#PutterPanda
lastestnewsupdate-blog · 7 years ago
Putter Panda, A 3 Minute Profile
Putter Panda relies on spear-phishing emails containing malicious PDFs and Microsoft Word documents to infect its targets. Putter Panda's exploit kit includes two droppers, two RATs, and two tools. One dropper delivers a payload, such as the 4H RAT, to the victim system and installs it. The other dropper exclusively delivers the PNGDOWNER tool.

Putter Panda uses the 4H RAT and the 3PARA RAT. The 4H RAT can initiate a remote shell, enumerate running processes, terminate processes, list files and directories, modify timestamps, upload files, download files, and delete files. The RAT communicates over HTTP, and the communication is obfuscated by a 1-byte XOR operation with the key 0xBE.

The 3PARA RAT is a second-stage, fail-safe tool that allows the attacker to regain control of the system if their initial access vector is removed. The 3PARA RAT creates a file map at startup to verify that there is not another instance of the RAT running. The RAT is capable of remaining dormant for prearranged or commanded periods of time. The RAT has only limited commands, which include retrieving file or disk metadata, changing the working directory of the current C2 session, executing a command, and listing the current working directory. The 3PARA RAT communicates over HTTP and authenticates with a 256-byte hash and a hard-coded string.

The first tool, PNGDOWNER, is a simple download-and-execute tool. The second tool, HTTPCLIENT, is a backup tool.
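The post describes the 4H RAT's HTTP traffic as obfuscated with a single-byte XOR using key 0xBE. The block below is an added example for this page, not code from the post, from CrowdStrike's report, or from the malware: it shows the de-obfuscation, a detection heuristic that flags a body as XOR-0xBE-obfuscated when decoding turns mostly non-printable bytes into mostly printable text, and a brute-force key recovery that works for any single-byte key, not just 0xBE. The HTTP request used as plaintext is constructed here and is not captured traffic; the function names and the 0.95 printable threshold are choices made for this example.

```python
"""Single-byte XOR de-obfuscation for C2 traffic of the kind described above.

Added example for this page; it is not code from the original post, from
CrowdStrike's report, or from the malware. The key 0xBE is the value the
post gives for the 4H RAT. The HTTP request below is constructed sample
plaintext, not a real capture.
"""
from typing import Optional

# Printable ASCII plus CR/LF; tabs are deliberately excluded so that a
# wrong key which only shifts control characters does not score as text.
PRINTABLE = set(range(0x20, 0x7F)) | {0x0A, 0x0D}

KEY_4H = 0xBE  # single-byte XOR key the post attributes to the 4H RAT

# Constructed sample plaintext (hypothetical C2 request, not captured data).
SAMPLE_PLAINTEXT = (
    b"GET /upload.php?id=0123&cmd=exec HTTP/1.1\r\n"
    b"Host: 198.51.100.23\r\n"
    b"User-Agent: Mozilla/4.0\r\n\r\n"
)


def xor_single_byte(data: bytes, key: int) -> bytes:
    """XOR every byte with one key byte. XOR is its own inverse, so the
    same call both obfuscates and de-obfuscates."""
    if not 0 <= key <= 0xFF:
        raise ValueError("key must be a single byte")
    return bytes(b ^ key for b in data)


def printable_ratio(data: bytes) -> float:
    """Fraction of bytes that are printable ASCII or CR/LF (0.0 for empty)."""
    if not data:
        return 0.0
    return sum(b in PRINTABLE for b in data) / len(data)


def looks_xor_obfuscated(body: bytes, key: int = KEY_4H,
                         threshold: float = 0.95) -> bool:
    """Detection heuristic: the raw body is mostly non-printable, but XOR
    with `key` yields mostly printable text. Plain HTTP bodies are not
    flagged because they are already printable before decoding."""
    return printable_ratio(body) < threshold <= printable_ratio(
        xor_single_byte(body, key))


def recover_xor_key(blob: bytes, crib: bytes = b"",
                    threshold: float = 0.95) -> Optional[int]:
    """Brute-force all 256 single-byte keys and return the one whose output
    is (nearly) all printable and, if a crib such as b"HTTP/" is given,
    contains that crib. Returns None when no key reaches the threshold."""
    best_key, best_score = None, 0.0
    for key in range(256):
        out = xor_single_byte(blob, key)
        if crib and crib not in out:
            continue
        score = printable_ratio(out)
        if score > best_score:
            best_key, best_score = key, score
    return best_key if best_score >= threshold else None


if __name__ == "__main__":
    wire = xor_single_byte(SAMPLE_PLAINTEXT, KEY_4H)
    print("first bytes on the wire:", wire[:16].hex())
    print("flagged as XOR-0xBE:", looks_xor_obfuscated(wire))
    key = recover_xor_key(wire, crib=b"HTTP/")
    print("recovered key: 0x%02X" % key)
    print(xor_single_byte(wire, key).decode("ascii"))
```

In practice the detection check would run over each HTTP request or response body extracted from a capture or proxy log; the key recovery is useful when a sample is suspected of using the same scheme with a different key, since the crib narrows 256 candidates to the ones that actually decode to an HTTP message.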
lastestnewsupdate-blog · 7 years ago
Putter Panda, 3 Minute Profile
The most commonly used name for APT2 is Putter Panda, and it is connected to the People's Liberation Army's (PLA) Third General Staff Department (GSD) 12th Bureau, Military Unit Cover Designator (MUCD) 61486. PLA Unit 61486 supports China's space surveillance network. The group may be responsible for space-based signals intelligence (SIGINT) collection.