| Names | APT24 (Mandiant), PittyTiger (FireEye), Pitty Panda (CrowdStrike), Manganese (Microsoft) |
| Location | China |
| Date of initial activity | 2011 |
| Motivation | Information theft and espionage |
| Associated tools | Enfal, Gh0st RAT, gsecdump, Leo RAT, Mimikatz, Paladin RAT, pgift, Pitty, Poison Ivy. |
Overview
APT24 is known to have targeted organizations headquartered in countries including the U.S. and Taiwan. This group has historically used the RAR archive utility to encrypt and compress stolen data prior to transferring it out of the network. Data theft exfiltrated from this actor mainly focused on documents with political significance, suggesting its intent is to monitor the positions of various nation states on issues applicable to China’s ongoing territorial or sovereignty dispute.
Targets
Defense, Government, Telecommunications and Web development. Countries: Taiwan and Europe.
Attack vectors
This group leverages social engineering to deliver spear phishing emails, in a variety of languages including English, French and Chinese, and email phishing pages to their targets. The attackers use a variety of different malware and tools to maintain command and control (C2) and move laterally through their targets’ networks.
How they work
The attackers sent out emails written in English and French that appeared to come from someone within the targeted organization. The malicious messages carried harmless-looking Microsoft Word documents that were set up to drop a first-stage payload, Backdoor.APT.Pgift (Troj/ReRol.A), by exploiting both old (CVE-2012-0158) and new (CVE-2014-1761) vulnerabilities affecting the Microsoft Office suite.
Once it infects a computer, the Trojan sends some information on the compromised device back to its command and control (C&C) server, after which it downloads the second-stage malware.
Backdoor.APT.PittyTiger1.3 (CT RAT) has also been used, most likely as a second-stage malware since it provides attackers with a remote shell on the compromised system. Backdoor.APT.PittyTiger is a piece of malware leveraged by the group in 2012 and 2013. The threat is capable of capturing screenshots, uploading and downloading files, and providing a remote shell. Backdoor.APT.Lurid, and variants of Gh0st RAT, including Paladin RAT and Leo RAT, have also been used by the Pitty Tiger group, FireEye reported.
References:
- Advanced Persistent Threats (APTs) – APT24
- “Pitty Tiger” Threat Actors Possibly Active Since 2008: FireEye
