Putter Panda

Putter Panda is a Chinese threat group that has been attributed to Unit 61486 of the 12th Bureau of the PLA’s 3rd General Staff Department (GSD). [1]

ID: G0024
Associated Groups: APT2, MSUpdater
Version: 1.1
Created: 31 May 2017
Last Modified: 30 March 2020

Associated Group Descriptions

Name Description
APT2

[2]

MSUpdater

[1]

Techniques Used

Domain ID Name Use
Enterprise T1547 .001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

A dropper used by Putter Panda installs itself into the ASEP Registry key HKCU\Software\Microsoft\Windows\CurrentVersion\Run with a value named McUpdate.[1]

Enterprise T1562 .001 Impair Defenses: Disable or Modify Tools

Malware used by Putter Panda attempts to terminate processes corresponding to two components of Sophos Anti-Virus (SAVAdminService.exe and SavService.exe).[1]

Enterprise T1027 Obfuscated Files or Information

Droppers used by Putter Panda use RC4 or a 16-byte XOR key consisting of the bytes 0xA0 – 0xAF to obfuscate payloads.[1]

Enterprise T1055 .001 Process Injection: Dynamic-link Library Injection

An executable dropped onto victims by Putter Panda aims to inject the specified DLL into a process that would normally be accessing the network, including Outlook Express (msinm.exe), Outlook (outlook.exe), Internet Explorer (iexplore.exe), and Firefox (firefox.exe).[1]

Software

ID Name References Techniques
S0066 3PARA RAT [1] Application Layer Protocol: Web Protocols, Encrypted Channel: Symmetric Cryptography, File and Directory Discovery, Indicator Removal on Host: Timestomp
S0065 4H RAT [1] Application Layer Protocol: Web Protocols, Command and Scripting Interpreter: Windows Command Shell, Encrypted Channel: Symmetric Cryptography, File and Directory Discovery, Process Discovery, System Information Discovery
S0068 httpclient [1] Application Layer Protocol: Web Protocols, Command and Scripting Interpreter: Windows Command Shell, Encrypted Channel: Symmetric Cryptography
S0067 pngdowner [1] Application Layer Protocol: Web Protocols, Indicator Removal on Host: File Deletion, Unsecured Credentials: Credentials In Files

References