Putter Panda Cyber Threat Intelligence Card

Report by Miguel Bigueur and Daniel Bradley

Executive Summary

Putter Panda is a criminal hacker organization based out of China that has been linked to numerous cyber espionage events against American and European governments and corporations. They are linked to China’s shadow army known as, Unit 61486 of the 12^th Bureau of the People’s Liberation Army’s 3^rd General Staff Department.

Putter Panda is accused of launching Advanced Persistent Threat (APT) style espionage campaigns against American and European based space and defense companies. The group’s primary motivation is economic advancement, and accelerating time to market for knock-off technologies^[1].

Crowdstrike, a security technology and services provider, conducted in-depth analysis on Putter Panda’s objectives and motivations concluding that China may be embarking on a strategic information gathering campaign that will be used for intelligence and military advancement along with information sharing within the corporate arena. Through various techniques, tactics and procedures, Putter Panda was able to install Remote Access Trojans (RATs) and other malware to establish command and control connections in order to steal unquantifiable amounts of intellectual property from the aerospace industry. The attacks were not overly sophisticated and as a result most of the attacks were conducted using readily available, off-the-shelf methods.

The adversary may feel a sense of Patriotism to advance their country’s technological foothold in the world. The findings present the primary threat actor as a person with a military or police background and he may feel a sense of duty to do what is right for the country. As the Crowdstrike analysis discovered, the adversary’s personal blog stated, “Soldier’s duty is to defend the country, as long as our country is safe, our military is excellent”.^[2] The adversary may have been motivated to enhance his government’s ability to create space based technologies to keep pace with those of world superpowers.

Tactics, Techniques, Procedures, and Tools

Tactics

It was discovered that many tactics used by Unit 61486 seem to be poor choices considering they are a group devised on avoiding detection. Unit 61486 operatives have been routinely documented logging into various social networking accounts, i.e. Gmail, Twitter, and Facebook, using the computers of their victims. The primary purpose of those logins were part of a bigger plan to send out spoofed e-mails baiting users into installing malicious software that would be subsequently used to breach new systems. This resulted in Mandiant inferring the existence of many online distinct personas.^[3] All of these risky tactics were used, in part, to sidestep strict Chinese censorship designed to completely block access to most western social networks like Facebook.

Techniques

A primary indicator of attack (IOA) or behavior of Putter Panda included phishing scams to the target. Employees clicked on malware embedded documents providing the attackers control over victims personal computers (PC). The attackers then used the PCs to take control of servers housing blueprints, customer lists, or other sensitive data^[4]. The easily accessible or ephemeral indicators of compromise utilized by the attacker included off-the-shelf exploits against vulnerabilities contained primarily within Adobe Reader and Microsoft Office which allowed IOA’s to provide unauthorized access to and exfiltration of the main objective, accelerated technologies of the western aerospace industry.

One major discovery, revealed through domain registration records, is the identity of one of the main threat actors, known as cpyy, who had registered the most significant number of C2 domains. Many sub-domains of these domains point to specific areas of interest for Putter Panda. There are distinct attributes relative to Putter Panda’s targeting objectives that include: aerospace companies, satellite and remote sensing technology, and Japanese and European aerospace companies, which leads to the conclusion that future intelligence gathering operations against targets of this nature are expected to continue well into the future.

Procedures

Quite often, the attackers did not take great care in obscuring their IP addresses that were used to compromise systems. As a result, the exposed IP addresses were regionally identified, which allowed security researchers to associate those specific IPs with Shanghai and the Pudong New Area. Oddly enough, those IPs could have easily been obfuscated using domain registration services, who don’t check for accuracy. Although the group did utilize tools to hide their IP addresses, they weren’t used regularly.

Many of the command and control tools used appear to be legitimate sites that have been compromised in some form or fashion. Shockingly, many of the domains used in these attacks have been registered by the operators themselves. This resulted in several of the actors inadvertently exposing their true identities via registering domains with known email addresses.

Several remote access trojans (RATs) were used in the Putter Panda attacks in addition to two different dropper programs, which are malware installers designed to carry viruses, trojans, backdoors, and other types of malicious software. These droppers utilized RC4 cryptographic stream ciphers to encrypt malicious payloads during transit and decryption prior to saving to local disk. Alternative delivery mechanisms included plain text Word documents that contained hidden executables and dynamic link libraries (DLLs), through the use of steganography, which were obfuscated by 16-byte XOR operations. The documents and executables that were written to disk would later be executed via ShellExecute APIs using the verb “open”. Finally, the droppers would delete themselves via batch files in an effort to conceal the attacker’s tracks.

