Goblin Panda, Cycldek, Conimes

Description

(CrowdStrike) CrowdStrike first observed Goblin Panda activity in September 2013 when indicators of its activity were discovered on the network of a technology company operating in multiple sectors.

Malware variants primarily used by this actor include PlugX and HttpTunnel. This actor focuses a significant amount of its targeting activity on entities in Southeast Asia, particularly Vietnam. Heavy activity was observed in the late spring and early summer of 2014 when tensions between China and other Southeast Asian nations were high, due to conflict over territory in the South China Sea. Goblin Panda targets have been primarily observed in the defense, energy, and government sectors.

Names

Name	Name-Giver
Goblin Panda	CrowdStrike
Cycldek	Kaspersky
Conimes	Anomali
1937CN	?

Country

• China

Motivation

• Information theft and espionage

First Seen

2013

Observed Sectors

• Defense
• Energy
• Government

Observed Countries

• Cambodia
• India
• Indonesia
• Laos
• Malaysia
• Myanmar
• Philippines
• Thailand
• USA
• Vietnam

Tools

• 8.t Dropper
• BlueCore
• BrowsingHistoryView
• ChromePass
• CoreLoader
• DropPhone
• FoundCore
• HDoor
• HTTPTunnel
• JsonCookies
• nbtscan
• NewCore RAT
• PlugX
• ProcDump
• PsExec
• QCRat
• RedCore
• Sisfader
• USBCulprit
• ZeGhost
• Living off the Land

Operations

• 2016-07: A group identifying as Chinese hackers has attacked digital signage screens, overhead announcement systems and airline systems at airports across Vietnam. https://www.infosecurity-magazine.com/news/chinese-hackers-attack-airports/
• 2017-09: Recently, FortiGuard Labs came across several malicious documents that exploit the vulnerability CVE-2012-0158. https://www.fortinet.com/blog/threat-research/rehashed-rat-used-in-apt-campaign-against-vietnamese-organizations
• 2018: Attacks have been witnessed in government organizations across several Southeast Asian countries, namely Vietnam, Thailand and Laos, using a variety of tools and new TTPs. https://securelist.com/cycldek-bridging-the-air-gap/97157/
• 2020-06: The leap of a Cycldek-related threat actor https://securelist.com/the-leap-of-a-cycldek-related-threat-actor/101243/

Information

• https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-august-goblin-panda/

Playbook

• https://www.fortinet.com/blog/threat-research/cta-security-playbook—goblin-panda.html

Other Information

Uuid

54b1fa22-3aa4-4cdd-9c24-e6f1ce0e907d

Last Card Change

2021-05-15