
G0009 Deep Panda

Deep Panda is a suspected Chinese threat group known to target many industries, including government, defense, financial, and telecommunications. [1] The intrusion into the healthcare company Anthem has been attributed to Deep Panda. [5] This group is also known as Shell Crew, WebMasters, KungFu Kittens, and PinkPanther. [3] Deep Panda also appears to be known as Black Vine, based on the attribution of both group names to the Anthem intrusion. [2] Some analysts track Deep Panda and APT19 as the same group, but it is unclear from open-source information whether the groups are the same. [4]

ID: G0009
Associated Names: Shell Crew, WebMasters, KungFu Kittens, PinkPanther, Black Vine
Version: 1.2
Created: 31 May 2017
Last Modified: 20 July 2022

Associated Group Descriptions

Name (reference)
Shell Crew [3]
WebMasters [3]
KungFu Kittens [3]
PinkPanther [3]
Black Vine [2]

Techniques Used

Domain: enterprise

T1059 Command and Scripting Interpreter
    T1059.001 PowerShell: Deep Panda has used PowerShell scripts to download and execute programs in memory, without writing to disk. [1]
T1546 Event Triggered Execution
    T1546.008 Accessibility Features: Deep Panda has used the sticky-keys technique to bypass the RDP login screen on remote systems during intrusions. [3]
T1564 Hide Artifacts
    T1564.003 Hidden Window: Deep Panda has used -w hidden to conceal PowerShell windows by setting the WindowStyle parameter to hidden. [1]
T1027 Obfuscated Files or Information
    T1027.005 Indicator Removal from Tools: Deep Panda has updated and modified its malware, resulting in different hash values that evade detection. [2]
T1057 Process Discovery: Deep Panda uses the Microsoft Tasklist utility to list processes running on systems. [1]
T1021 Remote Services
    T1021.002 SMB/Windows Admin Shares: Deep Panda uses net.exe to connect to network shares using net use commands with compromised credentials. [1]
T1018 Remote System Discovery: Deep Panda has used ping to identify other machines of interest. [1]
T1505 Server Software Component
    T1505.003 Web Shell: Deep Panda uses Web shells on publicly accessible Web servers to access victim networks. [6]
T1218 System Binary Proxy Execution
    T1218.010 Regsvr32: Deep Panda has used regsvr32.exe to execute a server variant of Derusbi in victim networks. [3]
T1047 Windows Management Instrumentation: The Deep Panda group is known to utilize WMI for lateral movement. [1]

Software

ID, Name [reference]: Techniques (sub-technique listed as "Sub-technique (Parent technique)")

S0021 Derusbi [5]: Audio Capture; Unix Shell (Command and Scripting Interpreter); Symmetric Cryptography (Encrypted Channel); Fallback Channels; File and Directory Discovery; File Deletion (Indicator Removal); Timestomp (Indicator Removal); Keylogging (Input Capture); Non-Application Layer Protocol; Non-Standard Port; Process Discovery; Dynamic-link Library Injection (Process Injection); Query Registry; Screen Capture; Regsvr32 (System Binary Proxy Execution); System Information Discovery; System Owner/User Discovery; Video Capture
S0080 Mivast [2]: Registry Run Keys / Startup Folder (Boot or Logon Autostart Execution); Windows Command Shell (Command and Scripting Interpreter); Ingress Tool Transfer; Security Account Manager (OS Credential Dumping)
S0039 Net [1]: Domain Account (Account Discovery); Local Account (Account Discovery); Local Account (Create Account); Domain Account (Create Account); Network Share Connection Removal (Indicator Removal); Network Share Discovery; Password Policy Discovery; Local Groups (Permission Groups Discovery); Domain Groups (Permission Groups Discovery); SMB/Windows Admin Shares (Remote Services); Remote System Discovery; System Network Connections Discovery; System Service Discovery; Service Execution (System Services); System Time Discovery
S0097 Ping [1]: Remote System Discovery
S0074 Sakula [5]: Bypass User Account Control (Abuse Elevation Control Mechanism); Web Protocols (Application Layer Protocol); Registry Run Keys / Startup Folder (Boot or Logon Autostart Execution); Windows Command Shell (Command and Scripting Interpreter); Windows Service (Create or Modify System Process); Symmetric Cryptography (Encrypted Channel); DLL Side-Loading (Hijack Execution Flow); File Deletion (Indicator Removal); Ingress Tool Transfer; Obfuscated Files or Information; Rundll32 (System Binary Proxy Execution)
S0142 StreamEx [7]: Windows Command Shell (Command and Scripting Interpreter); Windows Service (Create or Modify System Process); File and Directory Discovery; Modify Registry; Obfuscated Files or Information; Process Discovery; Security Software Discovery (Software Discovery); Rundll32 (System Binary Proxy Execution); System Information Discovery
S0057 Tasklist [1]: Process Discovery; Security Software Discovery (Software Discovery); System Service Discovery

References