           Pitty Tiger Group




                            The Eye of the Tiger




        Credits:                     Ivan FONTARENSKY                           Malware Research
                                     Fabien PERIGAUD                            Reverse Engineering
                                     Ronan MOUCHOUX                             Threat Intelligence
                                     Cedric PERNET                              Threat Intelligence
                                     David BIZEUL                               Head of CSIRT




Public release
Threat Intelligence
                                           “The Eye of the Tiger”                                     Page : 1/58

                         Copyright © 2014 Airbus Defence & Space - All rights reserved
Operation Pitty Tiger – “The Eye of the Tiger”




    EXECUTIVE SUMMARY


                                Operation Pitty Tiger – “The Eye of the Tiger”


      Cyber espionage has been a hot topic through the last years. Computer attacks known as “APT”
      (Advanced Persistent Threat) have become widely reported and emphasized by the media,
      damages are now considered as real and strategic trends are moving in cyber defense.

      AIRBUS Defence & Space – CyberSecurity unit responds to such attacks for its customers every
      day, developing a complete range of solutions.

      Today, we decided to release publicly information on a specific group of APT attackers known as
      “Pitty Tiger”. This information comes directly from investigations led by our Threat Intelligence.

      Pitty Tiger is a group of attackers that have been active since at least 2011. They have targeted
      private companies in several sectors, such as defense and telecommunications, but also at least
      one government.

      We have been able to track down this group of attackers and can provide detailed information
      about them. We were able to collect and reveal their “malware arsenal”. We also analyzed their
      technical organization.

      Our investigations indicate that Pitty Tiger has not used any 0day vulnerability so far, rather they
      prefer using custom malware, developed for the group’s exclusive usage. Our discoveries
      indicate that Pitty Tiger is a group of attackers with the ability to stay under the radar, yet still not
      as mature as other groups of attackers we monitor.

      Pitty Tiger is probably not a state-sponsored group of attackers. They lack the experience and
      financial support that one would expect from state-sponsored attackers. We suppose this group
      is opportunistic and sells its services to probable competitors of their targets in the private sector.

      We have been able to leverage several attackers profiles, showing that the Pitty Tiger group is
      fairly small compared to other APT groups, which is probably why we saw them work on a very
      limited amount of targets.

      At the end of this report, we provide indicators of compromise to help people detect current Pitty
      Tiger attacks.




    Public release
    Threat Intelligence
                                                 “The Eye of the Tiger”                         Page : 2/58

                               Copyright © 2014 Airbus Defence & Space - All rights reserved
Operation Pitty Tiger – “The Eye of the Tiger”




    TABLE OF CONTENT
    EXECUTIVE SUMMARY ..................................................................................................... 2
    TABLE OF CONTENT......................................................................................................... 3
    MODUS OPERANDI: APT ATTACKS ................................................................................ 5
           Reconnaissance phase.......................................................................................................... 5
           Initial compromise .................................................................................................................. 6
           Access strengthening & lateral moves ................................................................................... 6
           Data exfiltration ...................................................................................................................... 7
    “PITTY TIGER” INVESTIGATION CONTEXT .................................................................... 8
    INFECTION METHODS....................................................................................................... 9
           Spear Phishing and weaponized documents ......................................................................... 9
           Direct attacks ....................................................................................................................... 10
    MALWARE INFORMATION .............................................................................................. 12
           Troj/ReRol.A ........................................................................................................................ 12
           PittyTiger RAT ..................................................................................................................... 16
           CT RAT................................................................................................................................ 19
           MM RAT (aka Troj/Goldsun-B) ............................................................................................. 23
           Paladin RAT ........................................................................................................................ 26
           Leo RAT .............................................................................................................................. 28
    INFRASTRUCTURE .......................................................................................................... 30
           Avstore.com.tw .................................................................................................................... 30
           Skypetm.com.tw .................................................................................................................. 32
           Common characteristics between the two domains ............................................................. 35
           Other domains linked with the Pitty Tiger group ................................................................... 36
    VICTIMS ............................................................................................................................ 39
    ATTACKERS ..................................................................................................................... 40
           Attacker’s connections to the c&c ........................................................................................ 40
           “TooT” .................................................................................................................................. 44
           “Cold & Snow”...................................................................................................................... 48
           Roles and organization ........................................................................................................ 48
           Attackers arsenal ................................................................................................................. 49
    ATTRIBUTION .................................................................................................................. 53
    CONCLUSION ................................................................................................................... 56
    INDICATORS .................................................................................................................... 57
           Domains .............................................................................................................................. 57
           Malware hashes................................................................................................................... 57
           Malware Strings ................................................................................................................... 58

    Public release
    Threat Intelligence
                                                               “The Eye of the Tiger”                                             Page : 3/58

                                         Copyright © 2014 Airbus Defence & Space - All rights reserved
Operation Pitty Tiger – “The Eye of the Tiger”




    Public release
    Threat Intelligence
                                              “The Eye of the Tiger”                        Page : 4/58

                            Copyright © 2014 Airbus Defence & Space - All rights reserved
Operation Pitty Tiger – “The Eye of the Tiger”




    MODUS OPERANDI: APT ATTACKS

    APT attacks follow what we call the “APT kill chain”. The kill chain describes briefly the way
    attackers do perform their actions.

    It can be summarized by the following scheme:




          RECONNAISSANCE PHASE

    The reconnaissance phase commences when an attacker selects a new target and involves the
    acquisition of information about that target.

    There is very little information available about this phase, and there is little data about it. The only
    way to collect information about this phase would be to already monitor all attackers’ actions at this
    step, which is hardly feasible.

    The longer the attackers spend time in attempting to understand their target and its online presence,
    the easier it will be to find efficient ways to penetrate that company’s systems.

    This reconnaissance phase is both about finding information to break into the targeted network
    successfully and about searching for data which could help to accelerate sensitive information
    isolation (like the name of a key employee for example).




    Public release
    Threat Intelligence
                                                “The Eye of the Tiger”                        Page : 5/58

                              Copyright © 2014 Airbus Defence & Space - All rights reserved
Operation Pitty Tiger – “The Eye of the Tiger”




    This phase mostly relies on open sources from the Internet: social networks, press releases, white
    papers, corporate websites, search engines, but also on some active tools like vulnerability
    scanners etc.



          INITIAL COMPROMISE

    At this stage, the APT attackers have a solid knowledge of their target and its key employees. The
    attackers have everything they need to start looking for an entry point to the company’s network and
    establish one or several permanent backdoors into the environment.

    The attackers mostly rely on two techniques here to infect one or several computers, usually
    workstations, inside the target’s network: spear phishing and drive-by downloads.

    Spear phishing can be described as targeted e-mail phishing. In a spear phishing scheme, attackers
    send very few e-mails to targeted people. In fact, they can even send just a single e-mail. The trick
    is to target the right victim and provide it with the right content, so that they will click on a link leading
    to drive-by download of a malware, or open an attached file which will infect their computer.

    Some groups of attackers also use “watering hole” techniques to successfully compromise their
    targets. To build a watering hole attack, attackers do compromise the website of a third party,
    generally a supplier of the target, which is typically visited by a specific group of professionals and
    very likely by the target. Every visitor of the compromised third party is then infected. The method
    has one major drawback: it will also infect third parties who visit the website. Attackers have
    developed ways to avoid this. If their reconnaissance phase has been done effectively, they already
    know all IP ranges used by the target company. It just takes a few lines of code in the infecting script
    to only compromise visitors coming from the target IP ranges.

    Direct attacks against servers of the target can also be a way to penetrate the target’s network.



          ACCESS STRENGTHENING & LATERAL MOVES

    Attackers have gained access to one or several machines inside the target’s corporate network.
    They need to install several different backdoors in order to be able to always access the network. In
    case one backdoor falls, there will be others.

    As soon as the attackers are sure they have enough access, they start looking for two things:
    intellectual property (or anything else they want to know or steal) in alignment with predefined
    mission objectives, and a means of privilege escalation to facilitate lateral movement within the
    compromised environment. It generally does not take long before the attackers gain domain
    administrator privileges and dump all the Active Directory content.

    They use lateral moves between machines inside the network, and look for everything they need.
    This step is very hard to detect, since they only use valid credentials and legitimate administration
    tools such as PsExec.




    Public release
    Threat Intelligence
                                                  “The Eye of the Tiger”                         Page : 6/58

                                Copyright © 2014 Airbus Defence & Space - All rights reserved
Operation Pitty Tiger – “The Eye of the Tiger”




            DATA EXFILTRATION

    Data exfiltration is the last step before the attackers loop to the lateral moves step, in a never-ending
    circle of prolonged access and information theft.

    They generally create archive files containing the content they want to exfiltrate, which are then sent
    to the attackers by using a remote administration tool (RAT) or transfer protocols such as FTP and
    HTTP.

    This phase is not the end of an APT attack. The attackers loop to the access strengthening/lateral
    moves stage and generally keep stealing more information and stay inside the network for more
    data gathering.

    For more information about all the APT phases, please refer to our APT Kill Chain blog post serie1.




    1
        http://blog.cassidiancybersecurity.com/tag/APT
    Public release
    Threat Intelligence
                                                 “The Eye of the Tiger”                        Page : 7/58

                               Copyright © 2014 Airbus Defence & Space - All rights reserved
Operation Pitty Tiger – “The Eye of the Tiger”




    “PITTY TIGER” INVESTIGATION CONTEXT
    During our regular investigations on APT cases, one particular variant of malware caught our
    attention, because we had not faced it before. We decided to spend some time to investigate around
    this malware and found out that it was used exclusively by a single group of attackers. This malware
    family is known as “PittyTiger” by the anti-virus research community.

    We discovered this malware sample in June 2014, leading to a command & control (c&c) server still
    in activity.

    Our researches around this particular malware family revealed the “Pitty Tiger” group has been
    active since 2011, yet we found other publications1 which could probably be attributed to the same
    group of attacker back in 20102.

    This group uses other malware and tools during their APT operations, in addition to the PittyTiger
    RAT.

    A variant of the infamous Gh0st RAT dubbed “Paladin” has been used repeatedly by the PT group,
    together with other RATs which seem to be developed exclusively for the PT group: “MM RAT” (aka
    Troj/Goldsun-B), and “CT RAT”. Another variant of Gh0st RAT named “Leo” has been found inactive
    on a c&c server.

