Global computer maker Dell, via its SecureWorks Counter Threat Unit (CTU), has exposed the tactics of the little-known Emissary Panda group, a.k.a. Threat Group 3390, a China-based industrial espionage hacking group.
The group appears to have two aims: to gather strategic information, and to leave malicious tools in compromised systems so that it can get back in at will.
Panda primarily uses strategic web compromises (SWCs), better known as watering hole attacks, to infect its targets: it plants code on legitimate websites its targets are likely to visit. It also uses spear phishing (highly targeted email) to entice a target of interest to visit a compromised website.
The CTU has identified more than 100 compromised websites worldwide used to snare targets, including sites in Iran, Iraq, Zambia, Italy, Afghanistan, Qatar and Ecuador, as well as elsewhere in Europe, South America, the Middle East and Africa. The injected code redirects the visitor's browser to an attacker-controlled site, which delivers drive-by code to the machine without the visitor's knowledge.
Following is a summary of the CTU's findings on the group's tools and tactics:
- Exclusive Hacker Tools -- Panda has many tools in its toolbox. Some are exclusive to the group, while others are shared among a small number of Chinese threat groups. The group's malware can be configured to bypass network-based detection, and its obfuscation of the redirect code planted in SWCs complicates detection of the malicious web traffic. Two tools, ASPXTool and the OwaAuth web shell, appear to be exclusive to the group. OwaAuth is a web shell and credential stealer deployed to Exchange servers, where it is installed as an ISAPI filter; that places it in the IIS request pipeline rather than among the site's visible web files. ASPXTool is a modified version of the ASPXSpy web shell and is used on internally accessible servers running Internet Information Services (IIS).
- Targeting the Domain Controller -- Once inside the network, the attackers go for the domain controller, which gives them access to credentials for a wide range of users and lets them move laterally to other hosts.
- Targeting MS Exchange Servers -- In addition to the domain controller, the attackers install a keylogger and backdoor on Microsoft Exchange servers, which requires technical knowledge of IIS. To compromise an Exchange server, the attackers first obtain credentials for a privileged account and then map a network share to the server. Exchange servers make attractive targets because they are critical to business operations and therefore kept highly available: they are rarely rebuilt or taken offline, so an implant on them tends to survive. The backdoor also guarantees the attackers a way to steal credentials and get back into the network if they are evicted.
- PlugX, ChinaChopper, Hunter and Other Tools of the Trade -- Panda uses the PlugX remote access tool. PlugX has taken the place Poison Ivy once held: a full-featured backdoor used by many threat groups, delivered to hosts in many different ways, persistent through a variety of techniques, and hard to detect with signatures from traditional security controls. Alongside PlugX, the group uses several tools shared with other threat groups. HttpBrowser (also known as TokenControl) lets the attackers spawn a reverse shell, upload or download files and capture keystrokes on a compromised machine. They also use the 'ChinaChopper' web shell, a small web-based executable script, and a web application scanner known as 'Hunter' that can identify vulnerabilities in Tomcat, JBoss and ColdFusion, identify open ports, collect web banners and download secondary files.
- Timeline from Initial Compromise to Siphoning Off Data -- The attackers were observed moving laterally to other hosts as little as two hours after penetrating the network. Data exfiltration has been observed beginning almost four weeks after the initial compromise and continuing for two weeks.
How to fight Panda
The CTU advises organizations to take the following steps to protect themselves and to identify the group's activity within their networks:
- Mandate the use of two-factor authentication for all remote access solutions
- Remove Local Administrator rights
- Audit ISAPI filters on Microsoft Exchange servers (OwaAuth is installed as one)
- Keep third-party software up-to-date
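The ISAPI filter audit is the one recommendation above that most administrators have never performed, so here is an added example of how to do it. This is not code from the article or from the CTU report; it reads the IIS configuration on an Exchange server, lists every registered ISAPI filter, and flags any whose binary is missing, lives outside the directories where Exchange and IIS keep their own filters, or is not Authenticode-signed by Microsoft. It assumes the default IIS configuration path, that Exchange setup has populated the `ExchangeInstallPath` environment variable (it does on supported versions), and that the roots in `$expectedRoots` are where legitimate filters live in your environment; adjust the list if your install differs.

```powershell
# Added example (not from the article or the SecureWorks CTU report).
# Enumerates every ISAPI filter registered in IIS applicationHost.config and
# flags the ones that do not look like legitimate Exchange/IIS components.
# Assumptions: default IIS config path; Exchange setup has set
# $env:ExchangeInstallPath; legitimate filter DLLs live under $expectedRoots
# and carry a valid Authenticode signature from Microsoft.
param(
    [string]$ConfigPath = "$env:windir\System32\inetsrv\config\applicationHost.config"
)

# Directories where we expect legitimate ISAPI filter binaries (assumption).
$expectedRoots = @(
    $env:ExchangeInstallPath,          # e.g. C:\Program Files\Microsoft\Exchange Server\V15\
    "$env:windir\System32\inetsrv",
    "$env:windir\Microsoft.NET"
) | Where-Object { $_ } | ForEach-Object { $_.TrimEnd('\') }

[xml]$cfg = Get-Content -LiteralPath $ConfigPath -Raw

# Filters may be declared globally or inside <location path="SiteName"> blocks
# (Exchange registers its own per site), so walk both with a single XPath.
$results = foreach ($node in $cfg.SelectNodes('//isapiFilters/filter')) {
    $loc   = $node.SelectSingleNode('ancestor::location')
    $scope = if ($loc) { $loc.GetAttribute('path') } else { '<global>' }

    # applicationHost.config stores paths with %windir%-style variables.
    $rawPath  = $node.GetAttribute('path')
    $fullPath = [Environment]::ExpandEnvironmentVariables($rawPath)
    $exists   = Test-Path -LiteralPath $fullPath -PathType Leaf

    $inExpected = $false
    foreach ($root in $expectedRoots) {
        if ($fullPath.StartsWith($root, [StringComparison]::OrdinalIgnoreCase)) { $inExpected = $true }
    }

    $hash = $null; $sigStatus = 'FileMissing'; $signer = $null
    if ($exists) {
        $hash      = (Get-FileHash -LiteralPath $fullPath -Algorithm SHA256).Hash
        $sig       = Get-AuthenticodeSignature -LiteralPath $fullPath
        $sigStatus = $sig.Status.ToString()
        $signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
    }
    $microsoftSigned = ($sigStatus -eq 'Valid') -and ($signer -match 'O=Microsoft Corporation')

    # Build the list of reasons this filter deserves a closer look.
    $reasons = @()
    if (-not $exists)                       { $reasons += 'binary not found on disk' }
    if (-not $inExpected)                   { $reasons += 'path outside expected roots' }
    if ($exists -and -not $microsoftSigned) { $reasons += "signature: $sigStatus" }

    [pscustomobject]@{
        Scope      = $scope
        Name       = $node.GetAttribute('name')
        Path       = $fullPath
        Enabled    = $node.GetAttribute('enabled') -ne 'false'   # attribute defaults to true
        SHA256     = $hash
        Signer     = $signer
        Suspicious = $reasons.Count -gt 0
        Reason     = ($reasons -join '; ')
    }
}

$results | Sort-Object Suspicious -Descending |
    Format-Table Scope, Name, Enabled, Suspicious, Reason, Path -AutoSize
```

Run it in an elevated PowerShell session on each Exchange server and compare the output against a known-good server of the same build; the filter names and paths Exchange itself registers are identical across servers of one version, so any extra entry stands out. By default the `isapiFilters` section is locked at the applicationHost.config level, so this file is authoritative unless someone has unlocked the section to allow per-site web.config overrides; if it has been unlocked, check those web.config files too. For anything marked Suspicious, preserve the DLL and its hash, and pull file-creation timestamps and IIS logs from around that time before removing it, since the CTU observed this group returning through implants left behind for exactly this purpose.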
I will never think of a cute and cuddly panda in the same way again.