APTs Tracked in October: Wicked Panda

January 9, 2020 | 1 min read

BlueVoyant

“Life in the SOC” is a blog series that shares the experiences of the BlueVoyant SOC in defending against the current and prevalent attacks encountered by our clients. The posts discuss successful detection, response and mitigation actions that can improve your defensive capabilities.

Wicked Panda (also known as Winnti Group, Axiom, BARIUM, and ShadowPad) was extremely active in the month of October, with two new pieces of malware making their debuts: PortReuse and skip-2.0. It is uncommon to see two new pieces of malware debut in the same month from the same threat actor. However, Wicked Panda is only one part of a much larger umbrella organization. CrowdStrike noted in a July 26th blog post that "WICKED PANDA refers to the targeted intrusion operations of the actor publicly known as “Winnti,” whereas WICKED SPIDER represents this group’s financially-motivated criminal activity. The flexibility of the cryptonym system used by CrowdStrike to track adversaries is highlighted by the case of WICKED PANDA/SPIDER. In this instance, one set of activities associated with criminal motivations can be easily separated from a second set of behaviors by the same actor when operating in the interest of a nation-state."

As for the new tools, PortReuse is a backdoor that is injected into a running process so that it can reuse a port that process already has open and wait there for commands from its C2 server. This is also known as a passive network implant, and early indications are that the group is using it against mobile hardware and software manufacturers. skip-2.0 is also a backdoor. It targets Microsoft SQL Server (MSSQL) through the use of a "magic password" that allows the threat actors to connect to any account on the server and hide their activity.
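One defensive check that follows from the skip-2.0 description above: a backdoor that authenticates with a magic password and then hides its logins leaves a gap between the sessions the server is actually serving and the logins the server audited. The script below is an added example, not code from the BlueVoyant post; it correlates constructed sample session rows (the shape of `sys.dm_exec_sessions`) with constructed login-audit records and flags sessions that have no audit entry, assuming the audit normally records every successful login.

```python
"""Flag MSSQL sessions that have no matching login-audit record.

Added defensive example (not from the original post). Inputs here are
constructed sample data; in production they would come from
sys.dm_exec_sessions and the server's login audit or security log.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Session:
    session_id: int
    login_name: str
    host_name: str
    login_time: datetime


@dataclass(frozen=True)
class LoginAudit:
    login_name: str
    host_name: str
    event_time: datetime


# Constructed sample: three live sessions, but only two produced an audit
# record. Session 53 is the kind of gap a hidden backdoor login would leave.
SESSIONS = [
    Session(51, "sa", "APP01", datetime(2019, 10, 14, 9, 0, 3)),
    Session(52, "reporting", "BI02", datetime(2019, 10, 14, 9, 5, 20)),
    Session(53, "sa", "UNKNOWN-HOST", datetime(2019, 10, 14, 9, 7, 41)),
]
AUDIT = [
    LoginAudit("sa", "APP01", datetime(2019, 10, 14, 9, 0, 3)),
    LoginAudit("reporting", "BI02", datetime(2019, 10, 14, 9, 5, 19)),
]


def unaudited_sessions(sessions, audit, tolerance=timedelta(seconds=5)):
    """Return sessions with no audit record for the same account and host
    within `tolerance` of the session's login time (clock skew allowance)."""
    flagged = []
    for s in sessions:
        matched = any(
            a.login_name == s.login_name
            and a.host_name == s.host_name
            and abs(a.event_time - s.login_time) <= tolerance
            for a in audit
        )
        if not matched:
            flagged.append(s)
    return flagged


if __name__ == "__main__":
    for s in unaudited_sessions(SESSIONS, AUDIT):
        print(f"session {s.session_id}: {s.login_name}@{s.host_name} has no audit record")
```

A hit is a lead, not proof: audit gaps also come from audit misconfiguration or log loss, so confirm against the host's network connections before escalating.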