G0024 Putter Panda

Putter Panda is a Chinese threat group that has been attributed to Unit 61486 of the 12th Bureau of the PLA’s 3rd General Staff Department (GSD). ¹

Associated Group Descriptions

Name	Description
APT2	²
MSUpdater	¹

Domain	ID	Name	Use
enterprise	T1547	Boot or Logon Autostart Execution	-
enterprise	T1547.001	Registry Run Keys / Startup Folder	A dropper used by Putter Panda installs itself into the ASEP Registry key `HKCU\Software\Microsoft\Windows\CurrentVersion\Run` with a value named McUpdate.¹
enterprise	T1562	Impair Defenses	-
enterprise	T1562.001	Disable or Modify Tools	Malware used by Putter Panda attempts to terminate processes corresponding to two components of Sophos Anti-Virus (SAVAdminService.exe and SavService.exe).¹
enterprise	T1027	Obfuscated Files or Information	Droppers used by Putter Panda use RC4 or a 16-byte XOR key consisting of the bytes 0xA0 – 0xAF to obfuscate payloads.¹
enterprise	T1055	Process Injection	-
enterprise	T1055.001	Dynamic-link Library Injection	An executable dropped onto victims by Putter Panda aims to inject the specified DLL into a process that would normally be accessing the network, including Outlook Express (msinm.exe), Outlook (outlook.exe), Internet Explorer (iexplore.exe), and Firefox (firefox.exe).¹

ID	Name	References	Techniques
S0066	3PARA RAT	¹	Web Protocols:Application Layer Protocol Symmetric Cryptography:Encrypted Channel File and Directory Discovery Timestomp:Indicator Removal
S0065	4H RAT	¹	Web Protocols:Application Layer Protocol Windows Command Shell:Command and Scripting Interpreter Symmetric Cryptography:Encrypted Channel File and Directory Discovery Process Discovery System Information Discovery
S0068	httpclient	¹	Web Protocols:Application Layer Protocol Windows Command Shell:Command and Scripting Interpreter Symmetric Cryptography:Encrypted Channel
S0067	pngdowner	¹	Web Protocols:Application Layer Protocol File Deletion:Indicator Removal Credentials In Files:Unsecured Credentials