Security Market Segment LS
Monday, 10 August 2015 08:43

Emissary Panda has teeth


There is nothing cuddly about this panda – it has infiltrated hundreds of organisations including defence, aerospace, automotive, energy, pharmaceutical, mining, education, legal and foreign embassies with some spectacular key data store heists.

Global computer maker Dell, via its SecureWorks Counter Threat Unit (CTU), has exposed the tactics of the little-known Emissary Panda group, a.k.a. Threat Group 3390, a China-based industrial espionage hacking group.

Apparently Panda has two aims – to gather strategic information and to leave malicious tools in compromised computer systems to let it back in at will and wreak havoc.

Panda primarily uses strategic web compromises (SWC), better known as watering hole attacks, to infect its targets. It also uses spear phishing (highly targeted email) to entice a target of interest to visit an infected website.

The CTU has discovered more than 100 infected websites worldwide used to snare its targets, including sites in Iran, Iraq, Zambia, Italy, Afghanistan, Qatar and Ecuador, as well as others across Europe, South America, the Middle East and Africa. The infection simply redirects the user to a fake website where drive-by code is downloaded without the visitor’s knowledge.

Following is a CTU report on its tools and tactics:

  • Exclusive hacker tools: Panda has many tools in its toolbox. Some of them are exclusive, while others are shared among a small group of Chinese threat groups. Malware used by the threat group can be configured to bypass network-based detection, and the group’s obfuscation techniques in SWCs complicate detection of malicious web traffic redirects. Two of the tools used by the attackers, ASPXTool and the OwaAuth web shell, appear to be totally exclusive to the group. OwaAuth is a web shell and credential stealer deployed to Exchange servers and installed as an ISAPI filter. ASPXTool is a modified version of the ASPXSpy web shell that is used on internally accessible servers running Internet Information Services (IIS).
  • Targeting the domain controller: Once inside the targeted network, the attackers go for the domain controller, which gives them access to credentials for a variety of users. The attackers were observed moving laterally to other hosts in as little as two hours after penetrating the network. Data exfiltration has been observed happening almost four weeks after the initial compromise and continuing for two weeks.
  • Targeting MS Exchange servers: In addition to going after the domain controller, the attackers also move to install a keylogger and backdoor on Microsoft Exchange servers. This requires technical knowledge of IIS. To compromise the Exchange server, the attackers obtain credentials for a privileged account and map a network share to the server. The servers make attractive targets because their criticality to business operations means they have high availability. In addition, the backdoor guarantees the attackers a way to steal credentials and get back into the network in the event they are booted out.
  • PlugX, ChinaChopper, Hunter and other tools of the trade: Panda uses the PlugX remote access tool. PlugX is the new Poison Ivy: a full-featured backdoor used by many threat groups, delivered to the host in countless ways, persistent through a variety of techniques, and challenging to detect when relying on signatures from traditional security controls. In addition to PlugX, the group uses multiple tools leveraged by other threat groups. HttpBrowser (also known as TokenControl), for example, allows them to spawn a reverse shell, upload or download files and capture keystrokes on a compromised machine. They also use a web-based executable script known as the ‘ChinaChopper’ web shell, as well as a web application scanning tool known as ‘Hunter’ that can identify vulnerabilities in Tomcat, JBoss and ColdFusion, identify open ports, collect web banners and download secondary files.
  • Timeline from initial compromise to siphoning off data: The Panda attackers were observed moving laterally to other hosts in as little as two hours after penetrating the network. Data exfiltration has been observed happening almost four weeks after the initial compromise and continuing for two weeks.
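The report above describes web shells (ASPXTool, ChinaChopper) dropped onto IIS servers. The following PowerShell script is an added example written for this article, not code from the CTU report or from Dell SecureWorks: it enumerates every IIS site and application content root on a host and reports server-side script files that were written recently or that contain constructs typical of one-line web shells. The extension list, the pattern list and the 30-day window are assumptions to tune for your environment.

```powershell
# Added example (not from the CTU report): hunt for recently written or
# suspicious server-side script files under every IIS content root.
# Run in an elevated PowerShell session on the IIS / Exchange host.
Import-Module WebAdministration

# Extensions IIS executes server-side; a dropped web shell is normally one of these (assumption).
$ScriptExtensions = @('.aspx', '.ashx', '.asmx', '.asp', '.cshtml', '.soap')

# Heuristic regexes often present in minimal web shells (assumption; expect some
# false positives in legitimate application code and review hits by hand).
$SuspiciousPatterns = @('eval\s*\(', 'Request\.Item', 'Assembly\.Load', 'ProcessStartInfo', 'cmd\.exe')

function Get-IisContentRoots {
    # Physical paths of every site and every application under it, with
    # environment variables such as %SystemDrive% expanded, de-duplicated.
    $paths = foreach ($site in Get-Website) {
        $site.PhysicalPath
        foreach ($app in Get-WebApplication -Site $site.Name) { $app.PhysicalPath }
    }
    $paths | ForEach-Object { [Environment]::ExpandEnvironmentVariables($_) } | Sort-Object -Unique
}

function Find-SuspiciousWebScripts {
    param([int]$Days = 30)
    $cutoff = (Get-Date).AddDays(-$Days)

    foreach ($root in Get-IisContentRoots) {
        if (-not (Test-Path -LiteralPath $root)) { continue }

        Get-ChildItem -Path $root -Recurse -File -ErrorAction SilentlyContinue |
            Where-Object { $ScriptExtensions -contains $_.Extension.ToLower() } |
            ForEach-Object {
                $content = Get-Content -LiteralPath $_.FullName -Raw -ErrorAction SilentlyContinue
                # Collect every pattern that matches the file body ($null body matches nothing).
                $hits = foreach ($p in $SuspiciousPatterns) { if ($content -match $p) { $p } }
                $recent = $_.LastWriteTime -gt $cutoff

                if ($recent -or $hits) {
                    [PSCustomObject]@{
                        Path            = $_.FullName
                        LastWriteTime   = $_.LastWriteTime
                        SizeBytes       = $_.Length
                        Sha256          = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
                        RecentlyWritten = $recent
                        Patterns        = ($hits -join ', ')
                    }
                }
            }
    }
}

# Usage: newest files first; feed the SHA256 values into your case notes or SIEM.
Find-SuspiciousWebScripts -Days 30 | Sort-Object LastWriteTime -Descending | Format-Table -AutoSize
```

On an Exchange server the OWA and ECP directories legitimately hold hundreds of .aspx files, and cumulative updates rewrite many of them at once, so narrow the date window to the period of concern and compare hashes against a known-good installation of the same build before treating a hit as malicious.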

How to fight Panda

The CTU advises organizations to follow these steps in order to help protect themselves and to identify activity within their network.

  • Mandate the use of two-factor authentication for all remote access solutions
  • Remove Local Administrator rights
  • Audit ISAPI filters on Microsoft Exchange servers
  • Keep third-party software up-to-date
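The recommendation to audit ISAPI filters on Exchange servers follows from the OwaAuth finding above: a web shell installed as an ISAPI filter loads inside IIS itself rather than as a page under a content directory. The following PowerShell script is an added example for this article, not code from the CTU or Dell SecureWorks: it lists every ISAPI filter registered in applicationHost.config and per site, then flags filters whose DLL is missing, unsigned, not signed by Microsoft, or loaded from outside the Windows and Program Files trees. The trusted-root list and the Microsoft-signer check are assumptions; a site with legitimately self-signed third-party filters will need its own allowlist.

```powershell
# Added example (not from the CTU report): inventory and sanity-check IIS ISAPI filters.
# Run in an elevated PowerShell session on the Exchange / IIS host.
Import-Module WebAdministration

function Get-IsapiFilterAudit {
    # Server-wide filters live at the APPHOST scope; each site may add or remove its own.
    # Inherited server-level entries show up again under each site scope, which is expected.
    $scopes = @('MACHINE/WEBROOT/APPHOST')
    $scopes += Get-Website | ForEach-Object { "MACHINE/WEBROOT/APPHOST/$($_.Name)" }

    # Directory trees a legitimate filter DLL is expected to live under (assumption).
    $trustedRoots = @($env:SystemRoot, $env:ProgramFiles, ${env:ProgramFiles(x86)}) |
        Where-Object { $_ } | ForEach-Object { $_.TrimEnd('\') + '\' }

    foreach ($scope in $scopes) {
        $filters = Get-WebConfiguration -Filter 'system.webServer/isapiFilters/filter' `
                                        -PSPath $scope -ErrorAction SilentlyContinue
        foreach ($f in $filters) {
            $dll    = [Environment]::ExpandEnvironmentVariables($f.path)
            $exists = Test-Path -LiteralPath $dll
            $sig    = if ($exists) { Get-AuthenticodeSignature -FilePath $dll } else { $null }
            $signer = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
            $inTrustedRoot = [bool]($trustedRoots |
                Where-Object { $dll.StartsWith($_, [StringComparison]::OrdinalIgnoreCase) })

            # Build the list of reasons this entry deserves a closer look.
            $reasons = @()
            if (-not $exists)                              { $reasons += 'dll-missing' }
            elseif ($sig.Status -ne 'Valid')               { $reasons += "signature-$($sig.Status)" }
            elseif ($signer -notmatch 'O=Microsoft Corporation') { $reasons += 'not-microsoft-signed' }
            if (-not $inTrustedRoot)                       { $reasons += 'outside-trusted-roots' }

            [PSCustomObject]@{
                Scope         = $scope
                Name          = $f.name
                Path          = $dll
                Enabled       = $f.enabled
                PreCondition  = $f.preCondition
                LastWriteTime = if ($exists) { (Get-Item -LiteralPath $dll).LastWriteTime } else { $null }
                Signer        = $signer
                Sha256        = if ($exists) { (Get-FileHash -LiteralPath $dll -Algorithm SHA256).Hash } else { '' }
                Reasons       = ($reasons -join ', ')
                Suspicious    = ($reasons.Count -gt 0)
            }
        }
    }
}

# Usage: show the full inventory, suspicious entries first.
Get-IsapiFilterAudit | Sort-Object Suspicious -Descending | Format-Table -AutoSize
```

Record the output as a baseline after each Exchange cumulative update; a filter that appears between baselines, or one whose DLL hash changes without a corresponding update, is the signal the CTU's recommendation is meant to catch.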

I will never think of a cute and cuddly panda in the same way again.

Ray Shaw


Ray Shaw has had a passion for IT ever since building his first computer in 1980. He is a qualified journalist, hosted a consumer IT radio program on ABC radio for 10 years, has developed world-leading software for the events industry and is smart enough to no longer own a retail computer store!
