APT27 - Emissary Panda Activity

 1title: APT27 - Emissary Panda Activity
 2id: 9aa01d62-7667-4d3b-acb8-8cb5103e2014
 3status: test
 4description: Detects the execution of DLL side-loading malware used by threat group Emissary Panda aka APT27
 5references:
 6    - https://app.any.run/tasks/579e7587-f09d-4aae-8b07-472833262965
 7    - https://twitter.com/cyb3rops/status/1168863899531132929
 8    - https://research.nccgroup.com/2018/05/18/emissary-panda-a-potential-new-malicious-tool/
 9author: Florian Roth (Nextron Systems)
10date: 2018/09/03
11modified: 2023/03/09
12tags:
13    - attack.defense_evasion
14    - attack.t1574.002
15    - attack.g0027
16    - detection.emerging_threats
17logsource:
18    category: process_creation
19    product: windows
20detection:
21    selection_sllauncher:
22        ParentImage|endswith: '\sllauncher.exe'
23        Image|endswith: '\svchost.exe'
24    selection_svchost:
25        ParentImage|contains: '\AppData\Roaming\'
26        Image|endswith: '\svchost.exe'
27        CommandLine|contains: '-k'
28    condition: 1 of selection_*
29falsepositives:
30    - Unlikely
31level: critical

References

• Analysis 7z.exe (MD5: A5862F5701542A36354DBF17D52F1E4A) Malicious activity - Interactive analysis ANY.RUN

  

  Interactive malware hunting service. Live testing of most type of threats in any environments. No installation and no waiting necessary.

  
  Read More

• Something went wrong, but don’t fret — let’s give it another shot.

  
  Read More

• Emissary Panda – A potential new malicious tool

  

  Introduction Hacking groups linked to the Chinese state are not a new threat. In fact, for the last couple years they have tended to be the most active along with Russian state affiliated hacking g…

  
  Read More

Related rules

• Potential PlugX Activity
• Winnti Malware HK University Campaign
• Winnti Pipemon Characteristics
• APT PRIVATELOG Image Load Pattern
• COLDSTEEL Persistence Service Creation