1. Home
  2. Groups
  3. Deep Panda

Deep Panda

Deep Panda is a suspected Chinese threat group known to target many industries, including government, defense, financial, and telecommunications. [1] The intrusion into healthcare company Anthem has been attributed to Deep Panda. [2] This group is also known as Shell Crew, WebMasters, KungFu Kittens, and PinkPanther. [3] Deep Panda also appears to be known as Black Vine based on the attribution of both group names to the Anthem intrusion. [4] Some analysts track Deep Panda and APT19 as the same group, but it is unclear from open source information if the groups are the same. [5]

ID: G0009
Associated Groups: Shell Crew, WebMasters, KungFu Kittens, PinkPanther, Black Vine
Contributors: Andrew Smith, @jakx_
Version: 1.2
Created: 31 May 2017
Last Modified: 09 February 2021

Associated Group Descriptions

Name Description
Shell Crew

[3]
WebMasters

[3]
KungFu Kittens

[3]
PinkPanther

[3]
Black Vine

[4]
Enterprise Layer
download view

Techniques Used

Domain ID Name Use
Enterprise T1059 .001 Command and Scripting Interpreter: PowerShell

Deep Panda has used PowerShell scripts to download and execute programs in memory, without writing to disk.[1]
Enterprise T1546 .008 Event Triggered Execution: Accessibility Features

Deep Panda has used the sticky-keys technique to bypass the RDP login screen on remote systems during intrusions.[3]
Enterprise T1564 .003 Hide Artifacts: Hidden Window

Deep Panda has used -w hidden to conceal PowerShell windows by setting the WindowStyle parameter to hidden. [1]
Enterprise T1027 .005 Obfuscated Files or Information: Indicator Removal from Tools

Deep Panda has updated and modified its malware, resulting in different hash values that evade detection.[4]
Enterprise T1057 Process Discovery

Deep Panda uses the Microsoft Tasklist utility to list processes running on systems.[1]
Enterprise T1021 .002 Remote Services: SMB/Windows Admin Shares

Deep Panda uses net.exe to connect to network shares using net use commands with compromised credentials.[1]
Enterprise T1018 Remote System Discovery

Deep Panda has used ping to identify other machines of interest.[1]
Enterprise T1505 .003 Server Software Component: Web Shell

Deep Panda uses Web shells on publicly accessible Web servers to access victim networks.[6]
Enterprise T1218 .010 System Binary Proxy Execution: Regsvr32

Deep Panda has used regsvr32.exe to execute a server variant of Derusbi in victim networks.[3]
Enterprise T1047 Windows Management Instrumentation

The Deep Panda group is known to utilize WMI for lateral movement.[1]

Software

ID Name References Techniques
S0021 Derusbi [2] Audio Capture, Command and Scripting Interpreter: Unix Shell, Commonly Used Port, Encrypted Channel: Symmetric Cryptography, Fallback Channels, File and Directory Discovery, Indicator Removal on Host: File Deletion, Indicator Removal on Host: Timestomp, Input Capture: Keylogging, Non-Application Layer Protocol, Non-Standard Port, Process Discovery, Process Injection: Dynamic-link Library Injection, Query Registry, Screen Capture, System Binary Proxy Execution: Regsvr32, System Information Discovery, System Owner/User Discovery, Video Capture
S0080 Mivast [4] Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Command and Scripting Interpreter: Windows Command Shell, Commonly Used Port, Ingress Tool Transfer, OS Credential Dumping: Security Account Manager
S0039 Net [1] Account Discovery: Domain Account, Account Discovery: Local Account, Create Account: Domain Account, Create Account: Local Account, Indicator Removal on Host: Network Share Connection Removal, Network Share Discovery, Password Policy Discovery, Permission Groups Discovery: Domain Groups, Permission Groups Discovery: Local Groups, Remote Services: SMB/Windows Admin Shares, Remote System Discovery, System Network Connections Discovery, System Service Discovery, System Services: Service Execution, System Time Discovery
S0097 Ping [1] Remote System Discovery
S0074 Sakula [2] Abuse Elevation Control Mechanism: Bypass User Account Control, Application Layer Protocol: Web Protocols, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Command and Scripting Interpreter: Windows Command Shell, Create or Modify System Process: Windows Service, Encrypted Channel: Symmetric Cryptography, Hijack Execution Flow: DLL Side-Loading, Indicator Removal on Host: File Deletion, Ingress Tool Transfer, Obfuscated Files or Information, System Binary Proxy Execution: Rundll32
S0142 StreamEx [7] Command and Scripting Interpreter: Windows Command Shell, Create or Modify System Process: Windows Service, File and Directory Discovery, Modify Registry, Obfuscated Files or Information, Process Discovery, Software Discovery: Security Software Discovery, System Binary Proxy Execution: Rundll32, System Information Discovery
S0057 Tasklist [1] Process Discovery, Software Discovery: Security Software Discovery, System Service Discovery

References

  1. Alperovitch, D. (2014, July 7). Deep in Thought: Chinese Targeting of National Security Think Tanks. Retrieved November 12, 2014.
  2. ThreatConnect Research Team. (2015, February 27). The Anthem Hack: All Roads Lead to China. Retrieved January 26, 2016.
  3. RSA Incident Response. (2014, January). RSA Incident Response Emerging Threat Profile: Shell Crew. Retrieved January 14, 2016.
  4. DiMaggio, J.. (2015, August 6). The Black Vine cyberespionage group. Retrieved January 26, 2016.
  1. Scott, J. and Spaniel, D. (2016, July 28). ICIT Brief - China’s Espionage Dynasty: Economic Death by a Thousand Cuts. Retrieved June 7, 2018.
  2. RYANJ. (2014, February 20). Mo’ Shells Mo’ Problems – Deep Panda Web Shells. Retrieved September 16, 2015.
  3. Cylance SPEAR Team. (2017, February 9). Shell Crew Variants Continue to Fly Under Big AV’s Radar. Retrieved February 15, 2017.