Deep Panda

Deep Panda is a suspected Chinese threat group known to target many industries, including government, defense, financial, and telecommunications. [1] The intrusion into healthcare company Anthem has been attributed to Deep Panda. [2] This group is also known as Shell Crew, WebMasters, KungFu Kittens, and PinkPanther. [3] Deep Panda also appears to be known as Black Vine based on the attribution of both group names to the Anthem intrusion. [4] Some analysts track Deep Panda and APT19 as the same group, but it is unclear from open source information if the groups are the same. [5]

ID: G0009
Associated Groups: Shell Crew, WebMasters, KungFu Kittens, PinkPanther, Black Vine
Contributors: Andrew Smith, @jakx_
Version: 1.2
Created: 31 May 2017
Last Modified: 20 July 2022

Associated Group Descriptions

Name Description
Shell Crew [3]
WebMasters [3]
KungFu Kittens [3]
PinkPanther [3]
Black Vine [4]

Techniques Used

Domain ID Name Use
Enterprise T1047 Windows Management Instrumentation

The Deep Panda group is known to utilize WMI for lateral movement. [1]

Enterprise T1546 .008 Event Triggered Execution: Accessibility Features

Deep Panda has used the sticky-keys technique to bypass the RDP login screen on remote systems during intrusions. [3]

Enterprise T1059 .001 Command and Scripting Interpreter: PowerShell

Deep Panda has used PowerShell scripts to download and execute programs in memory, without writing to disk. [1]

Enterprise T1505 .003 Server Software Component: Web Shell

Deep Panda uses Web shells on publicly accessible Web servers to access victim networks. [6]

Enterprise T1027 .005 Obfuscated Files or Information: Indicator Removal from Tools

Deep Panda has updated and modified its malware, resulting in different hash values that evade detection. [4]

Enterprise T1218 .010 System Binary Proxy Execution: Regsvr32

Deep Panda has used regsvr32.exe to execute a server variant of Derusbi in victim networks. [3]

Enterprise T1057 Process Discovery

Deep Panda uses the Microsoft Tasklist utility to list processes running on systems. [1]

Enterprise T1021 .002 Remote Services: SMB/Windows Admin Shares

Deep Panda uses net.exe to connect to network shares using net use commands with compromised credentials. [1]

Enterprise T1018 Remote System Discovery

Deep Panda has used ping to identify other machines of interest. [1]

Enterprise T1564 .003 Hide Artifacts: Hidden Window

Deep Panda has used -w hidden to conceal PowerShell windows by setting the WindowStyle parameter to hidden. [1]
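Several of the techniques above (hidden-window PowerShell, tasklist, ping, net use against admin shares, regsvr32 loading a DLL, WMI against a remote node) leave a trace in ordinary process-creation telemetry, and the useful detection signal is the chain of them on one host rather than any single command, which an administrator may also run. The script below is an added example, not MITRE's or Deep Panda's code: it parses constructed process-creation records in an assumed "timestamp host=... user=... cmd=..." shape, tags each command line with the technique IDs from this page using heuristics that are my own assumptions (a remote /node: argument for WMI, a DLL outside C:\Windows for regsvr32, a UNC target for net use), and then collapses hits per host so that a host showing several distinct techniques is surfaced for escalation.

```python
"""Tag process-creation records with the Deep Panda techniques listed on this page.

Added example, not MITRE's or the group's code. The record shape and the
command-line heuristics are assumptions for illustration; adapt them to your
own telemetry (Sysmon Event ID 1, Windows Security 4688, EDR) before relying on them.
"""
import re
from collections import defaultdict

# Constructed sample records in the assumed "ts host=... user=... cmd=..." shape.
SAMPLE_LOG = r"""
2022-07-20T10:15:01Z host=WS01 user=CORP\alice cmd=powershell.exe -w hidden -NoProfile -Command Get-Date
2022-07-20T10:15:07Z host=WS01 user=CORP\alice cmd=tasklist.exe /v
2022-07-20T10:15:20Z host=WS01 user=CORP\alice cmd=ping.exe -n 1 FS01
2022-07-20T10:15:35Z host=WS01 user=CORP\alice cmd=net.exe use \\FS01\C$ /user:CORP\svc_backup *
2022-07-20T10:16:02Z host=FS01 user=CORP\svc_backup cmd=regsvr32.exe /s C:\ProgramData\update.dll
2022-07-20T10:16:10Z host=FS01 user=CORP\svc_backup cmd=wmic.exe /node:DB01 process call create cmd.exe
2022-07-20T11:00:00Z host=WS02 user=CORP\bob cmd=notepad.exe C:\Users\bob\notes.txt
2022-07-20T11:05:00Z host=WS02 user=CORP\bob cmd=regsvr32.exe C:\Windows\System32\msxml3.dll
""".strip().splitlines()

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+host=(?P<host>\S+)\s+user=(?P<user>\S+)\s+cmd=(?P<cmd>.*)$")


def parse_line(line):
    """Return one record as a dict, or None if the line does not fit the assumed shape."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def _is(exe, cmd):
    """True when the command line invokes the named binary, with or without the .exe suffix."""
    return re.search(r"\b" + re.escape(exe) + r"(?:\.exe)?\b", cmd, re.I) is not None


def _ps_hidden(cmd):
    """powershell.exe started with -w hidden / -WindowStyle Hidden (T1564.003 on this page)."""
    return _is("powershell", cmd) and re.search(r"-w(?:indowstyle)?\s+hidden\b", cmd, re.I) is not None


def _regsvr32_nonsystem(cmd):
    """regsvr32.exe given a DLL outside C:\\Windows (assumed heuristic, not from the page)."""
    if not _is("regsvr32", cmd):
        return False
    dlls = re.findall(r"\S+\.dll\b", cmd, re.I)
    return any(not d.strip('"').lower().startswith("c:\\windows\\") for d in dlls)


# (technique ID, technique name, predicate over the command line). IDs and names are from this page;
# the predicates are assumed heuristics.
RULES = [
    ("T1047", "Windows Management Instrumentation",
     lambda c: _is("wmic", c) and "/node:" in c.lower()),          # remote node = lateral use
    ("T1059.001", "Command and Scripting Interpreter: PowerShell",
     lambda c: _is("powershell", c)),
    ("T1564.003", "Hide Artifacts: Hidden Window", _ps_hidden),
    ("T1218.010", "System Binary Proxy Execution: Regsvr32", _regsvr32_nonsystem),
    ("T1057", "Process Discovery", lambda c: _is("tasklist", c)),
    ("T1021.002", "Remote Services: SMB/Windows Admin Shares",
     lambda c: re.search(r"\bnet1?(?:\.exe)?\s+use\s+\\\\", c, re.I) is not None),  # UNC target
    ("T1018", "Remote System Discovery", lambda c: _is("ping", c)),
]


def match_techniques(cmd):
    """Return the technique IDs whose heuristic fires on one command line, in RULES order."""
    return [tid for tid, _name, pred in RULES if pred(cmd)]


def triage(lines):
    """Parse records and keep those that trigger at least one heuristic."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ids = match_techniques(rec["cmd"])
        if ids:
            hits.append({"ts": rec["ts"], "host": rec["host"], "user": rec["user"],
                         "techniques": ids, "cmd": rec["cmd"]})
    return hits


def techniques_by_host(hits):
    """Collapse hits to host -> sorted distinct technique IDs."""
    per_host = defaultdict(set)
    for h in hits:
        per_host[h["host"]].update(h["techniques"])
    return {host: sorted(ids) for host, ids in per_host.items()}


def hosts_worth_escalating(hits, min_distinct=3):
    """Hosts on which several distinct techniques co-occur (discovery plus lateral movement),
    which is a stronger signal than any single command an administrator might also run."""
    return sorted(h for h, ids in techniques_by_host(hits).items() if len(ids) >= min_distinct)


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for h in found:
        print(h["ts"], h["host"], h["user"], ",".join(h["techniques"]), "|", h["cmd"])
    print("escalate:", hosts_worth_escalating(found))
```

On the constructed records, WS01 accumulates five distinct technique IDs and is the only host returned by hosts_worth_escalating; the regsvr32 call on WS02 against a DLL under C:\Windows is deliberately left unflagged, since that is the normal way the binary is used. The per-host threshold is the knob to tune against your own baseline of legitimate administrative activity.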

Software

ID Name References Techniques
S0021 Derusbi [2] Encrypted Channel: Symmetric Cryptography, Command and Scripting Interpreter: Unix Shell, Fallback Channels, Screen Capture, File and Directory Discovery, Query Registry, Indicator Removal: Timestomp, Indicator Removal: File Deletion, System Binary Proxy Execution: Regsvr32, System Information Discovery, System Owner/User Discovery, Video Capture, Input Capture: Keylogging, Process Discovery, Process Injection: Dynamic-link Library Injection, Non-Application Layer Protocol, Non-Standard Port, Audio Capture
S0080 Mivast [4] Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Command and Scripting Interpreter: Windows Command Shell, OS Credential Dumping: Security Account Manager, Ingress Tool Transfer
S0039 Net [1] Create Account: Local Account, Create Account: Domain Account, Password Policy Discovery, Permission Groups Discovery: Domain Groups, Permission Groups Discovery: Local Groups, Indicator Removal: Network Share Connection Removal, System Time Discovery, System Services: Service Execution, System Service Discovery, System Network Connections Discovery, Network Share Discovery, Account Discovery: Domain Account, Account Discovery: Local Account, Account Manipulation: Additional Local or Domain Groups, Remote Services: SMB/Windows Admin Shares, Remote System Discovery
S0097 Ping [1] Remote System Discovery
S0074 Sakula [2] Create or Modify System Process: Windows Service, Encrypted Channel: Symmetric Cryptography, Hijack Execution Flow: DLL Side-Loading, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Command and Scripting Interpreter: Windows Command Shell, Application Layer Protocol: Web Protocols, Obfuscated Files or Information: Encrypted/Encoded File, Abuse Elevation Control Mechanism: Bypass User Account Control, Indicator Removal: File Deletion, System Binary Proxy Execution: Rundll32, Ingress Tool Transfer
S0142 StreamEx [7] Modify Registry, Create or Modify System Process: Windows Service, Command and Scripting Interpreter: Windows Command Shell, File and Directory Discovery, Obfuscated Files or Information, System Binary Proxy Execution: Rundll32, System Information Discovery, Software Discovery: Security Software Discovery, Process Discovery
S0057 Tasklist [1] System Service Discovery, Software Discovery: Security Software Discovery, Process Discovery

References