Putter Panda

Putter Panda is a Chinese threat group that has been attributed to Unit 61486 of the 12th Bureau of the PLA’s 3rd General Staff Department (GSD). [1]

ID: G0024
Associated Groups: APT2, MSUpdater
Version: 1.0
Created: 31 May 2017
Last Modified: 25 March 2019

Associated Group Descriptions

Name Description
APT2 [2]
MSUpdater [1]

Techniques Used

Domain ID Name Use
Enterprise T1089 Disabling Security Tools

Malware used by Putter Panda attempts to terminate processes corresponding to two components of Sophos Anti-Virus (SAVAdminService.exe and SavService.exe).[1]

Enterprise T1027 Obfuscated Files or Information

Droppers used by Putter Panda use RC4 or a 16-byte XOR key consisting of the bytes 0xA0 – 0xAF to obfuscate payloads.[1]

Enterprise T1055 Process Injection

An executable dropped onto victims by Putter Panda aims to inject the specified DLL into a process that would normally be accessing the network, including Outlook Express (msinm.exe), Outlook (outlook.exe), Internet Explorer (iexplore.exe), and Firefox (firefox.exe).[1]

Enterprise T1060 Registry Run Keys / Startup Folder

A dropper used by Putter Panda installs itself into the ASEP (AutoStart Extension Point) Registry key HKCU\Software\Microsoft\Windows\CurrentVersion\Run with a value named McUpdate.[1]
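For triage of the XOR scheme in the T1027 entry above, this added example (not code from ATT&CK or from the cited report) locates PE images hidden with that key inside a larger file. It assumes the key bytes run in ascending order 0xA0..0xAF and restart at the first byte of each payload; the function names and the sample buffer are constructed for illustration.

```python
import struct

# Assumption: the 16-byte key is 0xA0..0xAF in ascending order and is applied
# repeating from the first byte of the obfuscated payload.
KEY = bytes(range(0xA0, 0xB0))

def xor_decode(data, key=KEY, phase=0):
    """XOR data with the repeating key, starting at key index `phase`."""
    return bytes(b ^ key[(phase + i) % len(key)] for i, b in enumerate(data))

def find_xored_pe(blob, key=KEY):
    """Return offsets in blob where a PE image obfuscated with key begins."""
    marker = xor_decode(b"MZ", key)      # what "MZ" looks like once obfuscated
    hits = []
    pos = blob.find(marker)
    while pos != -1:
        header = xor_decode(blob[pos:pos + 64], key)
        if len(header) == 64:
            # e_lfanew (offset 0x3C of the DOS header) points at "PE\0\0".
            e_lfanew = struct.unpack_from("<I", header, 0x3C)[0]
            start = pos + e_lfanew
            # Keep the key phase aligned with the payload start when decoding.
            if xor_decode(blob[start:start + 4], key, e_lfanew) == b"PE\0\0":
                hits.append(pos)
        pos = blob.find(marker, pos + 1)
    return hits

def _sample_pe():
    """Constructed minimal DOS/PE header stub (not a real binary)."""
    dos = bytearray(0x80)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x80)
    return bytes(dos) + b"PE\0\0" + bytes(20)

def demo():
    """Constructed buffer: a decoy marker, one obfuscated stub, one plain stub."""
    pe = _sample_pe()
    blob = b"\x00" * 37 + b"\xed\xfb" + b"\x11" * 70 + xor_decode(pe) + pe
    return find_xored_pe(blob)

if __name__ == "__main__":
    print(demo())
```

Only the obfuscated stub is reported: the bare two-byte marker fails the PE signature check, and the unobfuscated stub never matches the marker.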


Software

ID Name References Techniques
S0066 3PARA RAT [1] Custom Cryptographic Protocol, File and Directory Discovery, Redundant Access, Standard Application Layer Protocol, Standard Cryptographic Protocol, Timestomp
S0065 4H RAT [1] Command-Line Interface, Custom Cryptographic Protocol, File and Directory Discovery, Process Discovery, Standard Application Layer Protocol, System Information Discovery
S0068 httpclient [1] Command-Line Interface, Custom Cryptographic Protocol, Standard Application Layer Protocol
S0067 pngdowner [1] Credentials in Files, File Deletion, Standard Application Layer Protocol