APT2

The most commonly used name for APT2 is Putter Panda, and the group is linked to the People’s Liberation Army’s (PLA) Third General Staff Department (GSD) 12th Bureau, Military Unit Cover Designator (MUCD) 61486. PLA Unit 61486 supports China’s space surveillance network, and the group may be responsible for space-based signals intelligence (SIGINT) collection. The group has been actively conducting attacks since at least 2007 and is based out of the Zhabei district of Shanghai, China. PLA Unit 61486 shares some infrastructure with PLA Unit 61398. Putter Panda targets the United States Government, the Defense sector, the Research sector, and the Technology sector. According to CrowdStrike, the United States defense industry, the communications industry, and European satellite and aerospace industries are particularly targeted.

Putter Panda relies on spear-phishing emails containing malicious PDFs and Microsoft Word documents to infect its targets. Putter Panda’s exploit kit includes two droppers, two RATs, and two tools. One dropper delivers a payload, such as the 4H RAT, to the victim system and installs it. The other dropper exclusively delivers the PNGDOWNER tool. Putter Panda uses the 4H RAT and the 3PARA RAT. The 4H RAT can initiate a remote shell, enumerate running processes, terminate processes, list files and directories, modify timestamps, upload files, download files, and delete files. The RAT communicates over HTTP, and the communication is obfuscated with a 1-byte XOR using the key 0xBE. The 3PARA RAT is a second-stage, failsafe tool that allows the attacker to regain control of the system if their initial access vector is removed. At startup, the 3PARA RAT creates a file mapping to verify that no other instance of the RAT is running. The RAT is capable of remaining dormant for prearranged or commanded periods of time. The RAT has only a limited command set, which includes retrieving file or disk metadata, changing the working directory of the current C2 session, executing a command, and listing the current working directory. The first tool, PNGDOWNER, is a simple download-and-execute tool. The second tool, HTTPCLIENT, is a backup tool. The 3PARA RAT communicates over HTTP and authenticates with a 256-byte hash and a hard-coded string.
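The single-byte XOR obfuscation described above is easy to reverse during analysis. The following analyst helper is an added example, not code from the original page or from CrowdStrike: it decodes a captured HTTP body with the 0xBE key and scores whether the result looks like plaintext, so the check can be run over many captured bodies; the function names and the sample C2 command are constructed for illustration.

```python
"""Analyst helper (added example): reverse the 1-byte XOR (key 0xBE) that the
page attributes to 4H RAT HTTP traffic and flag bodies that decode to text."""

FOURH_XOR_KEY = 0xBE  # single-byte key reported for 4H RAT C2 traffic


def xor_decode(data: bytes, key: int = FOURH_XOR_KEY) -> bytes:
    """Apply a repeating single-byte XOR; XOR is its own inverse."""
    return bytes(b ^ key for b in data)


def printable_ratio(data: bytes) -> float:
    """Fraction of bytes that are printable ASCII or common whitespace."""
    if not data:
        return 0.0
    ok = sum(1 for b in data if 32 <= b < 127 or b in (9, 10, 13))
    return ok / len(data)


def looks_like_xor_be(payload: bytes, threshold: float = 0.95) -> bool:
    """Heuristic: the raw body is not text, but XOR 0xBE yields mostly text.

    Requiring the raw body to be non-text avoids flagging ordinary plaintext
    HTTP bodies that would also pass the decoded-ratio check."""
    raw = printable_ratio(payload)
    decoded = printable_ratio(xor_decode(payload))
    return decoded >= threshold and raw < 0.5


# Constructed sample (hypothetical command, not a real 4H RAT capture),
# encoded the way the page describes so it resembles what a sensor sees.
SAMPLE_PLAINTEXT = b"CMD=list C:\\Users\\victim\\Documents\r\n"
SAMPLE_CAPTURED = xor_decode(SAMPLE_PLAINTEXT)

if __name__ == "__main__":
    print(looks_like_xor_be(SAMPLE_CAPTURED))          # True
    print(xor_decode(SAMPLE_CAPTURED).decode("ascii"))  # the command text
```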

  • Type: Nation-State-Sponsored

    APT2 Status: Believed Active

    APT2 Other Names: Putter Panda/ PLA Unit 61486/ TG-6952/ Group 36/ SearchFire

    APT2 Active Since/Discovered: 2007

    APT2 Targets:

    • Exfiltrates intellectual property, trade secrets, and other information
    • U.S. and EU

    APT2 Target Sectors: Government entities, the Aerospace sector, the Defense sector, the Communication sector, the Technologies sector, and research facilities

    Malware:

    • MSUpdater
    • 4H RAT and 3PARA RAT
      • initiate remote shell, enumerate running processes, terminate processes, list files and directories, modify timestamps, upload files, download files, and delete files
    • PNGDOWNER
    • HTTPCLIENT

    Preferred Attack Vector: Spear-Phishing (PDFs and Word docs)

    TTP:

    • CVE-2012-0158

    Unique:

    • People’s Liberation Army’s (PLA) Third General Staff Department (GSD) 12th Bureau Military Unit Cover Designator (MUCD) 61486
    • Supports China’s space surveillance network and maintains close ties with the state-sponsored Beijing Remote Sensing Research Institute
    • Based out of Zhabei district, Shanghai