Aquatic Panda

Aquatic Panda is a suspected China-based threat group with a dual mission of intelligence collection and industrial espionage. Active since at least May 2020, Aquatic Panda has primarily targeted entities in the telecommunications, technology, and government sectors.[1]

ID: G0143
Contributors: NST Assure Research Team, NetSentries Technologies; Pooja Natarajan, NEC Corporation India; Hiroki Nagahama, NEC Corporation; Manikantan Srinivasan, NEC Corporation India
Version: 1.0
Created: 18 January 2022
Last Modified: 21 April 2022

Techniques Used

Domain ID Name Use
Enterprise T1595 .002 Active Scanning: Vulnerability Scanning

Aquatic Panda has used publicly accessible DNS logging services to identify servers vulnerable to Log4j (CVE 2021-44228).[1]

Enterprise T1560 .001 Archive Collected Data: Archive via Utility

Aquatic Panda has used WinRAR to compress memory dumps prior to exfiltration.[1]

Enterprise T1059 .001 Command and Scripting Interpreter: PowerShell

Aquatic Panda has downloaded additional scripts and executed Base64 encoded commands in PowerShell.[1]

.003 Command and Scripting Interpreter: Windows Command Shell

Aquatic Panda has attempted and failed to run Bash commands on a Windows host by passing them to cmd /C.[1]

Enterprise T1574 .001 Hijack Execution Flow: DLL Search Order Hijacking

Aquatic Panda has used DLL search-order hijacking to load exe, dll, and dat files into memory.[1]

Enterprise T1562 .001 Impair Defenses: Disable or Modify Tools

Aquatic Panda has attempted to stop endpoint detection and response (EDR) tools on compromised systems.[1]

Enterprise T1070 .004 Indicator Removal on Host: File Deletion

Aquatic Panda has deleted malicious executables from compromised machines.[1]

Enterprise T1105 Ingress Tool Transfer

Aquatic Panda has downloaded additional malware onto compromised hosts.[1]

Enterprise T1027 Obfuscated Files or Information

Aquatic Panda has encoded commands in Base64.[1]

Enterprise T1588 .001 Obtain Capabilities: Malware

Aquatic Panda has acquired and used njRAT in its operations.[1]

.002 Obtain Capabilities: Tool

Aquatic Panda has acquired and used Cobalt Strike in its operations.[1]

Enterprise T1003 .001 OS Credential Dumping: LSASS Memory

Aquatic Panda has attempted to harvest credentials through LSASS memory dumping.[1]

Enterprise T1518 .001 Software Discovery: Security Software Discovery

Aquatic Panda has attempted to discover third party endpoint detection and response (EDR) tools on compromised systems.[1]

Enterprise T1082 System Information Discovery

Aquatic Panda has used native OS commands to understand privilege levels and system details.[1]

Enterprise T1007 System Service Discovery

Aquatic Panda has attempted to discover services for third party EDR products.[1]

Software

ID Name References Techniques
S0154 Cobalt Strike [1] Abuse Elevation Control Mechanism: Bypass User Account Control, Abuse Elevation Control Mechanism: Sudo and Sudo Caching, Access Token Manipulation: Make and Impersonate Token, Access Token Manipulation: Parent PID Spoofing, Access Token Manipulation: Token Impersonation/Theft, Account Discovery: Domain Account, Application Layer Protocol, Application Layer Protocol: DNS, Application Layer Protocol: Web Protocols, BITS Jobs, Browser Session Hijacking, Command and Scripting Interpreter: Python, Command and Scripting Interpreter: Visual Basic, Command and Scripting Interpreter: PowerShell, Command and Scripting Interpreter: JavaScript, Command and Scripting Interpreter: Windows Command Shell, Commonly Used Port, Create or Modify System Process: Windows Service, Data Encoding: Standard Encoding, Data from Local System, Data Obfuscation: Protocol Impersonation, Data Transfer Size Limits, Deobfuscate/Decode Files or Information, Encrypted Channel: Symmetric Cryptography, Encrypted Channel: Asymmetric Cryptography, Exploitation for Client Execution, Exploitation for Privilege Escalation, File and Directory Discovery, Hide Artifacts: Process Argument Spoofing, Impair Defenses: Disable or Modify Tools, Indicator Removal on Host: Timestomp, Ingress Tool Transfer, Input Capture: Keylogging, Modify Registry, Multiband Communication, Native API, Network Service Discovery, Network Share Discovery, Non-Application Layer Protocol, Obfuscated Files or Information: Indicator Removal from Tools, Obfuscated Files or Information, Office Application Startup: Office Template Macros, OS Credential Dumping: Security Account Manager, OS Credential Dumping: LSASS Memory, Permission Groups Discovery: Local Groups, Permission Groups Discovery: Domain Groups, Process Discovery, Process Injection: Dynamic-link Library Injection, Process Injection: Process Hollowing, Process Injection, Protocol Tunneling, Proxy: Domain Fronting, Proxy: Internal Proxy, Query Registry, Reflective Code Loading, Remote Services: Windows Remote Management, Remote Services: Remote Desktop Protocol, Remote Services: SMB/Windows Admin Shares, Remote Services: Distributed Component Object Model, Remote Services: SSH, Remote System Discovery, Scheduled Transfer, Screen Capture, Software Discovery, Subvert Trust Controls: Code Signing, System Binary Proxy Execution: Rundll32, System Network Configuration Discovery, System Network Connections Discovery, System Service Discovery, System Services: Service Execution, Use Alternate Authentication Material: Pass the Hash, Valid Accounts: Domain Accounts, Valid Accounts: Local Accounts, Windows Management Instrumentation
S0385 njRAT [1] Application Layer Protocol: Web Protocols, Application Window Discovery, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Command and Scripting Interpreter: Windows Command Shell, Command and Scripting Interpreter: PowerShell, Credentials from Password Stores: Credentials from Web Browsers, Data Encoding: Standard Encoding, Data from Local System, Dynamic Resolution: Fast Flux DNS, Exfiltration Over C2 Channel, File and Directory Discovery, Impair Defenses: Disable or Modify System Firewall, Indicator Removal on Host: File Deletion, Indicator Removal on Host, Ingress Tool Transfer, Input Capture: Keylogging, Modify Registry, Native API, Non-Standard Port, Obfuscated Files or Information, Obfuscated Files or Information: Compile After Delivery, Peripheral Device Discovery, Process Discovery, Query Registry, Remote Services: Remote Desktop Protocol, Remote System Discovery, Replication Through Removable Media, Screen Capture, System Information Discovery, System Owner/User Discovery, Video Capture

References