The group targets victims based on previous research
CrowdStrike security researchers have noticed a shift in the preferred targets of the Deep Panda cyber-espionage group, that the company places among the most advanced state-sponsored intrusion groups.Through technology that is made available to certain organizations at no cost, CrowdStrike experts observed that Deep Panda’s recent efforts were directed more and more towards individuals with a tie to Iraq/Middle East matters.
The general activity of the group, which CrowdStrike connects to the government of China, has usually been focused on organizations and individuals that were involved in geo-political policy issues in the China/Asia Pacific area.
However, the latest information from Falcon Host, the technology that helps detect threats in these organizations, highlights the new interest of the cyber-espionage group.
Falcon Host is a small kernel sensor that sits “on Windows and Mac servers, desktops, and laptops and is able to do real-time detection and recording of all adversary activities taking place on the system.”
Its capabilities extend beyond this, as it can also attribute the intrusion to a specific group by matching the nefarious activities with the details collected over the years by CrowdStrike for each threat actor.
The company says that the latest breaches occurred through the use of powershell scripts that were executed on Windows as scheduled tasks.
To avoid detection, the scripts reach the interpreter via command-line. This way, no suspicious files are stored on the victim’s computer, thus reducing the chance of the attack being discovered by an antivirus solution or through an indicator of compromise (IOC).
According to CrowdStrike Co-Founder and CTO, Dmitri Alperovitch, the scripts would contact the command and control infrastructure of the Deep Panda group every two hours.
The stealthy tactics of the group are well known, and they’ve been employed for this operation, too. The script downloads and deploys from memory a .NET executable that retrieves and runs the MadHatter .NET Remote Access Tool (RAT), also known to be used by Deep Panda.
Since everything is carried out from memory, the local storage records no trace of the malicious files, should a forensics analysis be performed. This also contributes to the persistence of the malware on the targeted machine.
CrowdStrike says that the threat actor knows exactly which victims they want to target, as they act based on previous researches, which allowed the move from the China/Asia Pacific policy experts to the Iraq/Middle East policy experts.
Furthermore, Alperovitch speculates that despite the similar tools, tactics and procedures (TTPs), the operations against the targets had different operators at the keyboard, based “on the intricacies of how certain powershell command lines had been used in each case.”