Samurai Panda
Description
(CrowdStrike) Samurai Panda is interesting in that their target selection tends to focus on Asia Pacific victims in Japan, the Republic of Korea, and other democratic Asian victims. Beginning in 2009, we’ve observed this actor conduct more than 40 unique campaigns that we’ve identified in the malware configurations’ campaign codes. These codes are often leveraged in the malware used by coordinated targeted attackers to differentiate victims that were successfully compromised from different target sets.
The implant delivered by Samurai Panda uses a typical installation process whereby they:
- Leverage a spear-phish with an exploit to get control of the execution flow of the targeted application. This file “drops” an XOR-encoded payload that unpacks itself and a configuration file.
- Next, the implant, which can perform in several different modes, typically will install itself as a service and then begin beaconing out to an adversary-controlled host.
- If that command-and-control host is online, the malicious service will download and instantiate a backdoor that provides remote access to the attacker, who will see the infected host’s identification information as well as the campaign code.
Names
| Name | Name-Giver |
|---|---|
| Samurai Panda | CrowdStrike |
Country
Sponsor
State-sponsored, PLA Navy
Motivation
- Information theft and espionage
First Seen
2009
Observed Sectors
Observed Countries
Tools
Information
Other Information
Uuid
32e28369-30a3-4675-8e0a-04c91c1def98
Last Card Change
2020-04-14