# Whois Numbered Panda

Last week's Intelligence blog post featured Anchor Panda, one of the many adversary groups that CrowdStrike tracks. The adversary is the human component of an attack, and it is the component one should focus on. It is not sufficient to simply identify "Chinese-based hackers"; it is important to understand which adversary group has targeted your enterprise and what intelligence they are there to collect. By understanding that there are multiple groups and that they all have different tactics, techniques, and procedures (TTPs), you can begin to understand the nature of the threat and what they are looking to collect, and raise their operational cost so that targeting your enterprise becomes a costly and difficult endeavor.

Numbered Panda has a long list of high-profile victims and is known by a number of names, including DYNCALC, IXESHE, JOY RAT, and APT-12. Numbered Panda has targeted a variety of victims including, but not limited to, media outlets, high-tech companies, and multiple governments. Numbered Panda has also targeted organizations during time-sensitive operations such as the Fukushima Reactor Incident of 2011, likely to fill intelligence gaps about the ground cleanup and mitigation operations. Screen saver files, which are binary executables, and PDF documents are common Numbered Panda weaponization tactics.

One of the most interesting techniques Numbered Panda likes to use is to dynamically calculate the Command and Control (C2) port by resolving a DNS name. This helps Numbered Panda bypass the egress filtering some enterprises implement to prevent unauthorized outbound communications. The malware will typically use two DNS names: one resolves to the C2 host, the other resolves to an IP address that is fed into an algorithm to calculate the port to communicate on. There are several variations of the port-calculation algorithm, but one of the most common is to multiply the first two octets of the resolved IP address and add the third octet to that value. This is typically represented as (A * B) + C; for example, a resolved address of 200.2.43.X would result in communication on port 443. Numbered Panda will frequently use blogs or WordPress in its C2 infrastructure, which helps make the network traffic look more legitimate. CrowdStrike has observed Numbered Panda targeting high-tech companies, defense contractors, media organizations, and western governments.

The following intrusion detection rules were written and tested by the CrowdStrike Global Threat Analysis Cell (GTAC) with performance and low false positives in mind; just remember to change the Signature ID (SID) in the IDS rules. Disclosure of this information went through the same IGL process as discussed in the Whois Anchor Panda blog post.
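The port-derivation scheme described above, as an added example that is not part of the original post: a defender who knows the two DNS names an implant uses can compute the port the malware will derive from the "port lookup" resolution and then flag connections to the C2 host on exactly that port. The resolved addresses, host names, and connection log lines below are constructed for illustration; only the (A * B) + C variant from the post is implemented.

```python
import ipaddress
import re

def numbered_panda_port(resolved_ip: str) -> int:
    """Most common variant from the post: (A * B) + C over the first three
    octets of the IP address returned by the 'port lookup' DNS name.
    The maximum is 255 * 255 + 255 = 65280, so the result is always a
    valid TCP port; no modulo is applied."""
    a, b, c, _d = ipaddress.IPv4Address(resolved_ip).packed
    return a * b + c

# Constructed resolutions a resolver log might show for the two names
# (hypothetical names and RFC 5737 documentation addresses).
C2_HOST_IPS = {"203.0.113.10"}     # what the C2 name resolved to
PORT_LOOKUP_IP = "200.2.43.7"      # what the port-calculation name resolved to

# Constructed connection log lines in a simple key=value format.
FLOW_LOG = """\
ts=1 src=10.0.0.5 dst=203.0.113.10 dport=80
ts=2 src=10.0.0.5 dst=203.0.113.10 dport=443
ts=3 src=10.0.0.9 dst=198.51.100.4 dport=443
ts=4 src=10.0.0.7 dst=203.0.113.10 dport=8080
"""

_FLOW_RE = re.compile(r"ts=(\d+) src=(\S+) dst=(\S+) dport=(\d+)")

def flag_c2_flows(flow_log: str, c2_host_ips: set, port_lookup_ip: str) -> list:
    """Return (ts, src) pairs for connections that go to a known C2 host on
    the port the implant would have derived from the lookup address."""
    expected_port = numbered_panda_port(port_lookup_ip)
    hits = []
    for line in flow_log.splitlines():
        m = _FLOW_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than crash the scan
        ts, src, dst, dport = m.groups()
        if dst in c2_host_ips and int(dport) == expected_port:
            hits.append((int(ts), src))
    return hits

if __name__ == "__main__":
    print("derived port:", numbered_panda_port(PORT_LOOKUP_IP))   # 443
    print("flagged:", flag_c2_flows(FLOW_LOG, C2_HOST_IPS, PORT_LOOKUP_IP))
```

Because the derived port depends on whatever address the adversary puts behind the lookup name, the check must be re-run whenever that resolution changes; a static firewall rule on port 443 alone would miss the next rotation.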

```
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg: "[CrowdStrike] NUMBERED PANDA - Joy RAT Variant 1"; flow: from_client,established; content: "6YmV|7c 22|"; depth: 6; sid: xxx; rev: 2;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg: "[CrowdStrike] NUMBERED PANDA - Joy RAT Variant 2"; flow: from_client,established; content: "FyojU"; depth: 6; sid: xxx; rev: 2;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg: "[CrowdStrike] NUMBERED PANDA - Joy RAT Variant 3"; flow: from_client,established; content: "yb|13|j["; depth: 5; sid: xxx; rev: 2;)
```