service executable (SecurityHealthService.exe) to execute malicious code on victim systems.[2]

Enterprise T1574.006 Hijack Execution Flow: Dynamic Linker Hijacking

Aquatic Panda modified the ld.so.preload file in Linux environments to enable persistence for Winnti malware.[2]

Enterprise T1562.001 Impair Defenses: Disable or Modify Tools

Aquatic Panda has attempted to stop endpoint detection and response (EDR) tools on compromised systems.[1]

Enterprise T1070.001 Indicator Removal: Clear Windows Event Logs

Aquatic Panda clears Windows Event Logs following activity to evade defenses.[2]

Enterprise T1070.003 Indicator Removal: Clear Command History

Aquatic Panda cleared command history in Linux environments to remove traces of activity after operations.[2]

Enterprise T1070.004 Indicator Removal: File Deletion

Aquatic Panda has deleted malicious executables from compromised machines.[1][2]

Enterprise T1105 Ingress Tool Transfer

Aquatic Panda has downloaded additional malware onto compromised hosts.[1]

Enterprise T1654 Log Enumeration

Aquatic Panda enumerated logs related to authentication in Linux environments prior to deleting selective entries for defense evasion purposes.[2]

Enterprise T1036.004 Masquerading: Masquerade Task or Service

Aquatic Panda created new, malicious services using names such as Windows User Service to attempt to blend in with legitimate items on victim systems.[2]

Enterprise T1036.005 Masquerading: Match Legitimate Name or Location

Aquatic Panda renamed or moved malicious binaries to legitimate locations to evade defenses and blend into victim environments.[2]

Enterprise T1112 Modify Registry

Aquatic Panda modified the victim registry to enable the RestrictedAdmin mode feature, allowing pass-the-hash authentication to work over RDP.[2]

Enterprise T1027.010 Obfuscated Files or Information: Command Obfuscation

Aquatic Panda has encoded PowerShell commands in Base64.[1]

Enterprise T1588.001 Obtain Capabilities: Malware

Aquatic Panda has acquired and used njRAT in its operations.[1]

Enterprise T1588.002 Obtain Capabilities: Tool

Aquatic Panda has acquired and used Cobalt Strike in its operations.[1]

Enterprise T1003.001 OS Credential Dumping: LSASS Memory

Aquatic Panda has attempted to harvest credentials through LSASS memory dumping.[1]

Enterprise T1021 Remote Services

Aquatic Panda used remote scheduled tasks to install malicious software on victim systems during lateral movement actions.[2]

Enterprise T1021.001 Remote Services: Remote Desktop Protocol

Aquatic Panda leveraged stolen credentials to move laterally via RDP in victim environments.[2]

Enterprise T1021.002 Remote Services: SMB/Windows Admin Shares

Aquatic Panda used remote shares to enable lateral movement in victim environments.[2]

Enterprise T1021.004 Remote Services: SSH

Aquatic Panda used SSH with captured user credentials to move laterally in victim environments.[2]

Enterprise T1518.001 Software Discovery: Security Software Discovery

Aquatic Panda has attempted to discover third-party endpoint detection and response (EDR) tools on compromised systems.[1]

Enterprise T1218.011 System Binary Proxy Execution: Rundll32

Aquatic Panda used rundll32.exe to proxy execution of a malicious DLL file identified as a keylogging binary.[2]

Enterprise T1082 System Information Discovery

Aquatic Panda has used native OS commands to understand privilege levels and system details.[1]

Enterprise T1033 System Owner/User Discovery

Aquatic Panda gathers information on recently logged-in users on victim devices.[2]

Enterprise T1007 System Service Discovery

Aquatic Panda has attempted to discover services belonging to third-party EDR products.[1]

Enterprise T1550.002 Use Alternate Authentication Material: Pass the Hash

Aquatic Panda used a registry edit to enable a Windows feature called RestrictedAdmin in victim environments. This change allowed Aquatic Panda to use "pass the hash" mechanisms, because with RestrictedAdmin enabled an RDP connection can be authenticated with a valid account name and password hash alone, without possessing the cleartext password.[2]

Enterprise T1078.002 Valid Accounts: Domain Accounts

Aquatic Panda used multiple mechanisms to capture valid user accounts for victim domains to enable lateral movement and access to additional hosts in victim environments.[2]

Enterprise T1047 Windows Management Instrumentation

Aquatic Panda used WMI for lateral movement in victim environments.[2]

