1. Home
  2. Groups
  3. Putter Panda

Putter Panda

Putter Panda is a Chinese threat group that has been attributed to Unit 61486 of the 12th Bureau of the PLA’s 3rd General Staff Department (GSD). [1]

ID: G0024
Associated Groups: APT2, MSUpdater
Version: 1.1
Created: 31 May 2017
Last Modified: 30 March 2020

Associated Group Descriptions

Name Description
APT2

[2]
MSUpdater

[1]
Enterprise Layer
download view

Techniques Used

Domain ID Name Use
Enterprise T1547 .001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

A dropper used by Putter Panda installs itself into the ASEP Registry key HKCU\Software\Microsoft\Windows\CurrentVersion\Run with a value named McUpdate.[1]
Enterprise T1562 .001 Impair Defenses: Disable or Modify Tools

Malware used by Putter Panda attempts to terminate processes corresponding to two components of Sophos Anti-Virus (SAVAdminService.exe and SavService.exe).[1]
Enterprise T1027 Obfuscated Files or Information

Droppers used by Putter Panda use RC4 or a 16-byte XOR key consisting of the bytes 0xA0 – 0xAF to obfuscate payloads.[1]
Enterprise T1055 .001 Process Injection: Dynamic-link Library Injection

An executable dropped onto victims by Putter Panda aims to inject the specified DLL into a process that would normally be accessing the network, including Outlook Express (msinm.exe), Outlook (outlook.exe), Internet Explorer (iexplore.exe), and Firefox (firefox.exe).[1]

Software

ID Name References Techniques
S0066 3PARA RAT [1] Application Layer Protocol: Web Protocols, Encrypted Channel: Symmetric Cryptography, File and Directory Discovery, Indicator Removal on Host: Timestomp
S0065 4H RAT [1] Application Layer Protocol: Web Protocols, Command and Scripting Interpreter: Windows Command Shell, Encrypted Channel: Symmetric Cryptography, File and Directory Discovery, Process Discovery, System Information Discovery
S0068 httpclient [1] Application Layer Protocol: Web Protocols, Command and Scripting Interpreter: Windows Command Shell, Encrypted Channel: Symmetric Cryptography
S0067 pngdowner [1] Application Layer Protocol: Web Protocols, Indicator Removal on Host: File Deletion, Unsecured Credentials: Credentials In Files

References

  1. Crowdstrike Global Intelligence Team. (2014, June 9). CrowdStrike Intelligence Report: Putter Panda. Retrieved January 22, 2016.
  1. Gross, J. and Walter, J.. (2016, January 12). Puttering into the Future.... Retrieved January 22, 2016.