    We also found another malware, named “Troj/ReRol.A”. This one is also used by the group to infect
    workstations, collect system information, and install more malware on the infected computer. It acts
    as a first stage downloader and system data collector often used in the initial compromise of the
    Pitty Tiger campaigns, generally embedded in Microsoft Office documents.

    Thanks to server’s misconfigurations, we managed to get information from three c&c servers used
    by this group of attackers, which provided us with insight from the end of 2013 to the beginning of
    July 2014.

    Our investigation has been focused on the data we could get from these c&c servers but also on the
    Pitty Tiger environment.

    This whitepaper aims to expose the view we have on the group, especially on their infrastructure
    and capabilities. We hope this publication will bring further counter analysis from the research
    community to enrich the global common threat knowledge.




    1
     http://nakedsecurity.sophos.com/2012/08/03/poisoned-doc-targeted-malware-attack/
    2
     http://nakedsecurity.sophos.com/2010/06/24/targeted-trident-cyberattack-defence-company/
    Public release
    Threat Intelligence
                                                “The Eye of the Tiger”                        Page : 8/58

                              Copyright © 2014 Airbus Defence & Space - All rights reserved
Operation Pitty Tiger – “The Eye of the Tiger”




    INFECTION METHODS

          SPEAR PHISHING AND WEAPONIZED DOCUMENTS

    Pitty Tiger, like most other APT groups, use spear phishing e-mails extensively in order to gain an
    initial foothold within the targeted environment.

    We have been able to find a spear phishing e-mail crafted by the attackers. This e-mail spoofed the
    identity of an employee of a targeted company:


    From: XXXXXXX
    To: XXXXXXX
    File: 1 Attachment: Bird’s Eye Point of View.doc


    While the holiday season means clustering clustering ‘time for a
    vacation’ for many, there are Those That Will Be of us staying home this
    year. That’s why we’ve Decided to take you on a trip around the world
    from a bird’s eye view of the item! It’s safe to say That MOST of the
    lucky people on vacation Will not see breathtaking sights like these.
    Remember to look down!


    XXXXXX


    The attached file is a Microsoft Office Word document triggering CVE-2014-1761 to infect the
    computer it is sent to:




                          Word document used to infect computers with Troj/ReRol.A

    Public release
    Threat Intelligence
                                                “The Eye of the Tiger”                        Page : 9/58

                              Copyright © 2014 Airbus Defence & Space - All rights reserved
Operation Pitty Tiger – “The Eye of the Tiger”




    While this example looks very “amateur” for a spear phishing attempt, we suppose the group has
    conducted more advanced spear phishing campaigns, based on the fact that we found infected
    Word documents showing content stolen from victims of the group. These documents were infecting
    the system with Troj/ReRol.A malware, which we will detail later in this report.

    This could mean that the Pitty Tiger group is using stolen material as spear phishing content either
    to target other persons in the compromised company, or to target other persons in a competitor’s
    company, or more generally to compromise another target.

    Pitty Tiger also seem to use fake Microsoft Office Excel content, yet we could only find empty
    content delivering once again the Troj/ReRol.A malware.



            DIRECT ATTACKS
    Although we have not been able to find evidences of any attack aimed at exploiting vulnerabilities on
    the group’s targets servers, we have been able to record several vulnerability scanning launched
    from one c&c server straight to the targets.

    The attackers have been using different vulnerability scanners aimed at their targets. While some
    targets have been scanned with “generic” vulnerability scanning tools like HScan or Fluxay and port
    scanners like Nmap, some other targets have been scanned for very specific vulnerabilities, like a
    ZyWALL vulnerability or a FORTINET product.

    We have also been able to testify that the Pitty Tiger group has successfully collected information on
    some of their targets by exploiting the HeartBleed1 bug. This vulnerability which exists on some old
    versions of OpenSSL allows attackers to collect data from chunks of memory from the targeted
    machine. It allowed the Pitty Tiger group to get admin credentials from at least one target, for
    example.




                      Memory data leak from one server – Heartbleed exploit on one of PittyTiger’s targets




    1
        http://heartbleed.com/
    Public release
    Threat Intelligence
                                                    “The Eye of the Tiger”                                   Page : 10/58

                                  Copyright © 2014 Airbus Defence & Space - All rights reserved
Operation Pitty Tiger – “The Eye of the Tiger”




    Running automated vulnerability scanners on whole ranges of IP addresses used by the targets or
    on several domains is a very noisy way to collect information and find server vulnerabilities. We
    would advocate that this method is unwise when you want to stay furtive, and doing it from a c&c
    server is very surprising, to say the least. While the Pitty Tiger group is experienced on some
    aspects on its running APT campaigns, it definitely lacks some maturity here.




    Public release
    Threat Intelligence
                                              “The Eye of the Tiger”                        Page : 11/58

                            Copyright © 2014 Airbus Defence & Space - All rights reserved
Operation Pitty Tiger – “The Eye of the Tiger”




    MALWARE INFORMATION

          TROJ/REROL.A
    One of the favorite methods used by the Pitty Tiger group to infect users is to use a Microsoft Office
    Word document which exploits a specific vulnerability.

    The payload infecting the system is malware known as “Troj/ReRol.A”. It is generally the first step of
    the initial compromise for Pitty Tiger campaigns.

    Exploitation

    We have been able to find one such document1 used by that group of attacker, exploiting CVE-
    2012-0158, an old critical vulnerability impacting Microsoft Office and corrected by Microsoft’s
    MS12-027 fix in April 2012. This vulnerability affects Microsoft Office versions up to Office 2010. We
    also found one RTF document embedding CVE-2014-1761, which is a more recent exploit.

    We discovered several different documents spreading this malware by triggering CVE-2012-0158
    vulnerability, yet we could not share them in this report, since these documents contain information
    about victims of the Pitty Tiger group.

    The discovery of this “old” vulnerability exploitation in June 2014 could mean that the Pitty Tiger
    group has no direct access to 0day exploits, or not enough budgets to buy some. It could also mean
    they use their low range exploit by default because it is working on their targets and is sufficient to
    compromise their workstations.

    The Word document we initially found was probably a “test” document used by the group. When
    opened, it shows a single line written in Chinese language, which can be translated as “Hello!”




                          Microsoft Office Word decoy “test document” used by the Pitty Tiger group

    Installation

    When successfully triggered, the exploit infects the host by dropping and executing a file named
    “svohost.exe”2 in the temporary folder of the currently logged-in user:


    1
     MD5 hash: e70c0479cdb9aa031a263740365e7939
    2
     MD5 hash: 1752aacc08ee0acd58405e9bc10b0dbb
    Public release
    Threat Intelligence
                                                   “The Eye of the Tiger”                             Page : 12/58

                                 Copyright © 2014 Airbus Defence & Space - All rights reserved
Operation Pitty Tiger – “The Eye of the Tiger”




                      C:\DOCUME~1\USER\LOCALS~1\Temp\svohost.exe


    This binary is “Troj/ReRol.A” according to Sophos naming convention1. It immediately triggers
    alarms on our sandbox:




                            Alarms in our sandbox system, triggered by the Troj/ReRol.A malware



    The binary drops a copy of itself in the Application Data folder of the currently logged-in user:




                          Creation of a copy of the Pitty Tiger malware in a user folder in our sandbox



    The malware initiates a communication to time.windows.com to check for connectivity, and then
    communicates with the c&c server at mac.avstore.com.tw.




    1
     http://www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/Troj~Rerol-
       A/detailed-analysis.aspx
    Public release
    Threat Intelligence
                                                    “The Eye of the Tiger”                                Page : 13/58

                                  Copyright © 2014 Airbus Defence & Space - All rights reserved
Operation Pitty Tiger – “The Eye of the Tiger”




                Beginning of an encrypted communication between the Troj/ReRol.A malware and its c&c server



    Very few variants of Troj/ReRol.A are public. The variants we have seen did use that same User-
    Agent:

                      Mozilla/4.0 (compatible;)


    The persistence mechanism used by the malware is the creation of a registry key named “Shell”
    containing the path to the malware on the infected system:

              Key Path: \REGISTRY\USER\<SID>\Software\Microsoft\Windows
              NT\CurrentVersion\Winlogon
              Value Name : Shell
              Value : explorer.exe,C:\DOCUME~1\XXXXXX\APPLIC~1\svohost.exe,


    The payload of this malware is used to collect information on the newly infected host, and send it
    back to the c&c server. It can also download and execute binaries.

    Command & Control

    The data sent in the POST request has a 0x11 bytes header consisting of a fixed-value byte (0xc3)
    followed by a 0x10 bytes encryption key. The data following the header is encrypted using RC4 with
    the previous key. Once the data is deciphered, the last byte of the clear text should also be 0xc3.

    We have been able to decrypt the communications and confirmed what is transmitted to the c&c
    server.

    Public release
    Threat Intelligence
                                                   “The Eye of the Tiger”                            Page : 14/58

                                 Copyright © 2014 Airbus Defence & Space - All rights reserved
Operation Pitty Tiger – “The Eye of the Tiger”




    Here is an anonymized sample of communication showing information collected by the malware:

              HostName :xxx
              UserName :xxx
              SysType :32bit

              Windows 7 Enterprise Service Pack 1 6.1 7601
              Organization:
              Owner:xxx

              --------------Server Info-------------------
              - AdobeARMservice
              - Adobe Acrobat Update Service
              - AeLookupSvc
              - Application Experience
              - AudioEndpointBuilder
              - … (list goes on)

              --------------Soft Info-------------------
                     1   Adobe AIR 4.0.0.1390
                     2   Adobe Shockwave Player 12.0 12.0.9.149
                     3   FileZilla Client 3.7.4.1 3.7.4.1
                     4   Mozilla Thunderbird 24.3.0 (x86 en-US) 24.3.0
                     5   … (list goes on)


              --------------IP Config-------------------
              Adapt Type: Ethernet
              NetCardNum:       11
              NetCard Name:     {XXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX}
              Description :     Realtek RTL8139C+ Fast Ethernet NIC
              MAC-ADDR:         XX-XX-XX-XX-XX-XXX
              IP-Addr:          10.xxx.xxx.xxx
              IP-Mask:          255.255.255.0
              GateWay:          10.xxx.xxx.xxx
              DHCP Serv:        1
              DHCP Host:        10.xxx.xxx.xxx
              WINS Serv:        0
              WINS PriHost:
              WINS SecHost:

                                 Sample information collected by Troj/ReRol.A malware


    This information is very useful for an attacker: it shows all software installed on the system, and
    running services.

