Putter Panda is a Chinese threat group that has been attributed to Unit 61486 of the 12th Bureau of the PLA’s 3rd General Staff Department (GSD). [1]
| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | A dropper used by Putter Panda installs itself into the ASEP Registry key. |
| Enterprise | T1562.001 | Impair Defenses: Disable or Modify Tools | Malware used by Putter Panda attempts to terminate processes corresponding to two components of Sophos Anti-Virus (SAVAdminService.exe and SavService.exe).[1] |
| Enterprise | T1027.013 | Obfuscated Files or Information: Encrypted/Encoded File | Droppers used by Putter Panda use RC4 or a 16-byte XOR key consisting of the bytes 0xA0 – 0xAF to obfuscate payloads.[1] |
| Enterprise | T1055.001 | Process Injection: Dynamic-link Library Injection | An executable dropped onto victims by Putter Panda aims to inject the specified DLL into a process that would normally be accessing the network, including Outlook Express (msinm.exe), Outlook (outlook.exe), Internet Explorer (iexplore.exe), and Firefox (firefox.exe).[1] |
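The T1027.013 row above describes two payload-encoding schemes: RC4, and a repeating 16-byte XOR key whose bytes run 0xA0 through 0xAF. The following is an added analyst-side example (not code from this page or from the CrowdStrike report it cites) that recovers a payload encoded either way and applies a cheap triage check, namely whether the decoded bytes carry an MZ/PE header. The 0xA0..0xAF key is taken from the page; the RC4 key is not stated on the page, so `rc4_candidates` is an assumed list the analyst supplies, and the sample blob is a constructed PE-like stub rather than real malware.

```python
"""Recover a dropper payload obfuscated with a repeating XOR key
(0xA0..0xAF) or RC4, and check whether the result looks like a PE file.
Added example; the XOR key comes from the page, everything else is assumed."""

from typing import Iterable, Optional, Tuple

# 16-byte key described on the page: 0xA0, 0xA1, ..., 0xAF.
XOR_KEY = bytes(range(0xA0, 0xB0))


def xor_rolling(data: bytes, key: bytes = XOR_KEY) -> bytes:
    """Apply a repeating XOR key. XOR is its own inverse, so one function
    both obfuscates and de-obfuscates."""
    if not key:
        raise ValueError("key must not be empty")
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def rc4(data: bytes, key: bytes) -> bytes:
    """Textbook RC4 (KSA + PRGA). Symmetric: the same call decrypts."""
    if not key:
        raise ValueError("key must not be empty")
    s = list(range(256))
    j = 0
    for i in range(256):  # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for b in data:  # pseudo-random generation algorithm
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(b ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def looks_like_pe(blob: bytes) -> bool:
    """Triage check: 'MZ' at offset 0 and e_lfanew pointing at 'PE\\0\\0'."""
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(blob[0x3C:0x40], "little")
    return blob[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def triage_payload(blob: bytes, rc4_candidates: Iterable[bytes] = ()
                   ) -> Optional[Tuple[str, bytes]]:
    """Try the fixed XOR key first, then each assumed RC4 candidate key.
    Returns (scheme, decoded_bytes) for the first decode that yields a PE,
    or None if nothing matches."""
    decoded = xor_rolling(blob)
    if looks_like_pe(decoded):
        return ("xor-a0-af", decoded)
    for key in rc4_candidates:
        decoded = rc4(blob, key)
        if looks_like_pe(decoded):
            return ("rc4:" + key.hex(), decoded)
    return None


def build_sample_pe_stub() -> bytes:
    """Constructed minimal PE-like stub (not a runnable executable):
    60-byte DOS header, e_lfanew = 0x40 at offset 0x3C, then 'PE\\0\\0'."""
    header = bytearray(b"MZ" + b"\x00" * 0x3A)      # bytes 0x00..0x3B
    header += (0x40).to_bytes(4, "little")           # e_lfanew at 0x3C
    return bytes(header) + b"PE\x00\x00" + b"\x00" * 20


# Constructed inputs: the same stub encoded both ways.
ASSUMED_RC4_KEY = b"placeholder-rc4-key"  # hypothetical, not from the page
SAMPLE_XOR_BLOB = xor_rolling(build_sample_pe_stub())
SAMPLE_RC4_BLOB = rc4(build_sample_pe_stub(), ASSUMED_RC4_KEY)


if __name__ == "__main__":
    for name, blob in (("xor", SAMPLE_XOR_BLOB), ("rc4", SAMPLE_RC4_BLOB)):
        result = triage_payload(blob, rc4_candidates=[ASSUMED_RC4_KEY])
        print(name, "->", result[0] if result else "no match")
```

Both encodings are symmetric, so the decoder is the encoder; the PE-header check is what turns "apply the key" into a useful triage signal, since a wrong key produces high-entropy noise rather than an MZ header.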
| ID | Name | References | Techniques |
|---|---|---|---|
| S0066 | 3PARA RAT | [1] | Encrypted Channel: Symmetric Cryptography, Application Layer Protocol: Web Protocols, File and Directory Discovery, Indicator Removal: Timestomp |
| S0065 | 4H RAT | [1] | Encrypted Channel: Symmetric Cryptography, Command and Scripting Interpreter: Windows Command Shell, Application Layer Protocol: Web Protocols, File and Directory Discovery, System Information Discovery, Process Discovery |
| S0068 | httpclient | [1] | Encrypted Channel: Symmetric Cryptography, Command and Scripting Interpreter: Windows Command Shell, Application Layer Protocol: Web Protocols |
| S0067 | pngdowner | [1] | Application Layer Protocol: Web Protocols, Unsecured Credentials: Credentials In Files, Indicator Removal: File Deletion |