Threat Intelligence, Incident Response, Malware, TDR

Advanced attack group Deep Panda uses PowerShell to breach think tanks

An advanced nation-state attack group in China is spying on new victims, and making use of Windows PowerShell to infiltrate think tanks and leave little evidence of their exploits.

On Tuesday, advanced threat detection firm CrowdStrike revealed new details on “Deep Panda,” a group that has quickly switched from collecting policy information about Southeast Asia to gathering data regarding political affairs in Iraq.

In a blog post, Dmitri Alperovitch, co-founder and CTO of CrowdStrike, wrote that Deep Panda's attacks on nonprofits coincided with the “potential disruption of major Chinese oil interests in [Iraq]," brought on by the recent takeover of Iraqi cities by the Islamic State of Iraq and the Levant (ISIS).

“Iraq happens to be the fifth-largest source of crude oil imports for China and the country is the largest foreign investor in Iraq's oil sector,” Alperovitch wrote. “Thus, it wouldn't be surprising if the Chinese government is highly interested in getting a better sense of the possibility of deeper U.S. military involvement that could help protect the Chinese oil infrastructure in Iraq.”

Of note, CrowdStrike detected cyber attacks against national security think tanks starting on June 18, the same day Iraq's largest oil refinery in Baiji was taken over by ISIS, Alperovitch said.

For nearly three years, CrowdStrike has continued to monitor the group, but in recent attacks Deep Panda adversaries used Windows PowerShell scripts to remain under the radar while compromising think tanks. The scripts were deployed to appear as scheduled tasks on end-users Windows machines, but once executed, downloaded from memory a remote access trojan (RAT) called “MadHatter,” CrowdStrike revealed.

“By running them from memory, it leaves no disk artifacts [to trigger AV] or host-based IOCs [indicators of compromise] that can be identified in forensic analysis,” Alperovitch wrote.

In a Tuesday follow up interview with, Alperovitch added that attackers cleverly targeted those using PowerShell, “a small script that gives [attackers] an incredible level of power on a system.”

“Unless you were monitoring every scheduled task, you would not notice this activity,” he said. “This attack group is really good at blending in and using existing tools, like Windows PowerShell, that would not be noticed by administrators. Only once you start pulling together the chain of events of what they are doing, and all the commands that are being launched, does the full spectrum of what the attacker is trying to achieve [emerge].”

Less skilled or funded attackers have made use of PowerShell to spread malware to unsuspecting victims. Last month, a new variant of ransomware called “Poshcoder,” was delivered using the Microsoft task automation and configuration management framework.

Miscreants used PowerShell to encrypt U.S. users' files, so that scammers could later demand Bitcoin payment to decrypt the data.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.