    Once this data has been transferred to the c&c server, it responds by sending additional malware to
    execute on the machine.

    The c&c part consists of two files:
       - dr.asp: an ASP frontend instantiating a control, setting some variables, and passing the
          payload.
       - JHttpSrv.dll: a controller which should be registered via “regsvr32”. It exposes 4 methods
          which can be called by the ASP script:
              o SetIP(strIP): sets the bot IP address
              o AddKeyword(strKeyword, strFilePath): binds a keyword to a binary on the server
              o Work(lpByteArray, nDataLength): deciphers the payload, looks for the registered
                  keywords, and writes it to a logfile
              o ResponseBinary(): sends back the binary matching a specific a keyword



    Public release
    Threat Intelligence
                                                 “The Eye of the Tiger”                        Page : 15/58

                               Copyright © 2014 Airbus Defence & Space - All rights reserved
Operation Pitty Tiger – “The Eye of the Tiger”




    The dr.asp registers the following keywords:
       - “SysType :32bit” to the binary “32.exe”
       - “SysType :64bit” to the binary “64.exe”

    These two binaries were no longer available on the server. However, we found various files which
    could have been used as “32.exe” in the past:
       - 3200.exe
       - 322.exe
       - 32m.exe
       - 32mm.exe

    The 322.exe file is a legitimate, Chinese, calc.exe tool. It might have been used by the attackers to
    perform tests.

    The 3 others binaries are RATs, which will be detailed in the next parts.



           PITTYTIGER RAT

    This RAT is the origin of the attackers’ group name. “PittyTiger” is a mutex used by the malware.
    “Pitty Tiger” is also a string transmitted in the network communications of the RAT, as you will see in
    this chapter.

    Installation

    The malware1, when running in our sandbox, triggers the following alarms:




                           Alarms in our sandbox system, triggered by the PittyTiger malware



    The binary drops two files in “C:\Windows\System32”:



    1
        MD5 hash : be18418cafdb9f86303f7e419a389cc9
    Public release
    Threat Intelligence
                                                “The Eye of the Tiger”                         Page : 16/58

                              Copyright © 2014 Airbus Defence & Space - All rights reserved
Operation Pitty Tiger – “The Eye of the Tiger”




                                 Files dropped by the PittyTiger RAT in our sandbox

    The “qmgrxp.exe” binary is a simple copy of the original binary. It drops the “packet64.dll”, and
    injects it in “explorer.exe”. When executed, a mutex called “PittyTiger” is created.

    Persistence is achieved by adding the path to the binary to the WinlogonUserInit key:

              Key Path: \REGISTRY\USER\<SID>\Software\Microsoft\Windows
              NT\CurrentVersion\Winlogon
              Value Name: UserInit
              Value: C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\qmgrxp.exe,


    The “packet64.dll” is the main payload of the RAT. After being injected, it starts sending its Hello
    packet to its c&c server:




                                     Sample communication from PittyTiger RAT




    Public release
    Threat Intelligence
                                               “The Eye of the Tiger”                        Page : 17/58

                             Copyright © 2014 Airbus Defence & Space - All rights reserved
Operation Pitty Tiger – “The Eye of the Tiger”




    Command & Control

    All the requests sent to the c&c contains the string “/FC001/” followed by the bot id. This id consists
    of the infected computer name followed by a dash and the lower word of the disk serial id.

    The data sent is simply encoded using base64, there is no cipher at all. The hello packet, once
    decoded, looks like the following:

                 --------------------------PittyTigerV1.0                           ---------------------
                 --------------                           ^ ^            ----------------------------
                 --------------                             ^            ----------------------------
                 Version:NULL


    Our sample had 3 c&c servers configured:
       - jackyandy.avstore.com.tw:80
       - chanxe.avstore.com.tw:443
       - newb02.skypetm.com.tw:80

    The following commands are implemented:
       - File Download (get) and Upload (put)
       - Screen Capture 8bit (prtsc) and 16bit (prtsc2)
       - Remote Shell (ocmd/ccmd)
       - Configuration update (setserv/freshserv)
       - Direct command execution

    Regarding the controller part, we found two different versions:
       - A Delphi binary handling PittyTiger connections only
       - A .NET binary handling both PittyTiger and CT connections

    The interface handling both Pitty TIGER and CT connections is very interesting. We have been able
    to confirm that the author of those two families of malware is the same person, as will be seen in the
    next chapter about “CT RAT”.




                                            Pitty Tiger RAT – controller part




    Public release
    Threat Intelligence
                                                “The Eye of the Tiger”                           Page : 18/58

                              Copyright © 2014 Airbus Defence & Space - All rights reserved
Operation Pitty Tiger – “The Eye of the Tiger”




           CT RAT

    This remote administration tool is often used by the Pitty Tiger group. We have been able to acquire
    both the client and the server parts.

    We found two instances of the same binary with different names – 32mm.exe and mm32.exe1.

    This RAT seems to be an evolution of PittyTiger, since a specific server binary we found could
    handle both requests from CT and PittyTiger, and was indicated as compatible with PittyTiger.
    Moreover, the same commands are implemented in both RATs.

    Installation

    Unsurprisingly, when running in our sandbox, the RAT triggers the same alarms as PittyTiger:




                                Alarms in our sandbox system, triggered by the CT RAT



    The binary drops two files in “C:\Program Files\Internet Explorer”:




    1
        MD5 hash: f65dc0b3eeb3c393e89ab49a3fac95a8
    Public release
    Threat Intelligence
                                                “The Eye of the Tiger”                        Page : 19/58

                              Copyright © 2014 Airbus Defence & Space - All rights reserved
Operation Pitty Tiger – “The Eye of the Tiger”




                                      Files dropped by the CT RAT in our sandbox

    The “ieupdate.exe” is a simple binary to inject the DLL into “explorer.exe”.

    Persistence is achieved via the following registry key:

              Key Path: \REGISTRY\USER\<SID>\Software\Microsoft\Windows
              NT\CurrentVersion\Windows
              Value Name: load
              Value: c:\PROGRA~1\INTERN~1\ieupdate.exe


    After injection, the RAT sends a first login packet to its c&c:




                             Encrypted communication from a machine infected with CT RAT

    Command & Control

    The RAT communication is performed through HTTP requests. The data is sent encrypted with
    RC4, and base64-encoded. The RC4 key is the Unicode form of the requested URL.

    Public release
    Threat Intelligence
                                                 “The Eye of the Tiger”                        Page : 20/58

                               Copyright © 2014 Airbus Defence & Space - All rights reserved
Operation Pitty Tiger – “The Eye of the Tiger”




    The Login packet contains the following string, after decoding and deciphering:

               Login
               ->C:PC-XXX
               ->U:User-XXX
               ->L:10.10.10.1
               ->S:Microsoft Windows XP Service Pack 3 5.1 2600
               ->M:Nov 13 2013
               ->P:1033


    It contains the computer name, the user name, the internal IP address, the OS version, the RAT
    internal version and the Language ID of the system.

    The RAT can then receive commands from its c&c. Usual RAT features are implemented:
       - File Download (GET) and Upload (PUT)
       - Remote shell (ocmd/ccmd)
       - Configuration update (cfg)
       - Sleep (sleep)

    Version and author(s)

    Regarding the configuration, our sample communicates with “sop.avstore.com.tw”, and contains the
    string “Nov 13 2013”, which should be a version identifier.

    The c&c part is a Windows binary written in .NET. We found 2 versions:
       - Version 2013.10: CT only controller
       - Version 2013.12: CT and PittyTiger controller

    The About form gives the name of the developer(s):




    Public release
    Threat Intelligence
                                                “The Eye of the Tiger”                        Page : 21/58

                              Copyright © 2014 Airbus Defence & Space - All rights reserved
Operation Pitty Tiger – “The Eye of the Tiger”




                                CT controller in action with a testing machine of ours

    The version of the controller which can handle both PittyTiger and CT shows the same author(s):




                                                CT/PittyTiger controller




    Public release
    Threat Intelligence
                                               “The Eye of the Tiger”                        Page : 22/58

                             Copyright © 2014 Airbus Defence & Space - All rights reserved
Operation Pitty Tiger – “The Eye of the Tiger”




    As these screenshots show, the switch between PittyTiger and CT was probably in the last semester
    of 2013.

    The text can be translated, thanks to Google Translate, as:

                 CT console (compatible pittytiger) v1.3
                 2013.12 by Trees and snow


    Further discussion about this author is provided in subsequent sections.


           MM RAT (AKA TROJ/GOLDSUN-B)

    We named this malware “MM RAT” at the beginning of our investigation, before we found an
    existing name for it, “Troj/Goldsun-B” according to Sophos. This is another remote administration
    tool often used by the Pitty Tiger crew. We have been able to acquire both a client and server part
    for it.

    Installation

    The binary we found is named 3200.exe1, and triggers the following alarms in our sandbox:




                          Alarms in our sandbox system, triggered by the Troj/Goldsun-B malware

    The “release.tmp” file is dropped on the system:




    1
        MD5 hash: 728d6d3c98b17de3261eaf76b9c3eb7a
    Public release
    Threat Intelligence
                                                 “The Eye of the Tiger”                           Page : 23/58

                               Copyright © 2014 Airbus Defence & Space - All rights reserved
Operation Pitty Tiger – “The Eye of the Tiger”




                                      File dropped by the malware in our sandbox

    The binary is also copied to the user’s “Application Data” directory, and injects the “release.tmp” file
    in “explorer.exe”.

    Persistence is achieved by adding the path to the binary to the Winlogon Shell key:

                 Key Path: \REGISTRY\USER\<SID>\Software\Microsoft\Windows
                 NT\CurrentVersion\Winlogon
                 Value Name: Shell
                 Value: explorer.exe,C:\DOCUME~1\<UserName>\APPLIC~1\<binary name>,


    The RAT embeds its own DNS server IP addresses to make the c&c domain names resolutions.
    These addresses are listed below:

        -   63.251.83.36
        -   64.74.96.242
        -   69.251.142.1
        -   212.118.243.118
        -   216.52.184.230
        -   61.145.112.78
        -   218.16.121.32

    Command & Control

    It starts resolving its domains after injection, and immediately sends requests. First requests are
    used to check for updates (GET request on /httpdocs/update/update.ini). A Hello packet is then sent:




    Public release
    Threat Intelligence
                                                “The Eye of the Tiger”                        Page : 24/58

                              Copyright © 2014 Airbus Defence & Space - All rights reserved
Operation Pitty Tiger – “The Eye of the Tiger”




                                 Hello packet sent by Troj/Goldsun-B to its c&c server

    The bot then repeatedly sends GET requests on “/httpdocs/mm/<bot_id>/ComMand.sec” to retrieve
    remote commands.
    The communication protocol is quite simple: GET requests are used to receive data from the c&c,
    and POST requests to send data. In POST commands, the CGI name represents the command.

