Group: Putter Panda, APT2, MSUpdater

From enterprise
Jump to: navigation, search
Putter Panda, APT2, MSUpdater
ID G0024
Aliases Putter Panda, APT2, MSUpdater

Putter Panda is a Chinese threat group that has been attributed to Unit 61486 of the 12th Bureau of the PLA’s 3rd General Staff Department (GSD).1

Alias Descriptions

  • Putter Panda - 12
  • APT2 - 2
  • MSUpdater - 1

Techniques Used

  • Registry Run Keys / Start Folder - A dropper used by Putter Panda installs itself into the ASEP Registry key HKCU\Software\Microsoft\Windows\CurrentVersion\Run with a value named McUpdate.1
  • Process Injection - An executable dropped onto victims by Putter Panda aims to inject the specified DLL into a process that would normally be accessing the network, including Outlook Express (msinm.exe), Outlook (outlook.exe), Internet Explorer (iexplore.exe), and Firefox (firefox.exe).1
  • Disabling Security Tools - Malware used by Putter Panda attempts to terminate processes corresponding to two components of Sophos Anti-Virus (SAVAdminService.exe and SavService.exe).1