Software

ID Name References Techniques
S0154 Cobalt Strike [1] Abuse Elevation Control Mechanism: Sudo and Sudo Caching, Abuse Elevation Control Mechanism: Bypass User Account Control, Access Token Manipulation: Parent PID Spoofing, Access Token Manipulation: Token Impersonation/Theft, Access Token Manipulation: Make and Impersonate Token, Account Discovery: Domain Account, Application Layer Protocol: DNS, Application Layer Protocol: Web Protocols, Application Layer Protocol: File Transfer Protocols, BITS Jobs, Browser Session Hijacking, Command and Scripting Interpreter: JavaScript, Command and Scripting Interpreter: Visual Basic, Command and Scripting Interpreter: PowerShell, Command and Scripting Interpreter: Python, Command and Scripting Interpreter: Windows Command Shell, Create or Modify System Process: Windows Service, Data Encoding: Standard Encoding, Data from Local System, Data Obfuscation: Protocol or Service Impersonation, Data Transfer Size Limits, Deobfuscate/Decode Files or Information, Encrypted Channel: Asymmetric Cryptography, Encrypted Channel: Symmetric Cryptography, Exploitation for Client Execution, Exploitation for Privilege Escalation, File and Directory Discovery, Hide Artifacts: Process Argument Spoofing, Impair Defenses: Disable or Modify Tools, Indicator Removal: Timestomp, Ingress Tool Transfer, Input Capture: Keylogging, Modify Registry, Native API, Network Service Discovery, Network Share Discovery, Non-Application Layer Protocol, Obfuscated Files or Information: Indicator Removal from Tools, Obfuscated Files or Information, Office Application Startup: Office Template Macros, OS Credential Dumping: LSASS Memory, OS Credential Dumping: Security Account Manager, Permission Groups Discovery: Domain Groups, Permission Groups Discovery: Local Groups, Process Discovery, Process Injection: Dynamic-link Library Injection, Process Injection: Process Hollowing, Process Injection, Protocol Tunneling, Proxy: Domain Fronting, Proxy: Internal Proxy, Query Registry, Reflective Code Loading, Remote Services: Remote Desktop Protocol, Remote Services: SSH, Remote Services: Windows Remote Management, Remote Services: SMB/Windows Admin Shares, Remote Services: Distributed Component Object Model, Remote System Discovery, Scheduled Transfer, Screen Capture, Software Discovery, Subvert Trust Controls: Code Signing, System Binary Proxy Execution: Rundll32, System Network Configuration Discovery, System Network Connections Discovery, System Service Discovery, System Services: Service Execution, Use Alternate Authentication Material: Pass the Hash, Valid Accounts: Domain Accounts, Valid Accounts: Local Accounts, Windows Management Instrumentation
S0385 njRAT [1] Application Layer Protocol: Web Protocols, Application Window Discovery, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Command and Scripting Interpreter: PowerShell, Command and Scripting Interpreter: Windows Command Shell, Credentials from Password Stores: Credentials from Web Browsers, Data Encoding: Standard Encoding, Data from Local System, Dynamic Resolution: Fast Flux DNS, Exfiltration Over C2 Channel, File and Directory Discovery, Impair Defenses: Disable or Modify System Firewall, Indicator Removal: File Deletion, Indicator Removal: Clear Persistence, Ingress Tool Transfer, Input Capture: Keylogging, Modify Registry, Native API, Non-Standard Port, Obfuscated Files or Information: Encrypted/Encoded File, Obfuscated Files or Information: Compile After Delivery, Peripheral Device Discovery, Process Discovery, Query Registry, Remote Services: Remote Desktop Protocol, Remote System Discovery, Replication Through Removable Media, Screen Capture, System Information Discovery, System Owner/User Discovery, Video Capture
S0596 ShadowPad Aquatic Panda used ShadowPad as a remote access tool to victim environments.[2] Application Layer Protocol: DNS, Application Layer Protocol: File Transfer Protocols, Application Layer Protocol: Web Protocols, Data Encoding: Non-Standard Encoding, Deobfuscate/Decode Files or Information, Dynamic Resolution: Domain Generation Algorithms, Indicator Removal, Ingress Tool Transfer, Modify Registry, Non-Application Layer Protocol, Obfuscated Files or Information: Fileless Storage, Obfuscated Files or Information, Process Discovery, Process Injection, Process Injection: Dynamic-link Library Injection, Scheduled Transfer, System Information Discovery, System Network Configuration Discovery, System Owner/User Discovery, System Time Discovery
S0645 Wevtutil Aquatic Panda uses Wevtutil to extract Windows security event log data from victim machines.[2] Data from Local System, Impair Defenses: Disable Windows Event Logging, Indicator Removal: Clear Windows Event Logs
S0430 Winnti for Linux Aquatic Panda used Winnti for Linux for access to victim Linux hosts during intrusions.[2] Application Layer Protocol: Web Protocols, Deobfuscate/Decode Files or Information, Encrypted Channel: Symmetric Cryptography, Ingress Tool Transfer, Non-Application Layer Protocol, Obfuscated Files or Information: Encrypted/Encoded File, Rootkit, Traffic Signaling
S0141 Winnti for Windows Aquatic Panda used Winnti for Windows for persistent access to Windows victims.[2] Abuse Elevation Control Mechanism: Bypass User Account Control, Application Layer Protocol: Web Protocols, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Create or Modify System Process: Windows Service, Deobfuscate/Decode Files or Information, Encrypted Channel: Symmetric Cryptography, Execution Guardrails: Environmental Keying, File and Directory Discovery, Indicator Removal: File Deletion, Indicator Removal: Timestomp, Ingress Tool Transfer, Masquerading: Match Legitimate Name or Location, Native API, Non-Application Layer Protocol, Obfuscated Files or Information: Encrypted/Encoded File, Process Discovery, Proxy: External Proxy, Proxy: Internal Proxy, System Binary Proxy Execution: Rundll32, System Information Discovery, System Services: Service Execution

References