    The following features are implemented:
       - c&c authentication using password
       - Remote shell
       - Remote commands
       - File Download / Upload / Deletion / Search
       - Bot termination

    The following CGI files can be requested by the bot:
       - Vip: test for connectivity
       - Owpp4: register new bot
       - CReply: answer to remote commands
       - Clrf: clear remote file (to clear ComMand.sec after reading)
       - CFile: transmit file (file transfers or answers to commands)
       - Cerr: send error

    The configuration is stored locally in a file called “schmup.sys”. The file is ciphered using RC4, using
    the MD5 hash of “rEdstArs” as the key.

    Our sample uses “mca.avstore.com.tw”, “star.yamn.net” and “bz.kimoo.com.tw” as c&c servers. It
    contains the “1.6.0” version number, and uses the password “9ol.8ik,” to authenticate with the bots.

    Unlike others c&c binaries, the c&c part of this RAT does not have a graphical interface, but can be
    remotely requested to manage the bots. Furthermore, no authentication is required to send
    commands to the c&c (but you need to know the configured password to interact with the bots).

    The management protocol is the same as the bots protocol, with different CGI files:
       - Shutdown: shutdown the c&c
       - Cnor: add a new command for a bot (writes it in “ComMand.sec”)
       - Mlist: get the list of bots
       - Mlist2: write the list of bots to the file “Online.dat”


    Public release
    Threat Intelligence
                                                “The Eye of the Tiger”                        Page : 25/58

                              Copyright © 2014 Airbus Defence & Space - All rights reserved
Operation Pitty Tiger – “The Eye of the Tiger”




    The bots’ answers to remote commands can be retrieved by requesting the “Reply.sec” file (e.g.
    GET /httpdocs/mm/<bot_id>/Reply.sec)

    Network patterns

    These network patterns might ring bells in some researcher’s minds. The network communication
    used by this binary are the same as those used by the Enfal malware, which has been used in the
    past by the Lurid group (APT attackers) and by other threat actors in China1.

    An examination of the code did not reveal code similarities with the Enfal malware. We do not
    currently know why this malware uses the same patterns to communicate.


            PALADIN RAT

    This is another remote administration tool used by the Pitty Tiger group. We have been able to get
    both a client and server part of it.

    Installation

    The binary we found was dropped by a malicious Word document. The following alarms are
    triggered in the sandbox:




                               Alarms in our sandbox system, triggered by the Paladin RAT

    The shellcode contained in the Word file drops the following file, and executes it:
       - C:\Documents and Settings\<User>\Local Settings\Temp\svohost.exe2

    This one drops in turn the following file:




    1
        http://la.trendmicro.com/media/misc/lurid-downloader-enfal-report-en.pdf
    2
        MD5 hash: 0567fd7484efbae502cac279d32ed518
    Public release
    Threat Intelligence
                                                  “The Eye of the Tiger”                        Page : 26/58

                                Copyright © 2014 Airbus Defence & Space - All rights reserved
Operation Pitty Tiger – “The Eye of the Tiger”




                                      File dropped by the malware in our sandbox

    This tmp file is then copied to “C:\Windows\system32\Nwsapagentex.dll” and registered as a service
    called “Nwsapagent”.

    This malware is a variant of the infamous Gh0st RAT1. Our specific sample uses “ssss0” instead of
    the usual “Gh0st” header for network communications.

    Command & Control

    The commands ID used in the communication protocol have also changed, but the features are
    quite the same.

    The configuration is directly embedded in the binary, and deciphered at runtime. Up to 5 c&c servers
    can be configured, but our sample only had one: “ey.avstore.com.tw:53”.

    “EY” could stand for “Ernst & Young”. It would not be very surprising, since a lot of different attack
    groups do use anti-virus vendors or other big company’s names to try to look more legitimate. Pitty
    Tiger is no exception, as detailed later in this report.

    We also found two c&c binaries, claiming to be versions 2.1 and 2.2 of the Paladin RAT controller.
    Version 2.1 answers to the “ssss0” header, while version 2.2 uses the classical “Gh0st” header.




                               Paladin controller used with one of our testing machines



    1
     http://www.mcafee.com/sg/resources/white-papers/foundstone/wp-know-your-digital-enemy.pdf
    Public release
    Threat Intelligence
                                                “The Eye of the Tiger”                        Page : 27/58

                              Copyright © 2014 Airbus Defence & Space - All rights reserved
Operation Pitty Tiger – “The Eye of the Tiger”




                          Paladin has multiple features: file transfer, screenshot, command shell …



          LEO RAT
    Additionally to the Paladin RAT, we found another variant of Gh0st RAT, named “Leo”. Although we
    have found it on a c&c server of the group, there is no evidence that is has been used by the group,
    in opposition to Paladin which is used often by Pitty Tiger.

    Moreover, the built malware we found in the same folder was configured to connect to a local IP
    address, probably for testing purposes.




    Public release
    Threat Intelligence
                                                  “The Eye of the Tiger”                              Page : 28/58

                                Copyright © 2014 Airbus Defence & Space - All rights reserved
Operation Pitty Tiger – “The Eye of the Tiger”




                            Leo malware controller screenshot – a variant of Gh0st RAT




    Public release
    Threat Intelligence
                                              “The Eye of the Tiger”                        Page : 29/58

                            Copyright © 2014 Airbus Defence & Space - All rights reserved
Operation Pitty Tiger – “The Eye of the Tiger”




    INFRASTRUCTURE
    Our investigation has focused on three particular c&c servers used by the group. These c&c servers,
    unlike the other c&cs used by the group, have been misconfigured. Once parsed and dumped, it
    provided us with more insight.

    We found several domains used by the Pitty Tiger group, the most interesting ones being detailed in
    this chapter.

    Pitty Tiger, like other APT attackers, often use anti-virus “familiar names” when registering domains
    or creating subdomains. Some examples can be avstore.com.tw, sophos.skypetm.com.tw,
    symantecs.com.tw, trendmicro.org.tw etc.


            AVSTORE.COM.TW

        WHOIS Data

    The     registration   information   for    this   domain       has    been      the    same   since   2013-06-04:

                 Domain Name: avstore.com.tw
                    Registrant:
                 information of network company
                 longsa longsa33@yahoo.com
                       +86.88885918

                       No.520.spring road.shenyang
                 shanghai, shanghai
                       CN

    This information has been used to register another domain, skypetm.com.tw, which has also been
    used by the Pitty Tiger group.

        Malware families

    Our research also led us to the discovery of four different malware families connected to
    subdomains of avstore.com.tw:

        -    PittyTiger RAT (aka Backdoor:Win32/Ptiger.A)
        -    Troj/ReRol.A
        -    CT RAT
        -    Paladin RAT (variant of Gh0st RAT)




    MD5                                        Family                                   C&C

    Public release
    Threat Intelligence
                                                  “The Eye of the Tiger”                               Page : 30/58

                                Copyright © 2014 Airbus Defence & Space - All rights reserved
Operation Pitty Tiger – “The Eye of the Tiger”




    0d3b3b422044759b4a08a7ad8afe55c7                     Paladin dropper                     ey.avstore.com.tw
    75cf4f853f0f350fac9be87371f15c8d             Exploit:Win32/CVE-2012-2539                mac.avstore.com.tw
    b6380439ff9ed0c6d45759da0f3b05b8                 Troj/ReRol.A dropper                   sop.avstore.com.tw
    5e2360a8c4a0cce1ae22919d8bff49fd                      Troj/ReRol.A
    f65dc0b3eeb3c393e89ab49a3fac95a8
    e7dc3bbe8b38b7ee0e797a0e27635cfa                           CT RAT
    4ce8593c9de2b27b5c389f651c81638b                                                       chanxe.avstore.com.tw
                                                                                         jackyandy.avstore.com.tw
    8df89df484ca5c376b763479ea08d036                         PALADIN
    be18418cafdb9f86303f7e419a389cc9                      Pitty Tiger RAT                jackyandy.avstore.com.tw
                                        MD5 hashes of files linked to avstore.com.tw




                      Links between malware samples, malware families, and avstore.com.tw subdomains




    Public release
    Threat Intelligence
                                                   “The Eye of the Tiger”                               Page : 31/58

                                 Copyright © 2014 Airbus Defence & Space - All rights reserved
Operation Pitty Tiger – “The Eye of the Tiger”




         C&C servers and IP addresses


    Hosting company             Geolocation        IP Range            IP Address         Host                       Time space


    HongkongDingfengxinhuiBgp   Kowloon, Hong      122.10.0.0 –        122.10.48.189      chanxe.avstore.com.tw      Actually in use
    Datacenter                  Kong               122.10.63.255
                                                                                          jackyandy.avstore.com.tw

    Hurricane Electric Inc      Fremont, USA       66.220.0.0 –        66.220.4.100       mac.avstore.com.tw         Actually in use
                                                   66.220.31.255
                                                                                          sop.avstore.com.tw

                                                                                          ey.avstore.com.tw

    New World Telephone LTD     Hong Kong City,    58.64.175.0 –       58.64.175.191      jackyandy.avstore.com.tw   Dec. 2013
                                Hong Kong          58.64.175.255




                                        Avstore.com.tw infrastructure: hosting and subdomains


             SKYPETM.COM.TW

       WHOIS Data
    This domain has shown two different WHOIS entries through time:



    Public release
    Threat Intelligence
                                                       “The Eye of the Tiger”                                     Page : 32/58

                                     Copyright © 2014 Airbus Defence & Space - All rights reserved
Operation Pitty Tiger – “The Eye of the Tiger”




        -    From 2011-12-29 to 2013-01-02 :

            Registrant :chenzhizhong
            Email : hurricane_huang@163.com
            Telephone : +86.2426836910

        -    From 2013-11-21 until today :

            Registrant : long sa
            Email : longsa33@yahoo.com
            Telephone : +86.88885918

    The most recent registration information is also used for avstore.com.tw.

