Aquatic Panda

Aquatic Panda is a suspected China-based threat group with a dual mission of intelligence collection and industrial espionage. Active since at least May 2020, Aquatic Panda has primarily targeted entities in the telecommunications, technology, and government sectors.[1]

ID: G0143
Contributors: NST Assure Research Team, NetSentries Technologies; Pooja Natarajan, NEC Corporation India; Hiroki Nagahama, NEC Corporation; Manikantan Srinivasan, NEC Corporation India; Jai Minton, CrowdStrike; Jennifer Kim Roman, CrowdStrike
Version: 2.0
Created: 18 January 2022
Last Modified: 10 October 2024

Techniques Used

Domain ID Name Use
Enterprise T1047 Windows Management Instrumentation

Aquatic Panda used WMI for lateral movement in victim environments.[2]

Enterprise T1595 .002 Active Scanning: Vulnerability Scanning

Aquatic Panda has used publicly accessible DNS logging services to identify servers vulnerable to Log4j (CVE-2021-44228).[1]

Enterprise T1005 Data from Local System

Aquatic Panda captured local Windows security event log data from victim machines using the wevtutil utility to extract contents to an evtx output file.[2]

Enterprise T1036 .004 Masquerading: Masquerade Task or Service

Aquatic Panda created new, malicious services using names such as Windows User Service to attempt to blend in with legitimate items on victim systems.[2]

.005 Masquerading: Match Legitimate Name or Location

Aquatic Panda renamed or moved malicious binaries to legitimate locations to evade defenses and blend into victim environments.[2]

Enterprise T1550 .002 Use Alternate Authentication Material: Pass the Hash

Aquatic Panda used a registry edit to enable a Windows feature called RestrictedAdmin in victim environments. This change allowed Aquatic Panda to leverage "pass the hash" mechanisms as the alteration allows for RDP connections with a valid account name and hash only, without possessing a cleartext password value.[2]

Enterprise T1112 Modify Registry

Aquatic Panda modified the victim registry to enable the RestrictedAdmin mode feature, allowing for pass the hash behaviors to function via RDP.[2]

Enterprise T1543 .003 Create or Modify System Process: Windows Service

Aquatic Panda created new Windows services for persistence that masqueraded as legitimate Windows services via name change.[2]

Enterprise T1574 .001 Hijack Execution Flow: DLL Search Order Hijacking

Aquatic Panda has used DLL search-order hijacking to load exe, dll, and dat files into memory.[1] Aquatic Panda loaded a malicious DLL into the legitimate Windows Security Health Service executable (SecurityHealthService.exe) to execute malicious code on victim systems.[2]

.006 Hijack Execution Flow: Dynamic Linker Hijacking

Aquatic Panda modified the ld.so preload file in Linux environments to enable persistence for Winnti malware.[2]
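The preload-file persistence described above is cheap to audit: on a healthy host /etc/ld.so.preload is normally empty, so every entry deserves a look. The following audit routine is an added example, not code from ATT&CK or the cited reports; the sample file contents and library names in it are constructed, and the baseline set is whatever your build standard allows.

```python
import os

# Directories a non-privileged user can usually write to; a preloaded library
# under one of them is a strong signal on its own.
UNTRUSTED_PREFIXES = ("/tmp/", "/var/tmp/", "/dev/shm/", "/home/", "/root/")

# Constructed file contents for demonstration (library names are invented).
SAMPLE_PRELOAD = """\
# libraries preloaded into every dynamically linked process
/usr/lib/x86_64-linux-gnu/libauthz-hook.so
/dev/shm/.cache/libxselinux.so
libudev.so.1
"""

def parse_preload(contents):
    """Return the shared-object entries in ld.so.preload contents.
    glibc accepts entries separated by whitespace or ':' and treats '#' as a comment."""
    entries = []
    for line in contents.splitlines():
        line = line.split("#", 1)[0]
        entries.extend(line.replace(":", " ").split())
    return entries

def audit_preload(contents, baseline=frozenset()):
    """Flag every entry that is not in the approved baseline, with the reason it stands out."""
    findings = []
    for entry in parse_preload(contents):
        if entry in baseline:
            continue
        if not entry.startswith("/"):
            reason = "relative path, resolved via library search order"
        elif entry.startswith(UNTRUSTED_PREFIXES):
            reason = "library under a user-writable or temporary directory"
        else:
            reason = "not in baseline"
        findings.append((entry, reason))
    return findings

if __name__ == "__main__":
    # Audit the real file when present, otherwise demonstrate on the constructed sample.
    path = "/etc/ld.so.preload"
    if os.path.exists(path):
        with open(path) as f:
            contents = f.read()
    else:
        contents = SAMPLE_PRELOAD
    for entry, reason in audit_preload(contents):
        print(f"[ld.so.preload] {entry}: {reason}")
```

Run it from a file-integrity or EDR scheduled check; an empty result is the expected state on most servers.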

Enterprise T1059 .001 Command and Scripting Interpreter: PowerShell

Aquatic Panda has downloaded additional scripts and executed Base64 encoded commands in PowerShell.[1]

.003 Command and Scripting Interpreter: Windows Command Shell

Aquatic Panda has attempted and failed to run Bash commands on a Windows host by passing them to cmd /C.[1]

.004 Command and Scripting Interpreter: Unix Shell

Aquatic Panda used malicious shell scripts in Linux environments following access via SSH to install Linux versions of Winnti malware.[2]

Enterprise T1562 .001 Impair Defenses: Disable or Modify Tools

Aquatic Panda has attempted to stop endpoint detection and response (EDR) tools on compromised systems.[1]

Enterprise T1560 .001 Archive Collected Data: Archive via Utility

Aquatic Panda has used several publicly available tools, including WinRAR and 7zip, to compress collected files and memory dumps prior to exfiltration.[1][2]

Enterprise T1003 .001 OS Credential Dumping: LSASS Memory

Aquatic Panda has attempted to harvest credentials through LSASS memory dumping.[1]

Enterprise T1654 Log Enumeration

Aquatic Panda enumerated logs related to authentication in Linux environments prior to deleting selective entries for defense evasion purposes.[2]

Enterprise T1078 .002 Valid Accounts: Domain Accounts

Aquatic Panda used multiple mechanisms to capture valid user accounts for victim domains to enable lateral movement and access to additional hosts in victim environments.[2]

Enterprise T1027 .010 Obfuscated Files or Information: Command Obfuscation

Aquatic Panda has encoded PowerShell commands in Base64.[1]

Enterprise T1070 .001 Indicator Removal: Clear Windows Event Logs

Aquatic Panda clears Windows Event Logs following activity to evade defenses.[2]

.003 Indicator Removal: Clear Command History

Aquatic Panda cleared command history in Linux environments to remove traces of activity after operations.[2]

.004 Indicator Removal: File Deletion

Aquatic Panda has deleted malicious executables from compromised machines.[1][2]

Enterprise T1218 .011 System Binary Proxy Execution: Rundll32

Aquatic Panda used rundll32.exe to proxy execution of a malicious DLL file identified as a keylogging binary.[2]
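Several of the Windows behaviours on this page leave a command line behind: the wevtutil export and clearing of the Security log (T1005, T1070.001), the registry edit enabling RestrictedAdmin (T1112, T1550.002), Base64 encoded PowerShell (T1059.001, T1027.010) and rundll32 proxying a DLL from a user-writable path (T1218.011). The detection pass below is an added example, not code from ATT&CK or the cited reports; the process-creation records are constructed, the field names are our own, and the DisableRestrictedAdmin value name comes from Windows documentation rather than from this page.

```python
import re

# Constructed process-creation records (not real telemetry); field names are our own.
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\wevtutil.exe",
     "cmd": r"wevtutil epl Security C:\Users\Public\sec.evtx"},
    {"image": r"C:\Windows\System32\wevtutil.exe", "cmd": "wevtutil cl Security"},
    {"image": r"C:\Windows\System32\reg.exe",
     "cmd": r"reg add HKLM\SYSTEM\CurrentControlSet\Control\Lsa /v DisableRestrictedAdmin /t REG_DWORD /d 0 /f"},
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": "powershell -nop -w hidden -enc SQBFAFgAIAAoACcAdABlAHMAdAAnACkA"},
    {"image": r"C:\Windows\System32\rundll32.exe", "cmd": r"rundll32.exe C:\Users\Public\kl.dll,Start"},
    {"image": r"C:\Windows\System32\rundll32.exe",
     "cmd": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"},
    {"image": r"C:\Windows\System32\wevtutil.exe", "cmd": "wevtutil qe System /c:5"},  # benign query
]

def wevtutil_export_or_clear(cmd):
    # Export (epl) of a log to a file or clearing (cl) of a log, as opposed to a plain query (qe).
    m = re.match(r"^\s*\S*wevtutil(?:\.exe)?\s+(\S+)", cmd, re.I)
    return bool(m) and m.group(1).lower() in {"epl", "export-log", "cl", "clear-log"}

def encoded_powershell(cmd):
    # -e / -ec / -enc / -EncodedCommand all denote a Base64 encoded command; -ExecutionPolicy does not match.
    return bool(re.search(r"powershell(?:\.exe)?\b.*\s-e(?:c|nc|ncodedcommand)?\b", cmd, re.I))

def restrictedadmin_registry_edit(cmd):
    # reg.exe writing any value whose name mentions RestrictedAdmin.
    return bool(re.search(r"\breg(?:\.exe)?\s+add\b", cmd, re.I)) and "restrictedadmin" in cmd.lower()

def rundll32_outside_windows_dir(cmd):
    # rundll32 loading a DLL from anywhere other than the Windows directory tree.
    m = re.match(r'^\s*"?\S*rundll32(?:\.exe)?"?\s+"?([^",]+\.dll)', cmd, re.I)
    return bool(m) and not m.group(1).lower().startswith("c:\\windows\\")

RULES = [
    ("T1005 / T1070.001", "wevtutil export or clear of an event log", wevtutil_export_or_clear),
    ("T1059.001 / T1027.010", "Base64 encoded PowerShell command", encoded_powershell),
    ("T1112 / T1550.002", "registry edit touching RestrictedAdmin", restrictedadmin_registry_edit),
    ("T1218.011", "rundll32 loading a DLL outside the Windows directory", rundll32_outside_windows_dir),
]

def detect(events):
    """Return one finding per (event, rule) match, tagged with the ATT&CK technique IDs."""
    return [{"technique": tid, "rule": name, "cmd": ev["cmd"]}
            for ev in events for tid, name, pred in RULES if pred(ev["cmd"])]

if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print(f"{hit['technique']:<24} {hit['rule']}: {hit['cmd']}")
```

The benign wevtutil query and the rundll32 call into System32 are deliberately left unflagged, so the rules can be tuned against real baseline telemetry before deployment.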

Enterprise T1082 System Information Discovery

Aquatic Panda has used native OS commands to understand privilege levels and system details.[1]

Enterprise T1033 System Owner/User Discovery

Aquatic Panda gathers information on recently logged-in users on victim devices.[2]

Enterprise T1007 System Service Discovery

Aquatic Panda has attempted to discover services for third-party EDR products.[1]

Enterprise T1588 .001 Obtain Capabilities: Malware

Aquatic Panda has acquired and used njRAT in its operations.[1]

.002 Obtain Capabilities: Tool

Aquatic Panda has acquired and used Cobalt Strike in its operations.[1]

Enterprise T1087 Account Discovery

Aquatic Panda used the last command in Linux environments to identify recently logged-in users on victim machines.[2]

Enterprise T1518 .001 Software Discovery: Security Software Discovery

Aquatic Panda has attempted to discover third-party endpoint detection and response (EDR) tools on compromised systems.[1]

Enterprise T1105 Ingress Tool Transfer

Aquatic Panda has downloaded additional malware onto compromised hosts.[1]

Enterprise T1021 Remote Services

Aquatic Panda used remote scheduled tasks to install malicious software on victim systems during lateral movement actions.[2]

.001 Remote Desktop Protocol

Aquatic Panda leveraged stolen credentials to move laterally via RDP in victim environments.[2]

.002 SMB/Windows Admin Shares

Aquatic Panda used remote shares to enable lateral movement in victim environments.[2]

.004 SSH

Aquatic Panda used SSH with captured user credentials to move laterally in victim environments.[2]

Software

ID Name References Techniques
S0154 Cobalt Strike [1] BITS Jobs, Windows Management Instrumentation, Data from Local System, Proxy: Domain Fronting, Proxy: Internal Proxy, Use Alternate Authentication Material: Pass the Hash, Modify Registry, Create or Modify System Process: Windows Service, Office Application Startup: Office Template Macros, Encrypted Channel: Asymmetric Cryptography, Encrypted Channel: Symmetric Cryptography, Protocol Tunneling, Reflective Code Loading, Deobfuscate/Decode Files or Information, Command and Scripting Interpreter: JavaScript, Command and Scripting Interpreter: Visual Basic, Command and Scripting Interpreter: PowerShell, Command and Scripting Interpreter: Python, Command and Scripting Interpreter: Windows Command Shell, Impair Defenses: Disable or Modify Tools, Exploitation for Client Execution, Screen Capture, Application Layer Protocol: DNS, Application Layer Protocol: Web Protocols, Application Layer Protocol: File Transfer Protocols, OS Credential Dumping: LSASS Memory, OS Credential Dumping: Security Account Manager, Data Transfer Size Limits, Data Obfuscation: Protocol or Service Impersonation, Data Encoding: Standard Encoding, File and Directory Discovery, Valid Accounts: Domain Accounts, Valid Accounts: Local Accounts, Native API, Exploitation for Privilege Escalation, Permission Groups Discovery: Domain Groups, Permission Groups Discovery: Local Groups, Query Registry, Browser Session Hijacking, Obfuscated Files or Information: Indicator Removal from Tools, Obfuscated Files or Information, Abuse Elevation Control Mechanism: Sudo and Sudo Caching, Abuse Elevation Control Mechanism: Bypass User Account Control, Indicator Removal: Timestomp, System Binary Proxy Execution: Rundll32, System Services: Service Execution, System Service Discovery, System Network Connections Discovery, System Network Configuration Discovery, Network Share Discovery, Network Service Discovery, Access Token Manipulation: Parent PID Spoofing, Access Token Manipulation: Token Impersonation/Theft, Access Token Manipulation: Make and Impersonate Token, Account Discovery: Domain Account, Software Discovery, Ingress Tool Transfer, Input Capture: Keylogging, Process Discovery, Process Injection: Dynamic-link Library Injection, Process Injection: Process Hollowing, Process Injection, Remote Services: Remote Desktop Protocol, Remote Services: SSH, Remote Services: Windows Remote Management, Remote Services: SMB/Windows Admin Shares, Remote Services: Distributed Component Object Model, Remote System Discovery, Hide Artifacts: Process Argument Spoofing, Non-Application Layer Protocol, Scheduled Transfer, Subvert Trust Controls: Code Signing
S0385 njRAT [1] Credentials from Password Stores: Credentials from Web Browsers, Data from Local System, Modify Registry, Dynamic Resolution: Fast Flux DNS, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Command and Scripting Interpreter: PowerShell, Command and Scripting Interpreter: Windows Command Shell, Peripheral Device Discovery, Impair Defenses: Disable or Modify System Firewall, Screen Capture, Application Layer Protocol: Web Protocols, Application Window Discovery, Data Encoding: Standard Encoding, File and Directory Discovery, Native API, Query Registry, Obfuscated Files or Information: Encrypted/Encoded File, Obfuscated Files or Information: Compile After Delivery, Indicator Removal: File Deletion, Indicator Removal: Clear Persistence, System Information Discovery, System Owner/User Discovery, Video Capture, Ingress Tool Transfer, Input Capture: Keylogging, Process Discovery, Remote Services: Remote Desktop Protocol, Remote System Discovery, Exfiltration Over C2 Channel, Replication Through Removable Media, Non-Standard Port
S0596 ShadowPad Aquatic Panda used ShadowPad as a remote access tool to victim environments.[2] Modify Registry, Dynamic Resolution: Domain Generation Algorithms, Deobfuscate/Decode Files or Information, Application Layer Protocol: DNS, Application Layer Protocol: File Transfer Protocols, Application Layer Protocol: Web Protocols, Data Encoding: Non-Standard Encoding, Obfuscated Files or Information: Fileless Storage, Obfuscated Files or Information, Indicator Removal, System Information Discovery, System Owner/User Discovery, System Time Discovery, System Network Configuration Discovery, Ingress Tool Transfer, Process Discovery, Process Injection, Process Injection: Dynamic-link Library Injection, Non-Application Layer Protocol, Scheduled Transfer
S0645 Wevtutil Aquatic Panda uses Wevtutil to extract Windows security event log data from victim machines.[2] Data from Local System, Impair Defenses: Disable Windows Event Logging, Indicator Removal: Clear Windows Event Logs
S0430 Winnti for Linux Aquatic Panda used Winnti for Linux for access to victim Linux hosts during intrusions.[2] Rootkit, Encrypted Channel: Symmetric Cryptography, Deobfuscate/Decode Files or Information, Application Layer Protocol: Web Protocols, Traffic Signaling, Obfuscated Files or Information: Encrypted/Encoded File, Ingress Tool Transfer, Non-Application Layer Protocol
S0141 Winnti for Windows Aquatic Panda used Winnti for Windows for persistent access to Windows victims.[2] Proxy: External Proxy, Proxy: Internal Proxy, Masquerading: Match Legitimate Name or Location, Create or Modify System Process: Windows Service, Encrypted Channel: Symmetric Cryptography, Deobfuscate/Decode Files or Information, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Application Layer Protocol: Web Protocols, Execution Guardrails: Environmental Keying, File and Directory Discovery, Native API, Obfuscated Files or Information: Encrypted/Encoded File, Abuse Elevation Control Mechanism: Bypass User Account Control, Indicator Removal: File Deletion, Indicator Removal: Timestomp, System Binary Proxy Execution: Rundll32, System Information Discovery, System Services: Service Execution, Ingress Tool Transfer, Process Discovery, Non-Application Layer Protocol

References