Tools

PUTTER PANDA utilized distinctive TTPs to attack and gain access to targeted networks. A key indicator that a host system is compromised by Putter Panda malware is the discovery of A file mapping named &*SDKJfhksdf89*DIUKJDSF&*sdfsdf78sdfsdf.

The following are the primary tools used throughout attacks on unsuspecting victims^[5].

(4H RAT), remote access trojan that uses HTTP for command and control, obfuscates C2 communications using 1-byte XOR operations, can create remote shells, ability to obtain running process in addition to file and directory structures.
(3PARA RAT), remote access trojan that uses HTTP for command and control, obfuscates C2 communications using 8-byte XOR operations, can sleep for a preprogrammed amount of time.
(PNGDOWNER), a simple download and execute utility that uses HTTP for command and control, deletes C2 communications records, and has no persistence mechanisms.
(HTTPCLIENT), a simple download and execute utility that uses HTTP for its C2 channel, performs connectivity checks, performs HTTP GET requests with obfuscated 1-byte XORed communications returned from C2 sever.
Distinctive connectivity checks to google.com
Use of the HashData API to derive key material for authentication and encryption
Use of the ASEP registry key HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Deployment of space industry-themed and Yoga decoy documents during malware installations
Utilized Remote Access Trojans to move data from compromised systems

The following table summarizes the TTP’s utilized by Putter Panda to exfiltrate data to accelerate China’s aerospace industry.

Reconnaissance	The adversary is associated with several blogs to learn about information technology (IT), networking and IT security. Several photos of satellite dishes and corporations were found on the adversary’s photo gallery indicating surveillance and interest in the industry.
Weaponization	● Much of the malware and RATs were programmed using C++ and Microsoft Visual Studio. ● RC4, a software based stream cipher, was used to decrypt the payload before writing it to disk and executing it.
Delivery	● Phishing scams were the primary method of delivery using fake advertising for Yoga sessions and invitations to satellite demonstrations. ● Use of the HashData API to derive key material for authentication and encryption Deployment of space industry-themed decoy documents during malware installations.
Exploitation	Adobe Reader and Microsoft Office vulnerabilities were exploited to execute embedded malware.
Installation	Droppers were used to install malware and remote access trojans. Fake documents were used to deliver executables which were written to disk and the ASEP registry key.
Command and Control	Remote Access Trojans were utilized for command and control through HTTP connections using GET and POST requests. The RATs allowed full control of victim systems and enabled additional tools to be deployed at will. The HTTP connections also extracted data from compromised systems.
Actions on Objectives	Putter Panda executed espionage campaigns to obtain unquantifiable stolen data from the aerospace organizations. This improves the country’s competitive edge, reduces research and development timelines and insight into strategy and vulnerabilities of the targeted organization.

Employing a sound defensive strategy mitigates many exploitable vulnerabilities and hinders attack operations conducted against the organization’s infrastructure. The following prioritized defensive measures are recommended to protect against attacks such as the Putter Panda espionage campaign.

Defensive Recommendations:

Training

The human factor has always played the role as the weakest link in any IT security strategy that even the most hardened networks cannot seem to defend against; therefore, it’s critical to implement regularly scheduled social engineering awareness training. Social engineering awareness education put employees at the forefront of any defense in depth program by making them the primary firewall to defend against social engineering attacks. Carefully detailed work goes into spear phishing campaigns and attackers know they have the upper hand when dealing with the “HUMAN ELEMENT” in network defense. Experienced criminal hackers are quite talented at exploiting vulnerabilities inherent within human nature.

During the initial stages of attack, footprinting and reconnaissance, criminal hackers have a few avenues they can pursue in order to gain critical information required for a successful incursion. Social engineering awareness education will help mitigate any of the following social engineering attacks:

Spear Phishing Emails and Phone calls.
Tailgating employees into secured facilities while wearing fake ID badges.
(Dumpster Diving) Improper disposal of sensitive documents.
Strategically planted, malware infected USB drives at targeted location.