        Malware families

    Six malware families have been identified as communicating with subdomains of skypetm.com.tw:

        -    MM RAT
        -    Pitty Tiger RAT
        -    Troj/ReRol.A
        -    CT RAT
        -    Paladin
        -    Exadog

                     MD5                                     Malware family                          C&C server
    81fa811f56247c236566d430ae4798eb                            MM RAT                          ms11.skypetm.com.tw
    55e456339936a56c73a7883ea1ddb672                     Backdoor:Win32/Ptiger.A               botemail.skypetm.com.tw
    d5da60d678d5a55a847e1e6723c7a4d0                     Backdoor:Win32/Ptiger.A                 aniu.skypetm.com.tw
    0750569cf1733d4fbb01169476387cc2                     Backdoor:Win32/Ptiger.A                 aniu.skypetm.com.tw
                                                                                                zeng.skypetm.com.tw
    abb0abfab252e4bfb9106273df3c1c2                      Backdoor:Win32/Ptiger.A                 aniu.skypetm.com.tw
                                                                                                zeng.skypetm.com.tw
    c0656b66b9f4180e59e1fd2f9f1a85f2                           Troj/Rerol.A                     zeng.skypetm.com.tw
    ce15fa3338b7fe780e85c511d5e49a98                           Troj/Rerol.A                     zeng.skypetm.com.tw
    8a54adb3976d1c03605656ca55be7400                     Backdoor:Win32/Ptiger.A                super.skypetm.com.tw
    a1ea6dc12b983c7262fe76c1b3663b24                     Backdoor:Win32/Ptiger.A                qinoo.skypetm.com.tw
    b6380439ff9ed0c6d45759da0f3b05b8                       Troj/Rerol.A dropper                sophos.skypetm.com.tw
    5e2360a8c4a0cce1ae22919d8bff49fd                           Troj/ReRol.A                    sophos.skypetm.com.tw
    79e48961d1ee982a466d222671a42ccb                           Troj/ReRol.A                    sophos.skypetm.com.tw
    4ab74387f7a02c115deea2110f961fd3                             ReRol.A                       sophos.skypetm.com.tw
    bf95e89906b8a17fd611002660ffff32                           Troj/ReRol.A                    sophos.skypetm.com.tw
    CONTAINS VICTIM INFORMATION                     Office Word file - Rerol.A dropper         sophos.skypetm.com.tw
    4ce8593c9de2b27b5c389f651c81638b                             CT RAT                        newb02.skypetm.com.tw
    8df89df484ca5c376b763479ea08d036                             Paladin                       newb02.skypetm.com.tw
    22e47c5e3809a4150d0db7fc99a68cc0                    Office Excel file – Rerol.A             margo.skypetm.com.tw
                                                                 dropper
    dd87c68c1e71bb104a48a6be87a2349f                     Backdoor:Win32/Ptiger.A                ripper.skypetm.com.tw
    068870c2c165a1d29fc2f3d3edfed3ae                        Win32/Exadog.AA                       link.skypetm.com.tw
    Unknown                                              Backdoor:Win32/Ptiger.A                 asdf.skypetm.com.tw


    Public release
    Threat Intelligence
                                                 “The Eye of the Tiger”                                 Page : 33/58

                               Copyright © 2014 Airbus Defence & Space - All rights reserved
Operation Pitty Tiger – “The Eye of the Tiger”




                                   Skypetm.com.tw infrastructure: subdomains and malware linked to it



    Hosting Company       Geolocalisation        IP Range            IP Address          C&C server                Timeline


    Take 2 Hosting Inc.   San Jose, USA          173.252.192.0 -     173.252.198.103     newb02.skypetm.com.tw     Actually in use
                                                 173.252.255.255

    Hurricane Electric    Fremont USA            66.220.0.0 -        66.220.4.100        sophos.skypetm.com.tw     Actually in use
    Inc.                                         66.220.31.255

    Taiwan Academic       Taipei, Taiwan         210.60.0.0 -        210.60.141.45       botemail.skypetm.com.tw   2012-03-06
    Network                                      210.60.255.255

    Gorillaservers Inc.   Los Angeles, USA       198.100.96.0 -      198.100.121.15      sophos.skypetm.com.tw     ?
                                                 198.100.127.255

    Gorillaservers Inc.   Los Angeles, USA       198.100.96.0 -      198.100.121.15      margo.skypetm.com.tw      2013-11-22
                                                 198.100.127.255

    Webnx Inc.            Los Angeles, USA       216.18.192.0 -      216.18.208.4        botemail.skypetm.com.tw   2013-04-04/2013-
                                                 216.18.223.255                                                    12-16

    Webnx Inc.            Los Angeles, USA       216.18.192.0 -      216.18.208.4        qinoo.skypetm.com.tw      ?
                                                 216.18.223.255

    Data                  Taipei, Taiwan         59.112.0.0 -        59.120.84.230       botemail.skypetm.com.tw   2012-03-12/2012-
    Communication                                59.123.255.255                                                    04-28
    Business Group

    Data                  Taipei, Taiwan         211.75.128.0 -      211.75.195.1        super.skypetm.com.tw      2011-08-30/2013-
    Communication                                211.75.255.255                                                    12-16
    Business Group




    Public release
    Threat Intelligence
                                                             “The Eye of the Tiger”                                     Page : 34/58

                                           Copyright © 2014 Airbus Defence & Space - All rights reserved
Operation Pitty Tiger – “The Eye of the Tiger”




    Data              Taipei, Taiwan         61.220.0.0 -          61.220.44.244     aniu.skypetm.com.tw    2013-04-05/2013-
    Communication                            61.227.255.255                                                 12-16
    Business Group

    Data              Taipei, Taiwan         61.220.0.0 -          61.220.44.244     zeng.skypetm.com.tw    ?
    Communication                            61.227.255.255
    Business Group

    Data              Taipei, Taiwan         61.220.0.0 -          61.220.209.17     qinoo.skypetm.com.tw   ?
    Communication                            61.227.255.255
    Business Group

    New World         Hong Kong City,        113.10.169.0 -        113.10.169.162    margo.skypetm.com.tw   Actually in use
    Telephone Ltd.    Hong Kong              113.10.169.255

    New World         Hong Kong City,        58.64.185.0 -         58.64.185.200     zeng.skypetm.com.tw    2013-12-16/2013-
    Telephone Ltd.    Hong Kong              58.64.185.255                                                  12-16

    New World         Hong Kong City,        113.10.240.0 -        113.10.240.54     qinoo.skypetm.com.tw   ?
    Telephone Ltd.    Hong Kong              113.10.240.255

    New World         Hong Kong City,        113.10.221.0 -        113.10.221.126    zeng.skypetm.com.tw    ?
    Telephone Ltd.    Hong Kong              113.10.221.255

    New World         Hong Kong City,        113.10.240.0 -        113.10.240.50     link.skypetm.com.tw    2012-12-21/2013-
    Telephone Ltd.    Hong Kong              113.10.240.255                                                 12-16

    Asia Data (hong   Hong Kong City,        101.1.17.0 -          101.1.25.74       zeng.skypetm.com.tw    Actually in use
    Kong) Limited     Hong Kong              101.1.31.255

    Isp Satellite     Hong Kong City,        202.174.130.0 -       202.174.130.110   ms11.skypetm.com.tw    2011-02-27/2013-
    Broadband         Hong Kong              202.174.130.255                                                12-16
    Provider

    Jeongkyunghee     Anyang, South          221.144.0.0 -         221.150.164.114   link.skypetm.com.tw    2011-06-29/2012-
                      Korea                  221.168.255.255                                                12-18




             COMMON CHARACTERISTICS BETWEEN THE TWO DOMAINS
          Malware families and samples

    Avstore.com.tw and skypetm.com.tw have 4 malware families in common, communicating to
    subdomains of both domains:




    Public release
    Threat Intelligence
                                                            “The Eye of the Tiger”                               Page : 35/58

                                       Copyright © 2014 Airbus Defence & Space - All rights reserved
Operation Pitty Tiger – “The Eye of the Tiger”




             Links between malware samples, IP addresses and c&cs associated to avstore.com.tw and skypetm.com.tw




          OTHER DOMAINS LINKED WITH THE PITTY TIGER GROUP

    Domain                    Shares         with                             Comment

    paccfic.com               Whois          acers.com.tw,
                              information    foxcom.com.tw,
                                              dopodo.com.tw,
                                             stareastnet.com.tw


    webconference.com.tw      Whois          techsun.com.tw
                              information




    Public release
    Threat Intelligence
                                                     “The Eye of the Tiger”                           Page : 36/58

                                   Copyright © 2014 Airbus Defence & Space - All rights reserved
Operation Pitty Tiger – “The Eye of the Tiger”




                          IP Address     techsun.com.tw,
                                         trendmicro.org.tw



    stareastnet.com.tw    Whois          acers.com.tw,                     Two PittyTiger malware and a CT RAT have been
                          information    foxcom.com.tw,                    pointing to several stareastnet.com.tw subdomains.
                                         dopodo.com.tw,
                                         paccfic.com
                          IP Address     dopodo.com.tw,
                                         foxcom.com.tw,
                                         kimoo.com.tw,
                                         symantecs.com.tw
    symantecs.com.tw      Whois          trendmicroup.com                  A pittytiger dropper, a Paladin malware and a CT RAT have been
                          information                                      pointing to several symantecs.com.tw subdomains.
                          IP Address     dopodo.com.tw,
                                         foxcom.com.tw,
                                         kimoo.com.tw,
                                         stareastnet.com.tw,
                                         wmdshr.com,
                                         trendmicro.org.tw
    trendmicroup.com      Whois          symantecs.com.tw
                          information




    trendmicro.org.tw     Whois          Skypetm.com.tw,                   A paladin and a PittyTiger malware have been pointing to several
                          information    avstore.com.tw                    trendmicro.org.tw subdomains.
                          IP Address     webconference.com.tw,
                                         techsun.com.tw,
                                         skypetm.com.tw,
                                         kimoo.com.tw,
                                         symantecs.com.tw,
                                         hdskip.com
    lightening.com.tw     Whois          helosaf.com.tw,                   Paladin and PittyTiger samples has been pointing to several
                          information    seed01.com.tw                     lightening.org.tw subdomains.
                          IP Address     seed01.com.tw,
    techsun.com.tw        Whois          webconference.com.tw
                          information
                          IP Address     webconference.com.tw,
                                         trendmicro.org.tw
    dopodo.com.tw         Whois          acers.com.tw,
                          information    foxcom.com.tw,
                                         stareastnet.com.tw
                          IP Address     stareastnet.com.tw,
                                         symantecs.com.tw,
                                         kimoo.com.tw
    foxcom.com.tw         Whois          acers.com.tw,
                          information    dopodo.com.tw,
                                         stareastnet.com.tw
                          IP Address     stareastnet.com.tw,
                                         symantecs.com.tw,
                                         kimoo.com.tw
    acers.com.tw          Whois          acers.com.tw,
                          information    foxcom.com.tw,
                                         stareastnet.com.tw
                          IP Address     symantecs.com.tw,
                                         wmdshr.com,
                                         kimoo.com.tw

                                        Links between domains used by Pitty Tiger




    Public release
    Threat Intelligence
                                                  “The Eye of the Tiger”                                     Page : 37/58

                               Copyright © 2014 Airbus Defence & Space - All rights reserved
Operation Pitty Tiger – “The Eye of the Tiger”




                          Timeline of Pitty Tiger domains registration information, based on e-mail address

    Some domains registered by the group are very old. There is an increase in the registrations from
    2010 on. All the e-mail addresses used are connected to the Pitty Tiger group.




