# 20150814-256-CSIR-15005 Stalker Panda **For** ## SIRIUS Task Order PIQUE **Submitted to:** **U.S. Government** **Submitted by:** **Raytheon Blackbird Technologies, Inc.** 13900 Lincoln Park Drive Suite 400 Herndon, VA 20171 **14 August 2015** _This document includes data that shall not be disclosed outside the Government and shall not be duplicated, used,_ _or disclosed—in whole or in part—for any purpose other than to evaluate this concept. If, however, a contract is_ _awarded to Blackbird as a result of—or in connection with—the submission of these data, the Government shall_ _have the right to duplicate, use, or disclose the data to the extent provided in the resulting contract. This_ _restriction does not limit the Government’s right to use information contained in these data if they are obtained_ _from another source without restriction._ _This document contains commercial or financial information, or trade secrets, of Raytheon Blackbird Technologies,_ _Inc. that are confidential and exempt from disclosure to the public under the Freedom of Information Act, 5 U.S.C._ _552(b)(4), and unlawful disclosure thereof is a violation of the Trade Secrets Act, 18 U.S.C. 1905. Public disclosure_ _of any such information or trade secrets shall not be made without the prior written permission of Raytheon_ _Blackbird Technologies, Inc._ ----- **20150814-256-CSIR-15005-Stalker Panda** ## (U) Table of Contents **1.0** **(U) Analysis Summary ...................................................................................... 1** **2.0** **(U) Description of the Technique ...................................................................... 2** **3.0** **(U) Identification of Affected Applications ........................................................ 2** **4.0** **(U) Related Techniques ..................................................................................... 2** **5.0** **(U) Configurable Parameters ............................................................................ 2** **6.0** **(U) Exploitation Method and Vectors ................................................................. 2** **7.0** **(U) Caveats ....................................................................................................... 2** **8.0** **(U) Risks ........................................................................................................... 2** **9.0** **(U) Recommendations ...................................................................................... 2** Raytheon Blackbird Technologies, Inc. ii 14 August 2015 ----- **20150814-256-CSIR-15005-Stalker Panda** ## 1.0 (U) Analysis Summary (S//NF) This report outlines the series of attacks and tools attributed to a suspected Chinese affiliated group known as “Stalker Panda.” The group appears to have close ties to the Chinese National University of Defense and Technology, which is possibly linked to the PLA. Stalker Panda has been observed conducting targeted attacks against Japan, Taiwan, Hong Kong, and the United States. The attacks appear to be centered on political, media, and engineering sectors. The group appears to have been active since around 2010 and they maintain and upgrade their tools regularly. (S//NF) Stalker Panda has been observed using several different RATs that seem to be exclusive to the group. The RATs the group uses are Elirks, SharpServer, Blogspot, and the XUni platform. Elirks is the subject of Pique report 20150814-257-CSIT-15016-Elirks. SharpServer was developed for .Net. (S//NF) A fairly unique aspect of the observed Stalker Panda attacks is their use of social media and blog sites as first stage (cutout) command and control (C2) infrastructure. This 2-stage C2 infrastructure provides some obfuscation of the main C2 servers and provides some flexibility in communications because the first stage social media/blog site nodes can be reconfigured at will. (S//NF) Stalker Panda seems to favor spear phishing email campaigns as their attack vector. A cases, the victims were social engineered into browsing to a compromised website that leveraged CVE-2014-6332 (Windows OLE vulnerability). Once the vulnerability is triggered, malicious content is downloaded to the victim’s machine using a PowerShell script. In other instances, Stalker Panda has been observed attaching malicious documents (.PDF) to their email spears leveraging CVE-2011-0611 (Adobe Flash, Reader, and Acrobat vulnerability). (S//NF) Stalker Panda’s current ‘go to’ implant appears to be Elirks, which is detailed in another report, however we’ll provide a brief overview here. Elirks uses a standard persistence technique whereby they create a shortcut in the victim’s startup folder. Elirks uses an interesting custom cryptographic routing to provide obfuscation. The configuration file is stored in the binary encrypted, and the decryption key itself is also encrypted. The algorithm combines 8 DWORDs with Boolean operations (right-shift 25 bits and left-shift 7 bits) to derive a 16-bit key. The resulting key is used with a modified AES-128 algorithm where the key expansion function uses a bit-rotation of 8 bits to the right (ROR-8) instead of left as specified in the AES standard. The capabilities once on platform. Elirks uses the multi-stage C2 communications pattern with social media or blog sites as the first node. (S//NF) SharpServer is a .Net-based RAT with similar capabilities as Elirks, but without a persistence mechanism. The code is obfuscated with .Net’s dotfuscator (which is fairly easy to reverse). The report mentions that SharpServer exhibits a “low level of sophistication.” (S//NF) Blogspot is a RAT that also uses the multi-stage C2 infrastructure as does Elirks and SharpServer. Blogspot differs from Elirks and SharpServer in one respect, Elirks and SharpServer have the next-stage C2 information stored in the form visible to arbitrary website visitors, Blogspot’s tokens do not render and are not visible to other visitors. There is nothing interesting, unique, or sophisticated about the Blogspot RAT. Raytheon Blackbird Technologies, Inc. 1 14 August 2015 ----- **20150814-256-CSIR-15005-Stalker Panda** (S//NF) The XUni RAT is closely related to Blogspot. Earlier versions of XUni have been seen since around 2010, but an updated version has been observed in operation in early 2014. The report authors speculate that the 2014 version of XUni is meant to replace Blogspot. XUni uses the same C2 protocol as the other RATS used by Stalker Panda (multi-stage C2 architecture). One interesting aspect of Xuni’s first-stage social media site interaction is it automatically leaves comments on the site to mimic benign user activity. Like the other RATs, XUni is a simplistic RAT in terms of functionality and is used primarily to download additional capabilities once on target. XUni achieves persistence by placing a shortcut in the victim’s startup folder. (S//NF) While an interesting report on Stalker Panda’s activities, there is nothing unique or interesting in how it implements its functionality. Their RAT multi-stage C2 infrastructure is interesting but more a notable overall architectural item but not something we can make a PoC recommendation on. There are no PoC recommendation from this report. ## 2.0 (U) Description of the Technique (S//NF) Not applicable since there are no PoC recommendations from this report. ## 3.0 (U) Identification of Affected Applications (U) Windows. ## 4.0 (U) Related Techniques (S//NF) Generic RATs and distributed C2 communications. ## 5.0 (U) Configurable Parameters (S//NF) Varied depending on the multi-stage C2 configuration. ## 6.0 (U) Exploitation Method and Vectors (S//NF) The exploitation methods discussed in this report are CVE-2011-0611 (Adobe Flash, Reader, and Acrobat vulnerability) and CVE-2014-6332 (Windows OLE vulnerability). The attack vector discussed is spear phishing email campaigns and social engineering. ## 7.0 (U) Caveats (U) None. ## 8.0 (U) Risks (S//NF) Not applicable as no PoCs are recommended. ## 9.0 (U) Recommendations (S//NF) No PoCs are recommended. Raytheon Blackbird Technologies, Inc. 2 14 August 2015 -----