Putter Panda

Putter Panda is a Chinese threat group that has been attributed to Unit 61486 of the 12th Bureau of the PLA’s 3rd General Staff Department (GSD). [1]

ID: G0024
Version: 1.0

Associated Group Descriptions

NameDescription
APT2[2]
MSUpdater[1]

Techniques Used

DomainIDNameUse
EnterpriseT1089Disabling Security ToolsMalware used by Putter Panda attempts to terminate processes corresponding to two components of Sophos Anti-Virus (SAVAdminService.exe and SavService.exe).[1]
EnterpriseT1027Obfuscated Files or InformationDroppers used by Putter Panda use RC4 or a 16-byte XOR key consisting of the bytes 0xA0 – 0xAF to obfuscate payloads.[1]
EnterpriseT1055Process InjectionAn executable dropped onto victims by Putter Panda aims to inject the specified DLL into a process that would normally be accessing the network, including Outlook Express (msinm.exe), Outlook (outlook.exe), Internet Explorer (iexplore.exe), and Firefox (firefox.exe).[1]
EnterpriseT1060Registry Run Keys / Startup FolderA dropper used by Putter Panda installs itself into the ASEP Registry key HKCU\Software\Microsoft\Windows\CurrentVersion\Run with a value named McUpdate.[1]

Software

IDNameReferencesTechniques
S00663PARA RAT[1]Custom Cryptographic Protocol, File and Directory Discovery, Redundant Access, Standard Application Layer Protocol, Standard Cryptographic Protocol, Timestomp
S00654H RAT[1]Command-Line Interface, Custom Cryptographic Protocol, File and Directory Discovery, Process Discovery, Standard Application Layer Protocol, System Information Discovery
S0068httpclient[1]Command-Line Interface, Custom Cryptographic Protocol, Standard Application Layer Protocol
S0067pngdowner[1]Credentials in Files, File Deletion, Standard Application Layer Protocol

References