Aquatic Panda (Earth Lusca): Campaigns, Malware, and TTPs
Detection stack
- AIDR
- Alert
- ETL
- Query
Summary
Aquatic Panda is a China-aligned APT group focused on intelligence gathering and industrial espionage. The group uses a diverse malware arsenal, including SprySOCKS, ShadowPad, and BIOPASS RAT, to target critical industries. Its operations also involve exploitation of vulnerabilities such as Log4Shell and the use of advanced rootkits to maintain stealth.
Investigation
The report outlines multiple campaigns, including Operation FishMedley and attacks on VMware Horizon servers. It examines the technical design of the SprySOCKS backdoor, together with the kernel-mode rootkit and persistence mechanisms the group deploys alongside it. The analysis also breaks down the group's specific TTPs for initial access, execution, and defense evasion.
Mitigation
Organizations should validate their defenses against known Aquatic Panda tradecraft using simulation and testing platforms. Key mitigations include patching Log4j (CVE-2021-44228), including in products that embed it such as VMware Horizon, and monitoring for unauthorized scheduled tasks or suspicious Windows service changes. Strong endpoint detection is also essential for identifying DLL side-loading and process injection activity.
Response
If Aquatic Panda activity is detected, responders should isolate affected systems immediately to stop lateral movement. Investigations should focus on unauthorized registry changes, especially under the Print Processors key (HKLM\SYSTEM\CurrentControlSet\Control\Print\Environments\<environment>\Print Processors\<name>\Driver) and Image File Execution Options (HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\<exe>\Debugger). Forensic analysis should prioritize memory collection from suspicious processes, together with an audit of scheduled tasks and Windows services.
Attack Flow
```mermaid
flowchart TD
    step_resource_development["Resource Development: Registering homoglyph domains and staging JNDI/Log4Shell tools"]
    step_initial_access["Initial Access: Exploiting Log4j (CVE-2021-44228) in VMware Horizon"]
    step_execution["Execution: PowerShell download cradles, cmd /C with curl/wget, Scheduled Tasks, and Windows Services"]
    step_persistence["Persistence: Creating Windows Services, Scheduled Tasks, and Print Processor DLL registration"]
    step_privilege_escalation["Privilege Escalation: IFEO injection and Access Token Manipulation via CreateProcessAsUserW"]
    step_defense_impairment["Defense Impairment: Modifying Windows Host Firewall with ICMPv6 impersonation"]
    step_credential_access["Credential Access: LSASS memory dumping, SAM/SYSTEM hive theft, browser credential theft, and Password Filter DLL"]
    step_discovery["Discovery: Enumerating services, processes, system info, and software security products"]
    step_collection["Collection: Keylogging and data archiving with WinRAR"]
    step_command_and_control["Command and Control: TCP/UDP/WebSockets with AES-128 and WFP-based Traffic Signaling"]
    step_stealth["Stealth: Kernel-mode rootkit (RawWNPF), Process Injection, DLL Side-Loading, and Sandbox Evasion"]
    rules_for_step_stealth("<b>Rule Name</b>: Suspicious Process Path (via cmdline)<br/><b>Rule ID</b>: f28587e8-2aa1-4e6b-bdd1-ad0ce520346a")
    step_exfiltration["Exfiltration: Data transfer via C2 or Dropbox (dbxcli)"]
    step_resource_development -->|leads_to| step_initial_access
    step_initial_access -->|leads_to| step_execution
    step_execution -->|leads_to| step_persistence
    step_persistence -->|leads_to| step_privilege_escalation
    step_privilege_escalation -->|leads_to| step_defense_impairment
    step_defense_impairment -->|leads_to| step_credential_access
    step_credential_access -->|leads_to| step_discovery
    step_discovery -->|leads_to| step_collection
    step_collection -->|leads_to| step_command_and_control
    step_command_and_control -->|leads_to| step_stealth
    step_stealth -->|leads_to| step_exfiltration
    step_stealth -.->|detected_by| rules_for_step_stealth
```
Detections
- Possible Data Compression for Infiltration or Exfiltration (via cmdline)
- Possible Services Enumeration (via cmdline)
- Possible SAM/SYSTEM/SECURITY Dumping (via cmdline)
- Possible Credential Dumping Using Comsvcs.dll (via cmdline)
- Possible credential dumping using comsvcs.dll (via powershell)
- Suspicious Firewall Modifications via CLI (via cmdline)
- Abnormal System Process Chain (via process_creation)
- Possible Accessibility Features via Registry Abuse (via cmdline)
- Possible Persistence Points [ASEPs – Software/NTUSER Hive] (via registry_event)
- Suspicious Service Creation for Persistence (via system)
- Service Image Operations by Rare Process (via registry_event)
- Suspicious Executable/Script Execution Location via [cmd.exe /C] (via cmdline)
- Call Suspicious .NET Classes/Methods from Powershell CommandLine (via process_creation)
- Schtasks Points to Suspicious Directory / Binary / Script (via cmdline)
- Suspicious Process Path (via cmdline)
- Process Hollowing Memory Allocation [Windows Sysmon]
- Registry Modifications for Debugger Hijacking and Print Processor Persistence [Windows Registry Event]
- Scheduled Task Creation and PowerShell Malicious Download [Windows Process Creation]
## Simulation Execution
Prerequisite: The Telemetry & Baseline Pre-flight Check must have passed.
Rationale: This section details the precise execution of the adversary technique (TTP) designed to trigger the detection rule. The commands and narrative MUST directly reflect the TTPs identified and aim to generate the exact telemetry expected by the detection logic. Abstract or unrelated examples will lead to misdiagnosis.
- Attack Narrative & Commands: An adversary intends to perform process hollowing to hide malicious code within a legitimate process container. To test whether the current (albeit flawed) detection triggers, the adversary launches powershell.exe from a specific directory. This simulates the initial stage of a Living-off-the-Land (LotL) attack, where the adversary uses a standard system tool to begin malicious activity such as memory injection or credential harvesting. The goal is to generate a Process Creation event whose Image field contains a backslash, as defined in the detection logic. Every native Windows image path satisfies that condition, which is why the rule is described as weak: this test confirms that the telemetry reaches the rule and the rule fires, not that the rule distinguishes hollowing from benign process launches.
- Regression Test Script:
```powershell
# Simulating a process launch that satisfies the (weak) detection logic.
# This mimics the start of an adversary session using a standard tool.
$targetProcess = "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
Write-Host "Executing: $targetProcess"
Start-Process -FilePath $targetProcess -ArgumentList "-NoProfile -ExecutionPolicy Bypass -Command Write-Host 'Simulation Active'"
```
- Cleanup Commands:
```powershell
# No persistent changes made; no cleanup required for this simulation.
Write-Host "Simulation cleanup complete."
```
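The following Python sketch is an added illustration, not the vendor's rule content and not code from the original page. It applies simplified approximations of several detections listed under Detections, plus the Print Processor and IFEO registry checks the Response section calls for and the weak backslash rule exercised in Simulation Execution, to constructed Sysmon-style events. The field names (EventType, Image, CommandLine, TargetObject), the regular expressions and the sample records are my assumptions; they mirror the rule names only, not the actual rule logic behind them.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Added example, not the page's own rules: field names follow Sysmon
# conventions and each regex is my own simplification of a listed rule name.


@dataclass(frozen=True)
class Rule:
    name: str
    event_type: str    # "process_creation" or "registry_event"
    field_name: str    # event field the pattern is tested against
    pattern: re.Pattern


WEAK_RULE = "Suspicious Process Path (via cmdline) [weak]"

RULES: List[Rule] = [
    Rule("Possible SAM/SYSTEM/SECURITY Dumping (via cmdline)", "process_creation", "CommandLine",
         re.compile(r"\breg(?:\.exe)?\s+save\s+hklm\\(?:sam|system|security)\b", re.I)),
    Rule("Possible Credential Dumping Using Comsvcs.dll (via cmdline)", "process_creation", "CommandLine",
         re.compile(r"comsvcs(?:\.dll)?.*minidump", re.I)),
    Rule("Suspicious Firewall Modifications via CLI (via cmdline)", "process_creation", "CommandLine",
         re.compile(r"\bnetsh\b.*\badvfirewall\b.*\b(?:add|set)\b", re.I)),
    Rule("Schtasks Points to Suspicious Directory / Binary / Script (via cmdline)", "process_creation", "CommandLine",
         re.compile(r"\bschtasks(?:\.exe)?\b.*/create\b.*(?:\\temp\\|\\public\\|\\appdata\\)", re.I)),
    # IFEO Debugger values and Print Processor registrations (Response section).
    Rule("Registry Modifications for Debugger Hijacking and Print Processor Persistence", "registry_event", "TargetObject",
         re.compile(r"\\Image File Execution Options\\[^\\]+\\Debugger$|\\Print\\Environments\\[^\\]+\\Print Processors\\", re.I)),
    # The weak rule from the Simulation Execution section: any Image containing a backslash.
    Rule(WEAK_RULE, "process_creation", "Image", re.compile(r"\\")),
]


def evaluate(event: Dict[str, str]) -> List[str]:
    """Return the names of every rule whose event type and pattern match the event."""
    hits = []
    for rule in RULES:
        if rule.event_type != event.get("EventType"):
            continue
        if rule.pattern.search(event.get(rule.field_name, "")):
            hits.append(rule.name)
    return hits


# Constructed sample telemetry (not real logs); paths and PIDs are made up.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"EventType": "process_creation", "Image": r"C:\Windows\System32\reg.exe",
     "CommandLine": r"reg save HKLM\SAM C:\Users\Public\sam.hiv"},
    {"EventType": "process_creation", "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump 652 C:\Users\Public\l.dmp full"},
    {"EventType": "process_creation", "Image": r"C:\Windows\System32\netsh.exe",
     "CommandLine": r'netsh advfirewall firewall add rule name="upd" dir=in action=allow protocol=icmpv6'},
    {"EventType": "process_creation", "Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r'schtasks /create /tn "Updater" /tr "C:\Users\Public\update.exe" /sc minute /mo 5'},
    {"EventType": "registry_event", "Image": r"C:\Windows\regedit.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe\Debugger"},
    {"EventType": "registry_event", "Image": r"C:\Windows\System32\spoolsv.exe",
     "TargetObject": r"HKLM\SYSTEM\CurrentControlSet\Control\Print\Environments\Windows x64\Print Processors\evil\Driver"},
    # Benign launch mirroring the regression test script above.
    {"EventType": "process_creation", "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -NoProfile -Command Write-Host 'Simulation Active'"},
]


def run_samples() -> Dict[int, List[str]]:
    """Evaluate every constructed event and map its index to the rule names that fired."""
    return {i: evaluate(e) for i, e in enumerate(SAMPLE_EVENTS)}


if __name__ == "__main__":
    for index, hits in run_samples().items():
        print(index, SAMPLE_EVENTS[index]["Image"], hits)
```

The last record, the benign PowerShell launch from the regression test script, matches only the weak backslash rule, while every other process_creation record matches it too. That is the behaviour the simulation section refers to: the rule proves the telemetry path works but contributes no discrimination on its own, so it should be paired with the more specific command-line and registry rules rather than used alone.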