    Public release
    Threat Intelligence
                                                      “The Eye of the Tiger”                                  Page : 38/58

                                    Copyright © 2014 Airbus Defence & Space - All rights reserved
Operation Pitty Tiger – “The Eye of the Tiger”




    VICTIMS
    Mapping the victims of such a targeted campaign is not an easy task.

    We have found the Pitty Tiger group to be very active against one particular private company from
    the defense industry and one academic network of a government, , yet we think it was done to be
    used as a proxy for some of the group’s operations.

    We have also found some connections from other companies to the c&c servers, yet we did not find
    evidence that they were real victims.

    These alleged victims do work in different sectors and are located mostly in European countries.

           1 company from the defense industry;
           1 company from the energy industry;
           1 company from the telecommunications industry;
           1 company specialized in web development.

    It might be surprising to see a company specialized in web development here, yet it has built
    websites for interesting potential targets. We suspect Pitty Tiger to use this compromise to spear
    phish other companies which are in commercial relation with this web development company.

    We have to mention that we only had access to three of the several attackers’ servers. Therefore,
    we suppose the Pitty Tiger group could have more targets than what we could confirm.

    We also found a lot of vulnerability scanners launched by the attackers at different targets, yet there
    was no sign of compromise.

    During the course of our investigations, we discovered a RAR archive on the attacker’s server
    containing 5 Word documents and one small C source code. These documents belong to the
    defense company which has been compromised. According to the name of the files and the general
    feel of the archive, we do think it was extracted by the attackers to “show” someone what kind of
    data they could get from the compromise of that particular target. The documents were still
    exhibiting comments from various users, showing it was an ongoing work and not old documents.

    Interestingly enough, we saw a part of these documents appear on Virus-Total, with an additional
    “gift” from the attackers, a payload dropping a malware.

    There are only two options we can think of here:
        Someone from the same company has been targeted with this document.
        Someone from another company has been targeted with this document. This other company
           could be a partner or competitor.

    Since we were unable to determine the intended use of this specific document, we can only suppose
    that it could be used to provide commercial advantages to competitors of that company, or used by
    a foreign state.




    Public release
    Threat Intelligence
                                                “The Eye of the Tiger”                        Page : 39/58

                              Copyright © 2014 Airbus Defence & Space - All rights reserved
Operation Pitty Tiger – “The Eye of the Tiger”




    ATTACKERS
    During our investigation, we found out interesting information about the Pitty Tiger group itself. After
    analyzing the various collected elements, we have tried to draw a portrait of this particular threat.


          ATTACKER’S CONNECTIONS TO THE C&C

    We have been able to get all the RDP connections logs to one c&c server:

                     COMPUTER NAME              OCCURENCES IP ADDRESSES COUNTRY
                                                                         23.226.178.162             USA
                                                                          27.155.90.80              China
                                                                         27.155.110.81              China
                                                                         27.156.49.223              China
                                                                          58.64.177.60            Hong Kong
                                                                          59.53.91.33               China
                                                                         103.20.192.11            Hong Kong
                     50PZ80C-1DFDCB8                     65              110.90.60.250              China
                                                                          110.90.61.69              China
                                                                         110.90.62.185              China
                                                                         120.32.113.97              China
                                                                         120.32.114.209             China
                                                                         121.204.33.130             China
                                                                         121.204.33.153             China
                                                                         183.91.52.230            Hong Kong

                                                                          27.151.0.224              China
                                                                         27.155.109.89              China
                           FLY-THINK                     11
                                                                         121.204.88.120             China
                                                                         120.32.114.139             China
                          TIEWEISHIPC                     2              27.16.139.143              China
                           CHMXY-PC                       1                58.61.40.5               China
     RDP connections from attackers machines to one particular c&c, from beginning of April 2014 to beginning of July 2014

    These connections are either VPS or dynamic IP addresses, mostly from China.

    A computer named CHMXY-PC connected to the c&c via RDP with IP address 58.61.40.5. The IP is
    in an ADSL dynamic pool in the Gangzhou area (Guangdong province):




    Public release
    Threat Intelligence
                                                    “The Eye of the Tiger”                                  Page : 40/58

                                  Copyright © 2014 Airbus Defence & Space - All rights reserved
Operation Pitty Tiger – “The Eye of the Tiger”




                                          IP address used by CHMXY-PC

    A few connections to the c&c were done by a computer named TIEWEISHIPC with IP address
    27.16.139.143. This IP address belongs to an ADSL dynamic pool in the Wuhan area (Hubei’s
    provincial capital).




                                   IP address used by TIEWEISHIPC computer

    Some connections to the c&c originated from a computer named FLY-THINK with several IP
    addresses, all located in Fuqing (Fujian province). The IP addresses are in an ADSL dynamic pool:


    Public release
    Threat Intelligence
                                              “The Eye of the Tiger”                        Page : 41/58

                            Copyright © 2014 Airbus Defence & Space - All rights reserved
Operation Pitty Tiger – “The Eye of the Tiger”




                                  IP addresses used by the FLY-THINK machine



    Most of the connections to the c&c server were coming from a computer named 50PZ80C-
    1DFDCB8 with several IP addresses. There are 11 IP addresses from Chinese dynamic ADSL
    ranges: 9 from Fuqing (Fujian province), one from Fuzhou (Fujian’s province capital) and one from
    Nanchang (Jiangxi’s province capital). The last one came from a VPS instance located in Los
    Angeles (California, USA) but purchased by a China based VPS provider XeVPS which belong to
    the AS38197 (Sun Network Hong Kong Limited).




                              IP addresses used by the 50PZ80C-1DFDCB8 machine


    Public release
    Threat Intelligence
                                              “The Eye of the Tiger”                        Page : 42/58

                            Copyright © 2014 Airbus Defence & Space - All rights reserved
Operation Pitty Tiger – “The Eye of the Tiger”




    The two computers FLY-THINK and 50PZ80C-1DFDCB8 have used distinct IP addresses to
    connect to the c&c, yet some of these IP addresses come from the same IP range:




                          IP ranges overlapping between two machines used by the attackers

    We mapped these RDP connections to have a graphical view:




    Public release
    Threat Intelligence
                                               “The Eye of the Tiger”                        Page : 43/58

                             Copyright © 2014 Airbus Defence & Space - All rights reserved
Operation Pitty Tiger – “The Eye of the Tiger”




                                     RDP connections from the attackers to one c&c server


          “TOOT”

    We found that a member of this group of attackers used some tools on his own system, for testing
    purposes. This information was still available when we got access to the c&c server.

    He launched some tests with the CT RAT we exposed earlier:




                          User “Toot” logging on the CT RAT on machine “toot-2a601225a8”, 2014/02/10




    Public release
    Threat Intelligence
                                                     “The Eye of the Tiger”                            Page : 44/58

                                   Copyright © 2014 Airbus Defence & Space - All rights reserved
Operation Pitty Tiger – “The Eye of the Tiger”




                          User “Toot” logging on the CT RAT on machine “toot-2a601225a8”, 2014/04/09




                          User “Toot” logging on the CT RAT on machine “toot-2a601225a8”, 2014/04/09



    Here we can see a user “Toot” from a machine named “toot-2a601225a8” logging in the CT RAT
    and executing some commands. The c&c IP address, 198.100.113.27, can be seen there. Other log
    files showed that “Toot” is using virtual machines for his tests.

    We can also see the system: Microsoft Windows XP SP3. The “P” field is the language ID.


    Public release
    Threat Intelligence
                                                     “The Eye of the Tiger”                            Page : 45/58

                                   Copyright © 2014 Airbus Defence & Space - All rights reserved
Operation Pitty Tiger – “The Eye of the Tiger”




    1028 means “Chinese traditional”. We have also seen tests run by “toot” with a language ID of 2052,
    which is “Chinese simplified”.

    The “M” field is probably used for versioning. It is a hardcoded string in the binary.

