In our previous blog we talked about a chinese threat actor named Deep Panda who used a well known malware family Sakula to infiltrate Anthem’s network.
We at SlashNext Labs, track these type of threat actors and tools they use as part of daily routine. We have a comprehensive association database namedxIntel, using which we are often able to quickly:
- Identify a threat group based on existing associations.
- Draw a trend of the evolution of the tools used by a threat group.
- Map the CnC infrastructure used by a threat group.
After thoroughly analyzing the Anthem breach and the involved Sakula variant, we wanted to find more about Deep Panda. Who is their next target?
Upon searching Gnosis powered by our SlashNext Active Cyber Defense System, we found many Sakula variants largely bypassing existing security solutions. While mining Gnosis, for new Sakula variants we stumbled upon a very interesting sample. This Sakula variant had zero detections on the popular VirusTotal service at the time we detected it. This provides some clues as to why the Sakula malware involved in Anthem breach went undetected for such a long time. Deep Panda is good at encrypting malware binaries and using complex root-kits.
Sakula variant undetectable by all 56 security vendors listed on VirusTotal.
After carefully analyzing the payload of this malware we found that its new victim was Mongolian Govt. Due to increasing foreign relationships between USA and Mongolia , they have been often target of the chinese nation state threat actors especially Deep Panda.
The diagram below provides a graphical view of the relationship between the undetected sample and other Derusbi/Sakula variants including the one used in Anthem breach.
CnC communication of the new Sakula.D looks like this:
Both Anthem and this new variant were detected by SlashNext Active Cyber Defense System without any prior knowledge or use of a signature.