Group description: Putter Panda
Putter Panda, APT2, MSUpdater, Group G0024 | MITRE ATT&CK®

Putter Panda is a Chinese threat group that has been attributed to Unit 61486 of the 12th Bureau of the PLA's 3rd General Staff Department (GSD). [1]

ID: G0024
Associated Groups: APT2, MSUpdater
Version: 1.2
Created: 31 May 2017
Last Modified: 17 November 2024

Associated Group Descriptions
- APT2 [2]
- MSUpdater [1]

Techniques Used (Domain | ID | Name, followed by Use)
- Enterprise | T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
  A dropper used by Putter Panda installs itself into the ASEP Registry key HKCU\Software\Microsoft\Windows\CurrentVersion\Run with a value named McUpdate. [1]
- Enterprise | T1562.001 | Impair Defenses: Disable or Modify Tools
  Malware used by Putter Panda attempts to terminate processes corresponding to two components of Sophos Anti-Virus (SAVAdminService.exe and SavService.exe). [1]
- Enterprise | T1027.013 | Obfuscated Files or Information: Encrypted/Encoded File
  Droppers used by Putter Panda use RC4 or a 16-byte XOR key consisting of the bytes 0xA0 – 0xAF to obfuscate payloads. [1]
- Enterprise | T1055.001 | Process Injection: Dynamic-link Library Injection
  An executable dropped onto victims by Putter Panda aims to inject the specified DLL into a process that would normally be accessing the network, including Outlook Express (msinm.exe), Outlook (outlook.exe), Internet Explorer (iexplore.exe), and Firefox (firefox.exe). [1]

Software (ID | Name | References, followed by Techniques)
- S0066 | 3PARA RAT | [1]
  Application Layer Protocol: Web Protocols; Encrypted Channel: Symmetric Cryptography; File and Directory Discovery; Indicator Removal: Timestomp
- S0065 | 4H RAT | [1]
  Application Layer Protocol: Web Protocols; Command and Scripting Interpreter: Windows Command Shell; Encrypted Channel: Symmetric Cryptography; File and Directory Discovery; Process Discovery; System Information Discovery
- S0068 | httpclient | [1]
  Application Layer Protocol: Web Protocols; Command and Scripting Interpreter: Windows Command Shell; Encrypted Channel: Symmetric Cryptography
- S0067 | pngdowner | [1]
  Application Layer Protocol: Web Protocols; Indicator Removal: File Deletion; Unsecured Credentials: Credentials In Files

References
1. Crowdstrike Global Intelligence Team. (2014, June 9). CrowdStrike Intelligence Report: Putter Panda. Retrieved January 22, 2016.
2. Gross, J. and Walter, J. (2016, January 12). Puttering into the Future.... Retrieved November 17, 2024.
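The T1027.013 entry above describes droppers that obfuscate payloads with a 16-byte XOR key made of the bytes 0xA0 to 0xAF. The following analyst helper is an added example (not CrowdStrike's or MITRE's code) that decodes such a payload and scans a dropper's bytes for an XOR-encoded PE image; it assumes the key is applied cyclically and brute-forces the key phase, since where the payload starts inside the dropper is unknown. The sample input is constructed, not a real Putter Panda artifact.

```python
import struct
from typing import Optional, Tuple

# Built from the page's description: a 16-byte key of the bytes 0xA0..0xAF.
XOR_KEY = bytes(range(0xA0, 0xB0))


def xor_apply(buf: bytes, key: bytes = XOR_KEY, phase: int = 0) -> bytes:
    """XOR buf against key used cyclically (assumption: cyclic key use).
    XOR is symmetric, so one call both encodes and decodes; `phase` says
    which key byte lines up with buf[0]."""
    n = len(key)
    return bytes(b ^ key[(i + phase) % n] for i, b in enumerate(buf))


def find_xored_pe(blob: bytes, key: bytes = XOR_KEY) -> Optional[Tuple[int, int]]:
    """Scan dropper bytes for a PE image obfuscated with `key`.
    For each offset and each of the 16 key phases, decode a DOS-header sized
    window and accept it only if it yields 'MZ' AND the e_lfanew pointer at
    0x3C leads to 'PE\\0\\0' under the same key stream (avoids 'MZ' false hits).
    Returns (offset, phase) of the first hit, or None."""
    n = len(key)
    for off in range(0, len(blob) - 0x40 + 1):
        for phase in range(n):
            hdr = xor_apply(blob[off:off + 0x40], key, phase)
            if hdr[:2] != b"MZ":
                continue
            e_lfanew = struct.unpack_from("<I", hdr, 0x3C)[0]
            sig_off = off + e_lfanew
            if e_lfanew < 0x40 or sig_off + 4 > len(blob):
                continue
            # Bytes at image offset e_lfanew were XORed with key index (phase + e_lfanew + i) % n.
            if xor_apply(blob[sig_off:sig_off + 4], key, phase + e_lfanew) == b"PE\0\0":
                return off, phase
    return None


def build_sample() -> bytes:
    """Constructed input: 7 junk bytes, then a minimal fake PE image (MZ header,
    e_lfanew = 0x40, then 'PE\\0\\0') encoded with XOR_KEY from key phase 0."""
    dos = bytearray(b"MZ" + b"\x00" * 0x3E)
    struct.pack_into("<I", dos, 0x3C, 0x40)
    image = bytes(dos) + b"PE\0\0" + b"\x4c\x01"  # signature, then an arbitrary Machine field
    return b"\x11\x22\x33\x44\x55\x66\x77" + xor_apply(image, XOR_KEY, 0)


if __name__ == "__main__":
    print("embedded PE at (offset, phase):", find_xored_pe(build_sample()))  # (7, 0)
```

Feeding the recovered (offset, phase) back into xor_apply on the remainder of the blob yields the decoded image for further static analysis.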