Skip to content

G0024 Putter Panda

Putter Panda is a Chinese threat group that has been attributed to Unit 61486 of the 12th Bureau of the PLA’s 3rd General Staff Department (GSD). 1

Item Value
ID G0024
Associated Names APT2, MSUpdater
Version 1.1
Created 31 May 2017
Last Modified 30 March 2020
Navigation Layer View In ATT&CK® Navigator

Associated Group Descriptions

Name Description
APT2 2
MSUpdater 1

Techniques Used

Domain ID Name Use
enterprise T1547 Boot or Logon Autostart Execution -
enterprise T1547.001 Registry Run Keys / Startup Folder A dropper used by Putter Panda installs itself into the ASEP Registry key HKCU\Software\Microsoft\Windows\CurrentVersion\Run with a value named McUpdate.1
enterprise T1562 Impair Defenses -
enterprise T1562.001 Disable or Modify Tools Malware used by Putter Panda attempts to terminate processes corresponding to two components of Sophos Anti-Virus (SAVAdminService.exe and SavService.exe).1
enterprise T1027 Obfuscated Files or Information Droppers used by Putter Panda use RC4 or a 16-byte XOR key consisting of the bytes 0xA0 – 0xAF to obfuscate payloads.1
enterprise T1055 Process Injection -
enterprise T1055.001 Dynamic-link Library Injection An executable dropped onto victims by Putter Panda aims to inject the specified DLL into a process that would normally be accessing the network, including Outlook Express (msinm.exe), Outlook (outlook.exe), Internet Explorer (iexplore.exe), and Firefox (firefox.exe).1

Software

ID Name References Techniques
S0066 3PARA RAT - Web Protocols:Application Layer Protocol Symmetric Cryptography:Encrypted Channel File and Directory Discovery Timestomp:Indicator Removal on Host
S0065 4H RAT - Web Protocols:Application Layer Protocol Windows Command Shell:Command and Scripting Interpreter Symmetric Cryptography:Encrypted Channel File and Directory Discovery Process Discovery System Information Discovery
S0068 httpclient - Web Protocols:Application Layer Protocol Windows Command Shell:Command and Scripting Interpreter Symmetric Cryptography:Encrypted Channel
S0067 pngdowner - Web Protocols:Application Layer Protocol File Deletion:Indicator Removal on Host Credentials In Files:Unsecured Credentials

References

Back to top