    After these tests, we could see some real connections to a victim using this RAT. Here is a follow-up
    of the commands launched by the bot controller, in a standard command-line shell:

    Command                                       Effect
    cd\temp                                       Folder change
    Dir                                           Lists the content of the folder. The
                                                  attacker here is probably looking for his
                                                  tools and does not remember if they
                                                  are there or in system32.
    cd\windows\system32                           Folder change
    dir tools*                                    Looking for tools.exe, a tool to fetch
                                                  different kind of credentials on the
                                                  system
    tools                                         The attacker wants to see what the
                                                  options are for the tool.
    tools –all                                    Tools.exe is launched.
                                                  At this point, the output shows the
                                                  attackers only gets successfully one
                                                  MSN credential in clear text, login and
                                                  password, and one Microsoft Outlook
                                                  credential.
    type iecache.txt                              Shows the Internet Explorer cache to
                                                  the attacker. The output is huge.
    dir cmd.exe                                   Looking for cmd.exe
    del tools.exe                                 Remove the tools.exe after its use
    dir tools.exe                                 Checks to see if it has been
                                                  successfully deleted
    del iecache.txt                               Removes the IE cache log file.
    regedit -e 1.reg                              Dumps the content of this key to a file
    "HKEY_CURRENT_USER\Software\Microsoft\Windows named 1.reg
    NT\CurrentVersion\Windows"
    type 1.reg                                    Checks if dump has been successful.
    del 1.reg                                     Deletes the dump
    regedit -e v1.reg                             Do it again, we do not know why the
    "HKEY_CURRENT_USER\Software\Microsoft\Windows attacker does this the output is the
    NT\CurrentVersion\Windows"                    same as for previous regedit command
    type v1.reg                                   Checks the dump again
    dir *.reg                                     Looking for traces left in this folder
    del v1.reg                                    Deletes the one *.reg file left.
    del c:\windows\system32\mfqtirq.exe           Removes a binary used in the attack
    del c:\windows\system32\crupalo.dll           Removes a binary used in the attack
    dir c:\windows\system32\mfqtirq.exe           Checks      if   removal      has      been
                                                  successfull
    dir c:\windows\system32\crupalo.dll           Checks      if   removal      has      been

    Public release
    Threat Intelligence
                                                 “The Eye of the Tiger”                        Page : 46/58

                               Copyright © 2014 Airbus Defence & Space - All rights reserved
Operation Pitty Tiger – “The Eye of the Tiger”




                                                                           successfull
    tasklist                                                               Displays the list of applications and
                                                                           services for all tasks running on the
                                                                           computer
    tasklist >1.txt                                                        Stores the output of the previous
                                                                           command in 1.txt
    type 1.txt                                                             Checks the content
    del 1.txt                                                              Removes the content
    net start                                                              Lists all services running on the
                                                                           machine
    dir mailpv*                                                            Looks for “MailPass View”, a tool to
                                                                           extract e-mail passwords from various
                                                                           e-mail clients
    mailpv /stext 1.txt                                                    Launches MailPass View and requests
                                                                           the output to be generated as a text file
                                                                           named 1.txt
    type 1.txt                                                             Looks for the content :
                                                                                One MSN login/password
                                                                                One login/password for a POP3
                                                                                   e-mail account related to the
                                                                                   targeted entity
    del mailpv.exe 1.txt                                                   Deletes both files
    dir iepv*                                                              Looks for “IE PassView” tool, to extract
                                                                           passwords from Internet Explorer.
                                                                           Public domain.
    iepv /stext 1.txt                                                      Launches the tool, output is a text file
                                                                           named 1.txt
    type 1.txt                                                             Looks for the output: none
    del iepv.exe 1.txt                                                     Deletes both files

    The attacker goes on like this, using his tools, and then ends the communication with this RAT on
    that computer.

    Please note that at this point, the attacker has at least the privileges of a local administrator, since
    he is allowed to write content in the system32 folder of a Windows XP system. He could also gain
    the credentials to a sensitive e-mail account.

    In addition to all information already shown, we saw Toot connect to an account on a cloud service
    named “Baidu Drive”. The e-mail address linked to this account is dyanmips@qq.com (QQ-ID:
    2589315828). We could find traces of two other e-mail accounts associated to Toot,
    cisco_dyanmips@qq.com (QQ ID: 204156335) and cisco_dynamips@qq.com (QQ ID:
    1878836793).

    We did not find more information about user “Toot”, yet we miss Chinese language capabilities.




    Public release
    Threat Intelligence
                                                “The Eye of the Tiger”                             Page : 47/58

                              Copyright © 2014 Airbus Defence & Space - All rights reserved
Operation Pitty Tiger – “The Eye of the Tiger”




          “COLD & SNOW”
    The controller part of CT RAT/PittyTiger RAT revealed the following “about” information, once
    translated from Chinese to English language:

                 CT console (compatible pittytiger) v1.3
                 2013.12 by Trees and snow


    We believe this translation of the author’s name might not be accurate due to the use of automated
    translation tools. Moreover, we have strong suspicions that there is not a single individual
    nicknamed “Trees and snow” but rather two programmers nicknamed “Trees” and “Snow”. “Trees”
    could also be “Cold”. We noticed that the symbol for this word is translated differently according to
    the context it is used in. Once again, we lack Chinese language skills.

    We identify the two nicknames on the current campaign as Automn Snow (秋雪) and Cold Air Kiss (
    风吻寒).

    While we are confident that these people are indeed the developers of both PittyTiger and CT RAT
    malware, we are not sure they belong to the PittyTiger group. These developers might just have
    been hired to develop these RATs. They might also just be selling it to the PittyTiger group. There is
    no trace of usage from other attacking groups, we believe the PittyTiger RAT is exclusively used by
    this group of attackers.



          ROLES AND ORGANIZATION
    According to indicators we gathered and threat activities profiling we have some hypothesis on the
    way the group is conducting its operations.

    We have strong evidence of a bot operator position. We identify one nickname for this position, the
    user known as TooT. As we did not see other nickname, we think that TooT is one person and not a
    group of persons.

    We also identified a malware development position. We identified two nicknames for this position on
    the current campaign, Automn Snow (秋雪) and Cold Air Kiss ( 风吻寒). Yet we are unsure that they
    belong to the group, they might just be a third party providing or selling their malware.

    We have a strong suspicion of a coordinator position, which coordinates the bot operator, provides
    him with some logistics support (weaponized document, tools…) and reviews the programmers
    work. This position could imply a communication channel with another manager.
    We named this position ‘Chen’, in relation with several references of this common Chinese name in
    c&c WHOIS and other investigation materials.

    We have some suspicion of a customer relationship manager position that may act as an interface
    between a customer and Chen. We named this position ‘Lilly’.




    Public release
    Threat Intelligence
                                                “The Eye of the Tiger”                        Page : 48/58

                              Copyright © 2014 Airbus Defence & Space - All rights reserved
Operation Pitty Tiger – “The Eye of the Tiger”




                                         Proposal for PittyTiger team structure


          ATTACKERS ARSENAL
    The c&c servers used by the attackers revealed a lot of interesting files stored in various folders:

    Filename                    Description                                                   Public tool ?
    32m.exe    /   3200.exe   / MM RAT                                                        No
    ieupdate.exe / insert.exe /
    khuvaxu.exe
    32mm.exe / mm32.exe         CT RAT                                                        No
    322.exe                     Chinese version of calc.exe, probably for                     Yes
                                testing purposes
    client.exe                  File transfer tool, via pipes                                 No
    CP.exe/CP_sep.exe           Microsoft Outlook dumper                                      No
    CT.exe                      Controller for CT RAT (2013.10)                               No
    ct1.exe                     Controller for both CT RAT and PittyTiger RAT                 No
    Diruse.exe                  Tool to display disk usage for a directory tree               Yes
    GlobalWind.exe              Controller for Pitty Tiger                                    No
    gsec1.exe                   GSecDump password dumper                                      Yes
    http.exe/wsup.exe           Controller for MM RAT                                         No


    Public release
    Threat Intelligence
                                                “The Eye of the Tiger”                          Page : 49/58

                              Copyright © 2014 Airbus Defence & Space - All rights reserved
Operation Pitty Tiger – “The Eye of the Tiger”




    km.exe                              “Toyi” keylogger                                       No
    logreader.exe                       Tool to decrypt the km.exe keylogger data              No
    Mailpv.exe                          “Mail PassView” tool, to extract e-mail                Yes
                                        passwords from various e-mail clients.
    Netpass.exe                         “Network Password Recovery” tool, to extract           Yes
                                        network passwords.
    iepv.exe /iepv-jiake.exe            “IE PassView” tool, to extract passwords from          Yes
                                        Internet Explorer.
                                        The file iepv-jiake.exe is the same, but crypted
                                        using a tool named DarkCrypt (DarkCrpt).
    routerpass.exe                      “Router PassView” tool, to extract credentials         Yes
                                        in some router backup files.
    pstpass.exe                         “PstPassword” tool, to extract Outlook’s PST           Yes
                                        files passwords.
    vncpass.exe                         “VNCPassView” tool, to extract passwords               Yes
                                        stored by the VNC tool.
    rdpv.exe                            “Remote Desktop PassView” tool, to extract             Yes
                                        the passwords from .RDP files.
    lookpass.exe                        Password revealer.                                     Yes
    tools.exe, res.exe                  Multi             password              dumper:        No
                                        RDP,VNC,IE,ProtectedStorage,MSN,Wireless,
                                        etc.
    p2012.exe                           Controller for Paladin 2.1                             No
    p.exe                               Controller for Paladin 2.2                             No
    po.exe                              TCP Tunneling tool.                                    No
    pp.exe                              Controller for Paladin 2.1                             No
    pr.exe                              Dotpot port scanner.                                   Yes
    rar.exe                             Rar archiving tool, command-line version.              Yes
    sff.exe                             File-searching tool to hunt for doc,txt,mdb,           No
                                        sec,eml,vsd,ppt,pps,dbx (SearchFile).
    ssql.exe                            MySQL scanner.                                         No
    w7ij32.exe                          Windows 7 DLL injector.                                No
    ToyI.dll                            Keylogger. Can be used with w7ij32.exe                 No
    winspre.exe                         Troj/ReRol.A                                           No
    dr.asp                              Front-end for Troj/ReRol.A.                            No
    sk.exe                              Snake’s SkServer.                                      Yes
    Fluxay5Beta1                        Vulnerability scanner                                  Yes
    feitafanghuoqiang                   Fortinet vulnerability scanner                         No
    Hscan1.2                            Vulnerability scanner                                  Yes
    mimi.exe, mimikaz64.exe             Mimikatz password dumper                               Yes
    o2scan                              Vulnerability scanner                                  Yes
    Openssl                             Heartbleed Exploit                                     Yes
    X-Scan-v3.3                         X-Scan vulnerability scanner                           Yes
    8uFTP                               FTP client                                             Yes
    NcFTP                               FTP client                                             Yes
    SEPM exploit                        Remote command execution exploit on                    Yes
                                        Symantec Endpoint Protection Manager (CVE-
                                        2013-5014, CVE 2013-5015)

    Public release
    Threat Intelligence
                                                 “The Eye of the Tiger”                         Page : 50/58

                               Copyright © 2014 Airbus Defence & Space - All rights reserved
Operation Pitty Tiger – “The Eye of the Tiger”




    s.exe                                   PHP Scanner                                                 No
    Shanian Port Scanner                    Port scanner                                                Yes

    This is quite the usual arsenal for a group of APT attackers:

           Malware (Troj/ReRol.A)
           Remote Administration Tools (MM RAT, CT RAT, Pitty Tiger, Paladin)
           E-mail espionage tools (cp.exe, mailpv.exe)
           Passwords dumpers (gsecdump, NirSoft tools, Mimikatz etc.)
           Network scanners (pr.exe)
           Network-oriented tools (po.exe)
           Vulnerability scanners (ssql.exe, Fluxay, etc.)