Criminal hackers today also have easy access to searchable information freely available online to attack organizations, which is especially useful in social engineering attacks including:

IP Addresses of email and web servers.
Domain names (Hosts & Email).
Company contact info (Names, Emails and Phone numbers).
Types of systems to attack (OS type, CPU Type, Version #’s)
- Gathered through social networking and job posting sites such as: LinkedIn, Monster.com, Dice.com, Indeed.com, etc…)

In addition, email and web filtering software can be very useful at blocking malicious content by reducing the number of phishing emails employees receive, thus, reducing the negative impact against employee productivity.

Defense in Depth

It is highly recommended to implement a sound defense in depth strategy. The primary role of defense in depth strategies are not to prevent the attack but rather to slow down the progression of the attack just enough to allow network defenders to act. The benefit to this type of approach is the assemblage of actionable intelligence, which enables network defenders to mount an effective defense. The goal is to increase the difficulty level for the attacker by causing them to invest more time and money into the attack. It’s indicative of an effective defense in depth campaign when the victim’s network becomes a much less attractive target to an attacker over the course of time.

Intrusion Detection Systems

Intrusion detection systems can be used to detect a number of different attack types including buffer overflows, CGI attacks, SMB probes, and OS fingerprinting. Two types of intrusion detection systems are:

Network-Based Intrusion Detection Systems (NIDS)
- Black box placed on network in promiscuous mode listening for patterns indicative of an intrusion.
- Malicious activity detection including: DoS, port scans, or attempts to crack computers through network traffic monitoring.
Host-Based Intrusion Detection Systems (HIDS)
- Event auditing on specific hosts.
- Not common due to overhead incurred by hosts to accommodate monitoring processes.

System Integrity Verifiers

System Integrity Verifiers (SIV) detect changes in critical system components which help in detecting system intrusions. SIVs also compare snapshots of file systems with pre-existing baseline snapshots.

Multihomed Firewalling

Firewalls can be hardware or software designed to prevent unauthorized access, which are usually placed at the junction or gateway in-between two incongruent networks. Firewalls typically concern themselves with specific IOCs that include: IP address (source/destination), protocols, and port numbers. The preferred method of implementation is to use multihomed firewalls with two or more interfaces that further subdivide the network based on specific security end objectives as determined by the organization. Segmentation essentially limits the amount of damage an attacker can deliver to a private network. It is highly recommended to place next generation application firewalls at the perimeter of the network. There are pros and cons to each decision, for instance, next generation firewalls add additional costs while adding increased security.

Honeypot

A Honeypot, which is an information resource that is expressly set up to attract and trap attackers who try to gain unauthorized access into a private network, could be used to learn the motives and objectives of the attackers. Honeypots have no production value, no authorized activity, and as a result, any traffic destined to it would most likely be attacker’s traffic, i.e., probes, attacks, scans, or compromise. Numerous attack metrics can be collected from this type of system setup through attack traffic analysis, which consists, in part, of logged port access attempts and attacker keystroke monitoring. Information garnered from this setup could yield early warning signs of a more concerted attack.

Patch Management

Due to the aggressive nature of Putter Panda and ease of execution for the phishing campaign, the importance of deploying the most up-to-date machine patches is demonstrated. The defender must ensure systems and machines are up-to-date with the latest software and firmware patch. Regarding the Putter Panda attacks, Goodin states, “End users who opened the document on unpatched computers were then infected.”^[6]. Patch management enables a prioritized plan to ensure critical information systems are updated with the most current software to mitigate many exploitable vulnerabilities.

Understanding the baseline infrastructure enables the organization to defend against, detect and recover from attacks. Regularly occurring network scans provide a comparison of the baseline against any changes made between scans. Network scans may discover the file mapping named &*SDKJfhksdf89*DIUKJDSF&*sdfsdf78sdfsdf which indicates the victim machine is compromised with PUTTER PANDA malware.

Other methods of defense can include:

Bastion Host (Additional layer of defense designed to protect network resources):
1. Placed outside the private network in-between the firewall and Internet.
2. Has two interfaces: Public and Private
Screened Subnet (Demilitarized Zone or Additional Zone)
1. Firewalled zone in-between the Private network and Internet (creates buffer).
2. Responds to public requests and no hosts are accessed by private network.
3. Private Zones cannot be access by Internet