G0143 Aquatic Panda

Aquatic Panda is a suspected China-based threat group with a dual mission of intelligence collection and industrial espionage. Active since at least May 2020, Aquatic Panda has primarily targeted entities in the telecommunications, technology, and government sectors.¹

Item	Value
ID	G0143
Associated Names
Version	1.1
Created	18 January 2022
Last Modified	21 March 2023
Navigation Layer	View In ATT&CK® Navigator

Techniques Used

Domain	ID	Name	Use
enterprise	T1595	Active Scanning	-
enterprise	T1595.002	Vulnerability Scanning	Aquatic Panda has used publicly accessible DNS logging services to identify servers vulnerable to Log4j (CVE 2021-44228).¹
enterprise	T1560	Archive Collected Data	-
enterprise	T1560.001	Archive via Utility	Aquatic Panda has used WinRAR to compress memory dumps prior to exfiltration.¹
enterprise	T1059	Command and Scripting Interpreter	-
enterprise	T1059.001	PowerShell	Aquatic Panda has downloaded additional scripts and executed Base64 encoded commands in PowerShell.¹
enterprise	T1059.003	Windows Command Shell	Aquatic Panda has attempted and failed to run Bash commands on a Windows host by passing them to `cmd /C`.¹
enterprise	T1574	Hijack Execution Flow	-
enterprise	T1574.001	DLL Search Order Hijacking	Aquatic Panda has used DLL search-order hijacking to load `exe`, `dll`, and `dat` files into memory.¹
enterprise	T1562	Impair Defenses	-
enterprise	T1562.001	Disable or Modify Tools	Aquatic Panda has attempted to stop endpoint detection and response (EDR) tools on compromised systems.¹
enterprise	T1070	Indicator Removal	-
enterprise	T1070.004	File Deletion	Aquatic Panda has deleted malicious executables from compromised machines.¹
enterprise	T1105	Ingress Tool Transfer	Aquatic Panda has downloaded additional malware onto compromised hosts.¹
enterprise	T1027	Obfuscated Files or Information	-
enterprise	T1027.010	Command Obfuscation	Aquatic Panda has encoded PowerShell commands in Base64.¹
enterprise	T1588	Obtain Capabilities	-
enterprise	T1588.001	Malware	Aquatic Panda has acquired and used njRAT in its operations.¹
enterprise	T1588.002	Tool	Aquatic Panda has acquired and used Cobalt Strike in its operations.¹
enterprise	T1003	OS Credential Dumping	-
enterprise	T1003.001	LSASS Memory	Aquatic Panda has attempted to harvest credentials through LSASS memory dumping.¹
enterprise	T1518	Software Discovery	-
enterprise	T1518.001	Security Software Discovery	Aquatic Panda has attempted to discover third party endpoint detection and response (EDR) tools on compromised systems.¹
enterprise	T1082	System Information Discovery	Aquatic Panda has used native OS commands to understand privilege levels and system details.¹
enterprise	T1007	System Service Discovery	Aquatic Panda has attempted to discover services for third party EDR products.¹

Software

ID	Name	References	Techniques
S0154	Cobalt Strike	¹	Sudo and Sudo Caching:Abuse Elevation Control Mechanism Bypass User Account Control:Abuse Elevation Control Mechanism Token Impersonation/Theft:Access Token Manipulation Make and Impersonate Token:Access Token Manipulation Parent PID Spoofing:Access Token Manipulation Domain Account:Account Discovery Web Protocols:Application Layer Protocol DNS:Application Layer Protocol Application Layer Protocol BITS Jobs Browser Session Hijacking Visual Basic:Command and Scripting Interpreter Python:Command and Scripting Interpreter JavaScript:Command and Scripting Interpreter PowerShell:Command and Scripting Interpreter Windows Command Shell:Command and Scripting Interpreter Windows Service:Create or Modify System Process Standard Encoding:Data Encoding Data from Local System Protocol Impersonation:Data Obfuscation Data Transfer Size Limits Deobfuscate/Decode Files or Information Asymmetric Cryptography:Encrypted Channel Symmetric Cryptography:Encrypted Channel Exploitation for Client Execution Exploitation for Privilege Escalation File and Directory Discovery Process Argument Spoofing:Hide Artifacts Disable or Modify Tools:Impair Defenses Timestomp:Indicator Removal Ingress Tool Transfer Keylogging:Input Capture Modify Registry Native API Network Service Discovery Network Share Discovery Non-Application Layer Protocol Indicator Removal from Tools:Obfuscated Files or Information Obfuscated Files or Information Office Template Macros:Office Application Startup Security Account Manager:OS Credential Dumping LSASS Memory:OS Credential Dumping Local Groups:Permission Groups Discovery Domain Groups:Permission Groups Discovery Process Discovery Process Hollowing:Process Injection Process Injection Dynamic-link Library Injection:Process Injection Protocol Tunneling Domain Fronting:Proxy Internal Proxy:Proxy Query Registry Reflective Code Loading Windows Remote Management:Remote Services SMB/Windows Admin Shares:Remote Services SSH:Remote Services Remote Desktop Protocol:Remote Services Distributed Component Object Model:Remote Services Remote System Discovery Scheduled Transfer Screen Capture Software Discovery Code Signing:Subvert Trust Controls Rundll32:System Binary Proxy Execution System Network Configuration Discovery System Network Connections Discovery System Service Discovery Service Execution:System Services Pass the Hash:Use Alternate Authentication Material Domain Accounts:Valid Accounts Local Accounts:Valid Accounts Windows Management Instrumentation
S0385	njRAT	¹	Web Protocols:Application Layer Protocol Application Window Discovery Registry Run Keys / Startup Folder:Boot or Logon Autostart Execution Windows Command Shell:Command and Scripting Interpreter PowerShell:Command and Scripting Interpreter Credentials from Web Browsers:Credentials from Password Stores Standard Encoding:Data Encoding Data from Local System Fast Flux DNS:Dynamic Resolution Exfiltration Over C2 Channel File and Directory Discovery Disable or Modify System Firewall:Impair Defenses Clear Persistence:Indicator Removal File Deletion:Indicator Removal Ingress Tool Transfer Keylogging:Input Capture Modify Registry Native API Non-Standard Port Compile After Delivery:Obfuscated Files or Information Obfuscated Files or Information Peripheral Device Discovery Process Discovery Query Registry Remote Desktop Protocol:Remote Services Remote System Discovery Replication Through Removable Media Screen Capture System Information Discovery System Owner/User Discovery Video Capture

References

Wiley, B. et al. (2021, December 29). OverWatch Exposes AQUATIC PANDA in Possession of Log4Shell Exploit Tools During Hands-on Intrusion Attempt. Retrieved January 18, 2022. ↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