Security Market Segment LS
Monday, 10 August 2015 08:43

Emissary Panda has teeth


There is nothing cuddly about this panda – it has infiltrated hundreds of organisations including defence, aerospace, automotive, energy, pharmaceutical, mining, education, legal and foreign embassies with some spectacular key data store heists.

Global computer maker Dell via its SecureWorks Counter Threat Unit (CTU) has exposed the tactics of the little known Emissary Panda group a.k.a. Threat Group 3390, a China-based, industrial espionage hacking group.

Apparently Panda has two aims – to gather strategic information and to leave malicious tools in compromised computer systems to let it back in at will and wreak havoc.

Panda primarily uses strategic web compromises (SWC), better known as watering hole attacks, to infect its targets. It primarily uses spear phishing techniques (highly targeted email) to entice a target of interest to visit an infected website.

The CTU has discovered more than 100 infected global websites to snare its targets, including those in Iran, Iraq, Zambia, Italy, Afghanistan, Qatar, Ecuador, as well as those in other parts of Europe, South America, Middle East and Africa. The infection simply redirects the user to a fake website where drive-by code is downloaded without the visitor’s knowledge.

Following is a CTU report on its tools and tactics

  • Exclusive Hacker Tools-- Panda has many tools in its toolbox.  Some of them are exclusive, while others are shared among a small group of Chinese threat groups. Malware used by the threat group can be configured to bypass network-based detection, and the group’s obfuscation techniques in SWCs complicate detection of malicious web traffic redirects. Two of the tools used by the attackers –ASPXTool and the OwaAuth web shell – appear to be totally exclusive to the group. OwaAuth is a web shell and credential stealer deployed to Exchange Servers and is installed as an ISAPI filter. ASPXTool meanwhile is a modified version of the ASPXSpy web shell that is used on internally accessible servers running Internet Information Services (IIS).
  • Targeting the Domain Controller--Once inside the targeted network, the attackers go for the domain controller, which gives them access to credentials for a variety of users. The attackers were observed moving laterally to other hosts in as little as two hours after penetrating the network. Data exfiltration has been observed happening almost four weeks after the initial compromise and continuing on for two weeks.
  • Targeting MS Exchange Servers---In addition to going after the domain controller, the attackers also move to install a keylogger and backdoor on Microsoft Exchange servers.  This requires technical knowledge of IIS. To compromise the Exchange Server, the attackers obtain credentials for a privileged account and map a network share to the server. The servers make for attractive targets because their criticality to business operations means they have high availability. In addition, the backdoor also guarantees the attackers have a way to steal credentials and get back in the network in the event they are booted out.
  • Plug X, ChinaChopper, Hunter and Other Tools of the Trade--- Panda uses the PlugX remote access tool.   PlugX is the new Poison Ivy. It is a full-featured backdoor used by many threat groups and is delivered countless ways to the host, persists using a variety of techniques, and is challenging to detect when relying on signatures from traditional security controls. In addition to PlugX, the group uses multiple tools leveraged by other threat groups. HttpBrowser (also known as TokenControl) for example allows them to spawn a reverse shell, upload or download files and capture keystrokes on a compromised machine. They also use a Web-based executable script known as the ‘ChinaChopper’ web shell,  as well as a web application scanning tool known as ‘Hunter’ that can identify vulnerabilities in Tomcat, JBoss and ColdFusion,  as well as identify open ports, collect web banners and download secondary files.
  • Timeline from Initial Compromise to Siphoning Off Data---The Panda attackers were observed moving laterally to other hosts, in as little as two hours, after penetrating the network. Data exfiltration has been observed happening almost four weeks after the initial compromise and continuing on for two weeks.

How to fight Panda

The CTU advises organizations to follow these steps in order to help protect themselves and to identify activity within their network.

  • Mandate the use of two-factor authentication for all remote access solutions
  • Remove Local Administrator rights
  • Audit ISAPI filters on Microsoft Exchange servers
  • Keep third-party software up-to-date

I will never think of a cute and cuddly Panda in the same way again

Subscribe to ITWIRE UPDATE Newsletter here


The much awaited iTWire Shop is now open to our readers.

Visit the iTWire Shop, a leading destination for stylish accessories, gear & gadgets, lifestyle products and everyday portable office essentials, drones, zoom lenses for smartphones, software and online training.

PLUS Big Brands include: Apple, Lenovo, LG, Samsung, Sennheiser and many more.

Products available for any country.

We hope you enjoy and find value in the much anticipated iTWire Shop.



iTWire TV offers a unique value to the Tech Sector by providing a range of video interviews, news, views and reviews, and also provides the opportunity for vendors to promote your company and your marketing messages.

We work with you to develop the message and conduct the interview or product review in a safe and collaborative way. Unlike other Tech YouTube channels, we create a story around your message and post that on the homepage of ITWire, linking to your message.

In addition, your interview post message can be displayed in up to 7 different post displays on our the site to drive traffic and readers to your video content and downloads. This can be a significant Lead Generation opportunity for your business.

We also provide 3 videos in one recording/sitting if you require so that you have a series of videos to promote to your customers. Your sales team can add your emails to sales collateral and to the footer of their sales and marketing emails.

See the latest in Tech News, Views, Interviews, Reviews, Product Promos and Events. Plus funny videos from our readers and customers.


Ray Shaw

joomla stats

Ray Shaw  has a passion for IT ever since building his first computer in 1980. He is a qualified journalist, hosted a consumer IT based radio program on ABC radio for 10 years, has developed world leading software for the events industry and is smart enough to no longer own a retail computer store!

Share News tips for the iTWire Journalists? Your tip will be anonymous




Guest Opinion

Guest Reviews

Guest Research

Guest Research & Case Studies

Channel News