Cервис управления информационной безопасностью
Cервис управления информационной безопасностью
Вход Регистрация
MITRE ATT&CK - Преступная группа Deep Panda
Каталоги
MITRE ATT&CK
БДУ ФСТЭК
Новая БДУ ФСТЭК
Риски
Каталоги
MITRE ATT&CK
Преступная группа
Deep Panda
Куда я попал?
SECURITM это SGRC система, ? автоматизирующая процессы в службах информационной безопасности. SECURITM помогает построить и управлять ИСПДн, КИИ, ГИС, СМИБ/СУИБ, банковскими системами защиты.
А еще SECURITM это место для обмена опытом и наработками для служб безопасности.
Подробнее
Наш канал

Deep Panda

Deep Panda is a suspected Chinese threat group known to target many industries, including government, defense, financial, and telecommunications. (Citation: Alperovitch 2014) The intrusion into healthcare company Anthem has been attributed to Deep Panda. (Citation: ThreatConnect Anthem) This group is also known as Shell Crew, WebMasters, KungFu Kittens, and PinkPanther. (Citation: RSA Shell Crew) Deep Panda also appears to be known as Black Vine based on the attribution of both group names to the Anthem intrusion. (Citation: Symantec Black Vine) Some analysts track Deep Panda and APT19 as the same group, but it is unclear from open source information if the groups are the same. (Citation: ICIT China's Espionage Jul 2016)
ID: G0009
Associated Groups: Shell Crew, WebMasters, KungFu Kittens, PinkPanther, Black Vine
Version: 1.2
Created: 31 May 2017
Last Modified: 20 Jul 2022

Associated Group Descriptions
Name Description
Shell Crew (Citation: RSA Shell Crew)
WebMasters (Citation: RSA Shell Crew)
KungFu Kittens (Citation: RSA Shell Crew)
PinkPanther (Citation: RSA Shell Crew)
Black Vine (Citation: Symantec Black Vine)

Techniques Used
Domain ID Name Use
Enterprise T1059 .001 Command and Scripting Interpreter: PowerShell

Deep Panda has used PowerShell scripts to download and execute programs in memory, without writing to disk.(Citation: Alperovitch 2014)
Enterprise T1546 .008 Event Triggered Execution: Accessibility Features

Deep Panda has used the sticky-keys technique to bypass the RDP login screen on remote systems during intrusions.(Citation: RSA Shell Crew)
Enterprise T1564 .003 Hide Artifacts: Hidden Window

Deep Panda has used -w hidden to conceal PowerShell windows by setting the WindowStyle parameter to hidden. (Citation: Alperovitch 2014)
Enterprise T1027 .005 Obfuscated Files or Information: Indicator Removal from Tools

Deep Panda has updated and modified its malware, resulting in different hash values that evade detection.(Citation: Symantec Black Vine)
Enterprise T1021 .002 Remote Services: SMB/Windows Admin Shares

Deep Panda uses net.exe to connect to network shares using net use commands with compromised credentials.(Citation: Alperovitch 2014)
Enterprise T1505 .003 Server Software Component: Web Shell

Deep Panda uses Web shells on publicly accessible Web servers to access victim networks.(Citation: CrowdStrike Deep Panda Web Shells)
Enterprise T1218 .010 System Binary Proxy Execution: Regsvr32

Deep Panda has used regsvr32.exe to execute a server variant of Derusbi in victim networks.(Citation: RSA Shell Crew)

Software
ID Name References Techniques
S0039 Net (Citation: Alperovitch 2014) (Citation: Microsoft Net Utility) (Citation: Savill 1999) Password Policy Discovery, Domain Groups, System Time Discovery, Domain Account, Local Account, System Service Discovery, Remote System Discovery, Network Share Discovery, System Network Connections Discovery, Network Share Connection Removal, Service Execution, Local Account, Local Groups, SMB/Windows Admin Shares, Domain Account
S0057 Tasklist (Citation: Alperovitch 2014) (Citation: Microsoft Tasklist) Process Discovery, System Service Discovery, Security Software Discovery
S0142 StreamEx (Citation: Cylance Shell Crew Feb 2017) Process Discovery, Rundll32, Windows Service, Modify Registry, System Information Discovery, File and Directory Discovery, Security Software Discovery, Obfuscated Files or Information, Windows Command Shell
S0021 Derusbi (Citation: Fidelis Turbo) (Citation: FireEye Periscope March 2018) (Citation: Novetta-Axiom) (Citation: PHOTO) (Citation: ThreatConnect Anthem) Keylogging, Unix Shell, Regsvr32, System Information Discovery, Timestomp, Dynamic-link Library Injection, Custom Command and Control Protocol, File Deletion, Non-Standard Port, Symmetric Cryptography, System Owner/User Discovery, Audio Capture, File and Directory Discovery, Commonly Used Port, Fallback Channels, Non-Application Layer Protocol, Screen Capture, Video Capture, Process Discovery, Query Registry
S0074 Sakula (Citation: Dell Sakula) (Citation: ThreatConnect Anthem) Obfuscated Files or Information, Ingress Tool Transfer, Registry Run Keys / Startup Folder, Web Protocols, Bypass User Account Control, Symmetric Cryptography, DLL Side-Loading, Windows Command Shell, Rundll32, Windows Service, File Deletion
S0097 Ping (Citation: Alperovitch 2014) (Citation: TechNet Ping) Remote System Discovery
S0080 Mivast (Citation: Symantec Backdoor.Mivast) (Citation: Symantec Black Vine) Registry Run Keys / Startup Folder, Commonly Used Port, Security Account Manager, Ingress Tool Transfer, Windows Command Shell

References

  1. DiMaggio, J.. (2015, August 6). The Black Vine cyberespionage group. Retrieved January 26, 2016.
  2. Alperovitch, D. (2014, July 7). Deep in Thought: Chinese Targeting of National Security Think Tanks. Retrieved November 12, 2014.
  3. RYANJ. (2014, February 20). Mo’ Shells Mo’ Problems – Deep Panda Web Shells. Retrieved September 16, 2015.
  4. ThreatConnect Research Team. (2015, February 27). The Anthem Hack: All Roads Lead to China. Retrieved January 26, 2016.
  5. RSA Incident Response. (2014, January). RSA Incident Response Emerging Threat Profile: Shell Crew. Retrieved January 14, 2016.
  6. Cylance SPEAR Team. (2017, February 9). Shell Crew Variants Continue to Fly Under Big AV’s Radar. Retrieved February 15, 2017.
  7. Scott, J. and Spaniel, D. (2016, July 28). ICIT Brief - China’s Espionage Dynasty: Economic Death by a Thousand Cuts. Retrieved June 7, 2018.
Навигация

Мы используем cookie-файлы, чтобы получить статистику, которая помогает нам улучшить сервис для вас с целью персонализации сервисов и предложений. Вы может прочитать подробнее о cookie-файлах или изменить настройки браузера. Продолжая пользоваться сайтом, вы даёте согласие на использование ваших cookie-файлов и соглашаетесь с Политикой обработки персональных данных.