APT attackers thought to be operating from China often appear to be financed by the government, but other groups work for the highest bidder, which is usually a private sector company looking for information that will squash its competition.
One such group is Pitty Tiger, so named by security researchers on account of the remote access tool (RAT) it seems to favour and which has been seen used exclusively by this group.
The group is thought to have been active since 2011 (possibly even earlier), and has been targeting a number of private companies operating in different sectors: defense, telecommunication, government, energy, and even web development. According to the researchers from AIRBUS Defence & Space’s CyberSecurity unit, most of these firms are based in Europe.
The group’s attacks often begin with spear-phishing emails carrying malware, or with targeted watering hole attacks – both aimed at employees at their workstations. Victims download a booby-trapped Word or Excel document that exploits one of several known vulnerabilities. It is worth pointing out that all of them have already been patched, and that the group has yet to use a zero-day in its attacks.
The exploitation allows the attackers to install one of a number of RATs in their arsenal: the aforementioned PittyTiger, the CT RAT (which seems to be an evolution of PittyTiger), the MM RAT (“Goldsun”) and the Paladin RAT (a variant of Gh0st RAT).
“Although we have not been able to find evidence of any attack aimed at exploiting vulnerabilities on the group’s targets’ servers, we have been able to record several vulnerability scans launched from one C&C server straight at the targets,” the researchers shared.
“The attackers have been using different vulnerability scanners aimed at their targets. While some targets have been scanned with ‘generic’ vulnerability scanning tools like HScan or Fluxay and port scanners like Nmap, some other targets have been scanned for very specific vulnerabilities, like a ZyWALL vulnerability or a Fortinet product.”
The group has also been seen exploiting the Heartbleed bug to obtain admin credentials, which are then used to attempt to move laterally within the organization’s network and, ultimately, to exfiltrate its intellectual property.
But “running automated vulnerability scanners on whole ranges of IP addresses used by the targets or on several domains is a very noisy way to collect information and find server vulnerabilities,” the researchers pointed out.
“We would advocate that this method is unwise when you want to stay furtive, and doing it from a C&C server is very surprising, to say the least. While the Pitty Tiger group is experienced on some aspects on its running APT campaigns, it definitely lacks some maturity here.”
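The noisiness the researchers describe is exactly what makes this behaviour detectable on the defender's side: a single source that touches many ports on one host (a generic port sweep) or the same port across many hosts (a product-specific vulnerability check run against a whole range) stands out in ordinary firewall logs. The following is an added example, not code from the Airbus report; it assumes a simplified key=value firewall log format and uses constructed log lines and illustrative thresholds that would need tuning for a real network.

```python
"""Spot noisy scanning (many ports on one host, or one port across many hosts)
from a single source IP in firewall connection logs.

Added example, not code from the Airbus report. The log format is an assumed
key=value style; the thresholds are illustrative.
"""
import re
from collections import defaultdict

LINE_RE = re.compile(
    r"^(?P<ts>\S+) action=(?P<action>\w+) src=(?P<src>[\d.]+) "
    r"dst=(?P<dst>[\d.]+) dport=(?P<dport>\d+)$"
)


def parse_line(line):
    """Return a dict for one log line, or None if it does not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["dport"] = int(rec["dport"])
    return rec


def summarize_sources(lines):
    """Aggregate per source IP: distinct destination hosts, distinct ports,
    total connections and how many of them the firewall denied."""
    stats = defaultdict(lambda: {"hosts": set(), "ports": set(), "denied": 0, "total": 0})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip lines that do not match the assumed format
        s = stats[rec["src"]]
        s["hosts"].add(rec["dst"])
        s["ports"].add(rec["dport"])
        s["total"] += 1
        if rec["action"].lower() == "deny":
            s["denied"] += 1
    return stats


def flag_scanners(lines, port_threshold=15, host_threshold=8):
    """Return {src: reasons} for sources whose fan-out exceeds the thresholds.

    Vertical scan: one source probing many ports on the target range.
    Horizontal scan: one source probing many hosts (typically one service).
    The deny ratio is reported as supporting context: sweeps of closed ports
    produce a high share of denied connections.
    """
    flagged = {}
    for src, s in summarize_sources(lines).items():
        reasons = []
        if len(s["ports"]) >= port_threshold:
            reasons.append(f"vertical scan: {len(s['ports'])} distinct ports")
        if len(s["hosts"]) >= host_threshold:
            reasons.append(f"horizontal scan: {len(s['hosts'])} distinct hosts")
        if reasons:
            reasons.append(f"deny ratio {s['denied'] / s['total']:.2f}")
            flagged[src] = reasons
    return flagged


def constructed_sample():
    """Constructed log lines (not real traffic): one noisy source, one normal client."""
    lines = []
    # Noisy source sweeps 25 ports on a single host; only two ports are open.
    for i, port in enumerate(range(20, 45)):
        action = "allow" if port in (22, 25) else "deny"
        lines.append(f"2014-07-11T10:00:{i:02d} action={action} src=203.0.113.7 dst=192.0.2.10 dport={port}")
    # The same source then probes port 443 on twelve hosts (a product-specific check).
    for i in range(12):
        lines.append(f"2014-07-11T10:05:{i:02d} action=allow src=203.0.113.7 dst=192.0.2.{20 + i} dport=443")
    # Ordinary client: a few connections to the web server.
    for i in range(5):
        lines.append(f"2014-07-11T10:10:{i:02d} action=allow src=198.51.100.4 dst=192.0.2.10 dport=443")
    lines.append("malformed line that should be ignored")
    return lines


if __name__ == "__main__":
    for src, reasons in flag_scanners(constructed_sample()).items():
        print(src, "->", "; ".join(reasons))
```

Running it flags only 203.0.113.7, for both the port sweep and the host sweep; the ordinary client, which repeatedly reaches one service on one host, stays below both thresholds. In practice the same aggregation is run per time window so that a slow scan spread over days is not hidden by a low per-hour count.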
The researchers managed to discover a number of C&C servers used by the group by analyzing a variant of the PittyTiger malware, and managed to access three of them by exploiting misconfigured access control on several folders.
This allowed them to root around and spot a number of malware and tools used by the group: the aforementioned RATs, email espionage tools, password dumpers, network scanners, vulnerability scanners, and so on.
“What is rare to find is the controller part of those tools. We have been lucky enough to get the controller part of Pitty Tiger and CT RAT, and even to get a kind of hybrid controller made for CT RAT but also supporting Pitty Tiger. We suppose that the CT RAT is the new evolution of Pitty Tiger and that it will replace Pitty Tiger in the following months,” they say.
“The presence of a Chinese version of ‘calc.exe’, the official calculator provided in Microsoft Windows, is interesting. Not only is it one more indicator of a probable Chinese origin, but also an indicator that this server was probably used as a test base, in addition to being operational and controlling infected machines from different targets.”
The researchers also have some theories about the group’s structure, and believe they have identified a bot operator position, a malware development position, a coordinator position and a customer relationship manager position.
The use of Chinese tools, RATs developed by Chinese-speaking developers, the decoy Word document written in Chinese, and the IP addresses used for the hosting of the C&C domains (mainly located in Taipei and Hong Kong City) all point to the group being based in China.
For more and extensive technical details about the group’s operations, check out this whitepaper.