Deep Panda has Changed its Preferred Targets - CrowdStrike
Softpedia.com reported in the first week of July 2014 that security researchers at CrowdStrike have observed a change in the preferred targets of the Deep Panda cyber-espionage group, which the company places among the most advanced state-sponsored intrusion groups.
Experts at CrowdStrike observed that Deep Panda has recently targeted more individuals connected to the Middle East/Iraq, using technology that is available to certain organizations free of charge.
CrowdStrike links the group's usual activity to the government of China; the group has historically focused on individuals and organizations involved in geopolitical matters concerning China and the Asia-Pacific region.
CrowdStrike also confirms that Deep Panda did not just change targets but also started using PowerShell scripts deployed as scheduled tasks on Windows machines to compromise networks.
The scripts were passed to the PowerShell interpreter on the command line, which avoids dropping extra files on the infected machine that could trigger security controls such as antivirus. The scheduled tasks were set to call back to Deep Panda's command-and-control infrastructure every two hours.
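The technique described above leaves a footprint in the scheduled task definition itself: Windows records the task XML in Security event 4698 when a task is created. As an added defensive example (not from the article or from CrowdStrike), the Python below parses constructed task definitions of that shape and flags tasks that launch PowerShell with an inline or encoded script and a short repetition interval; the switch lists, task names and the 4-hour beacon threshold are assumptions.

```python
import re
import xml.etree.ElementTree as ET

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
# Assumed heuristics (not CrowdStrike's): switches that feed a script inline instead of from a .ps1, and evasion switches.
INLINE = re.compile(r"-(?:e|ec|enc|encodedcommand|c|command)\b", re.I)
EVASION = re.compile(r"-(?:w(?:indowstyle)?\s+hidden|nop(?:rofile)?|ex(?:ecutionpolicy)?\s+bypass)", re.I)

# Constructed TaskContent payloads of the kind carried in Security event 4698; the base64 is a placeholder.
SAMPLE_TASKS = {
    "Updater": f"""<Task xmlns="{NS['t']}">
  <Triggers><CalendarTrigger><Repetition><Interval>PT2H</Interval></Repetition></CalendarTrigger></Triggers>
  <Actions><Exec><Command>powershell.exe</Command>
    <Arguments>-NoP -W Hidden -ExecutionPolicy Bypass -EncodedCommand UExBQ0VIT0xERVI=</Arguments>
  </Exec></Actions></Task>""",
    "Backup": f"""<Task xmlns="{NS['t']}">
  <Triggers><CalendarTrigger><StartBoundary>2014-07-01T02:00:00</StartBoundary></CalendarTrigger></Triggers>
  <Actions><Exec><Command>C:\\Tools\\backup.exe</Command><Arguments>/full</Arguments></Exec></Actions></Task>""",
}

def interval_minutes(iso_duration):
    """Convert a Task Scheduler ISO 8601 duration (PT2H, P1DT30M) to minutes; None if malformed."""
    m = re.fullmatch(r"P(?:(\d+)D)?T?(?:(\d+)H)?(?:(\d+)M)?", iso_duration or "")
    if not m:
        return None
    days, hours, mins = (int(x) if x else 0 for x in m.groups())
    return days * 1440 + hours * 60 + mins

def task_findings(task_xml, max_beacon_minutes=240):
    """Return the reasons a task definition looks like a scheduled PowerShell beacon."""
    root = ET.fromstring(task_xml)
    reasons = []
    for ex in root.findall(".//t:Actions/t:Exec", NS):
        cmd = (ex.findtext("t:Command", "", NS) or "").lower()
        args = ex.findtext("t:Arguments", "", NS) or ""
        if "powershell" in cmd or "pwsh" in cmd:
            reasons.append("action launches PowerShell")
            if INLINE.search(args):
                reasons.append("script passed on the command line, nothing to scan on disk")
            if EVASION.search(args):
                reasons.append("hidden window / profile or execution-policy bypass switches")
    for node in root.findall(".//t:Repetition/t:Interval", NS):
        mins = interval_minutes(node.text)
        if mins is not None and mins <= max_beacon_minutes:
            reasons.append(f"repeats every {mins} min (beacon-like)")
    return reasons

def find_suspicious(tasks):
    # Keep tasks that run PowerShell and carry at least one further red flag.
    hits = {name: task_findings(xml) for name, xml in tasks.items()}
    return {n: r for n, r in hits.items() if "action launches PowerShell" in r and len(r) >= 2}
```

In production the same checks apply to the TaskContent field of forwarded 4698 events or to the XML files under the Tasks folder on the host.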
Securityweek.com published a report in the first week of July 2014 quoting Dmitri Alperovitch, co-founder of CrowdStrike, as saying: "When executed, it downloads from memory a .NET executable (normally known as Wafer), which generally downloads and runs one of Deep Panda's favorites, the MadHatter .NET Remote Access Tool (RAT). By running them in memory, it leaves no host-based IOCs or disk artifacts that could be spotted by forensic analysis. Usually, Deep Panda operates very secretly, which leaves the fewest marks on a victim's system, and may not be identified for quite a long time."
Last year, the U.S. Department of Labor's Site Exposure Matrices (SEM) website was targeted in a watering-hole attack attributed to Deep Panda. AlienVault's researchers linked Deep Panda to the command-and-control infrastructure used in that compromise. The DOL compromise redirected victims to a site hosting the Poison Ivy remote access Trojan. The SEM website stores data on toxic substances present at Department of Energy facilities, which suggests that the intended targets were DoE employees.
» SPAMfighter News - 05-08-2014