    What is rare to find is the controller part of those tools. We have been lucky enough to get the
    controller part of Pitty Tiger and CT RAT, and even to get a kind of hybrid controller made for CT
    RAT but also supporting Pitty Tiger. We suppose that the CT RAT is the new evolution of Pitty Tiger
    and that it will replace Pitty Tiger in the following months.

    The presence of a Chinese version of “calc.exe”, the official calculator provided in Microsoft
    Windows, is interesting. Not only is it one more indicator of a probable Chinese origin, but also an
    indicator that this server was probably used as a test base, in addition to being operational and
    controlling infected machines from different targets.

    In addition to those tools, we found some interesting scripts. A script named ipc.bat uses a file
    named user.txt to try to brute-force a shared folder access:

                     for /f "tokens=1,2 delims= " %%i in (user.txt) do (net use \\<TARGETEDIP>\ipc$ "%%j" /u:%%i)
                     && (net use \\<TARGETEDIP> /del) && (echo user:%%i pass:%%j>>succ.txt)
                            One script used to brute-force a network share inside a company’s network

    The user.txt file contains thousands of lines, each one being a couple of one particular username
    and one password attempt:

                     administrator nameofonetargetedcompany
                     administrator !Password
                     administrator azerty123
                     …
                     administrateurnameofonetargetedcompany
                     administrateur !Password
                     administrateur azerty123
                     …
                     <username>nameofonetargetedcompany
                     <username> !Password
                     <username> azerty123
                     …
                     <anotheruser>nameofonetargetedcompany
                     <anotheruser> !Password
                     <anotheruser> azerty123
                     …
                                Anonymized dictionary file used for brute-forcing a network share


    Public release
    Threat Intelligence
                                                     “The Eye of the Tiger”                              Page : 51/58

                                   Copyright © 2014 Airbus Defence & Space - All rights reserved
Operation Pitty Tiger – “The Eye of the Tiger”




    This user.txt file has been anonymized, yet we wanted to give you the feel for it. This file is 67320
    lines long, and uses 5610 different passwords for each of 12 users contained in this file. The user
    names are clearly the result from a user enumeration and are dedicated to a particular French
    victim.

    The passwords listed in this file are either build from several campaigns or from the current
    campaign. A lot of passwords are related to the targeted company and might be previous passwords
    from users.

    We have also discovered a pack of files which can be used to trigger an Internet Explorer
    vulnerability (CVE-2014-0322). The date of these files, namely Tope.swf and index.html, was
    2014/02/18, a few days after the revelation of existing exploits in the wild used in APT attacks1.

    We do not know if the Pitty Tiger group used this exploit or not, but found no trace indicating they
    did. A lot of different attackers seem to have used that vulnerability since.




    1
     http://www.symantec.com/connect/blogs/new-internet-explorer-10-zero-day-discovered-watering-
       hole-attack
    Public release
    Threat Intelligence
                                               “The Eye of the Tiger”                        Page : 52/58

                             Copyright © 2014 Airbus Defence & Space - All rights reserved
Operation Pitty Tiger – “The Eye of the Tiger”




    ATTRIBUTION
    Determining who is exactly behind an APT campaign is difficult. We tried to extract different
    technical indicators, together with contextual elements.

    Information relating to the tools used by the attackers has been leveraged for attribution:

           Several Chinese vulnerability scanners have been launched against targets;
           Several Chinese tools have been used and found on the c&c servers of the attackers:
            8uFTP, a Chinese version of calc.exe, etc.;
           Two of the used RATs have been developed by the same developers: CT RAT and
            PittyTiger RAT. The controllers for these RATs show Chinese language;
           Several binaries used by the attackers show either “Chinese - China” or “Chinese-Taiwan”
            language ID in their resources;
           A decoy Word document has been found, written in Chinese language;

    The IP addresses used for the hosting of the c&c domains are mainly located in Taipei (Taïwan) and
    Hong Kong City (Hong Kong Special Administrative Region, PRC):




    Public release
    Threat Intelligence
                                                “The Eye of the Tiger”                        Page : 53/58

                              Copyright © 2014 Airbus Defence & Space - All rights reserved
Operation Pitty Tiger – “The Eye of the Tiger”




                          Hosting information links for the c&c servers used in this campaign



    Most RDP connections to the c&c infrastructure come from Chinese IP ranges in Fuqing (Fujian
    province, PRC). Yet some IP addresses in the USA and in Hong Kong have also been found;




    Public release
    Threat Intelligence
                                               “The Eye of the Tiger”                           Page : 54/58

                             Copyright © 2014 Airbus Defence & Space - All rights reserved
Operation Pitty Tiger – “The Eye of the Tiger”




                                RDP connections from attackers to the c&c infrastructure


    All the items listed in this chapter are strong indicators that the attackers might be Chinese.




    Public release
    Threat Intelligence
                                                “The Eye of the Tiger”                        Page : 55/58

                              Copyright © 2014 Airbus Defence & Space - All rights reserved
Operation Pitty Tiger – “The Eye of the Tiger”




    CONCLUSION
    Pitty Tiger is a group of attackers that have been active since at least 2011.

    Pitty Tiger is effective and mature in the use of targeted malware, the use of known exploits to infect
    computers with their malware and the creation of an infrastructure to efficiently conduct APT attacks.

    They are quite unprofessional in their way of using their infrastructure: they do launch vulnerability
    scanners directly from a c&c server and also use their connection for personal activities
    (downloading pornographic material for example, as we have seen a whole folder on a c&c server
    full of xxx torrent links).

    Pitty Tiger is probably not a state-sponsored group of attackers. The attackers lack the experience
    and financial support that one would expect from state-sponsored attackers. We suppose this group
    is opportunistic and sells its services to probable competitors of their targets in the private sector.

    One governmental network has been targeted by the group, yet we do not have any evidence of the
    purpose of this attack. We suppose this particular attack has been executed to provide a usable
    bounce for the group.

    The campaign we studied has been largely focused on one particular target. We suspect the Pitty
    Tiger group to work according to an opportunistic business model: this group might offer its services
    to third parties from the private sector.

    This group seems to be very small compared to other APT groups. We have leveraged several
    profiles and could identify some attackers to a certain extent. We believe this group might keep
    working as it is now, with limited budgets, or grow to extend its attacking campaign capabilities.




    Public release
    Threat Intelligence
                                                “The Eye of the Tiger”                        Page : 56/58

                              Copyright © 2014 Airbus Defence & Space - All rights reserved
Operation Pitty Tiger – “The Eye of the Tiger”




    INDICATORS
    This list of indicators is provided in order to help people detect Pitty Tiger APT campaign.


          DOMAINS
    Domains used by the Pitty Tiger group: (please note several subdomains are used, as seen in the
    report)

    acers.com.tw
    kimoo.com.tw
    paccfic.com
    foxcom.com.tw
    dopodo.com.tw
    trendmicroup.com
    lightening.com.tw
    avstore.com.tw
    helosaf.com.tw
    trendmicro.org.tw
    stareastnet.com.tw
    symantecs.com.tw
    seed01.com.tw
    skypetm.com.tw




          MALWARE HASHES

                      MD5 Hashes                                                       Malware Family
    dc3d905ed90bbc148bccd34fe0c94d2d
    dd87c68c1e71bb104a48a6be87a2349f
    a494010a51705f7720d3cd378a31733a
    be18418cafdb9f86303f7e419a389cc9
    0750569cf1733d4fbb01169476387cc2
    3282a5e77f24c645984ef152a2aea874                                                    PittyTiger RAT
    8a54adb3976d1c03605656ca55be7400
    666ae21ceaea9bb8017a967ea6128add
    a1ea6dc12b983c7262fe76c1b3663b24
    d5da60d678d5a55a847e1e6723c7a4d0
    55e456339936a56c73a7883ea1ddb672
    abb0abfab252e45bfb9106273df3c1c2
    4ab74387f7a02c115deea2110f961fd3
    b6380439ff9ed0c6d45759da0f3b05b8
    bf95e89906b8a17fd611002660ffff32
    ce15fa3338b7fe780e85c511d5e49a98                                                     Troj/ReRol.A
    5e2360a8c4a0cce1ae22919d8bff49fd
    12854bb8d1e6a590e1bd578267e4f8c9
    5e2360a8c4a0cce1ae22919d8bff49fd

    Public release
    Threat Intelligence
                                                “The Eye of the Tiger”                                  Page : 57/58

                              Copyright © 2014 Airbus Defence & Space - All rights reserved
Operation Pitty Tiger – “The Eye of the Tiger”




    c0656b66b9f4180e59e1fd2f9f1a85f2
    79e48961d1ee982a466d222671a42ccb
    33714886dad497d6f0ecc255f0399004
    3b498f19d467d2b8d4c778a92cacae9a
    f71b374d341dc55b9b825531ba843f6d
    8df89df484ca5c376b763479ea08d036                                                   Paladin RAT
    0d3b3b422044759b4a08a7ad8afe55c7
    789c23dfcd67a5543769a3f0261ea325
    96a59b9813202734f59ae809105e73d1
    26be2cbb00158dfab6c81976d93748e8
    e7dc3bbe8b38b7ee0e797a0e27635cfa
    4ce8593c9de2b27b5c389f651c81638b                                                        CT RAT
    f65dc0b3eeb3c393e89ab49a3fac95a8
    b0a4302789e9716705d30ad1f8775a84
    81fa811f56247c236566d430ae4798eb                                        MM RAT (aka Troj/Goldsun-B)
    3654496539faedfe137a1f989359aef0                                                Leo RAT




          MALWARE STRINGS

              Strings (File/Network)                         Data type                         Malware Family
    /FC001/GET                                    File string / Network string                  PittyTiger RAT
    ---PittyTiger                                            File string                        PittyTiger RAT
    netsvcs_0x%d                                             File string                         Paladin RAT
    \MSREVT.SRG                                              File string                         Paladin RAT
    /httpdocs/mm/<bot_id>/ComMand.sec                      Network string                          MM RAT
    /httpdocs/prx.sec                                      Network string                          MM RAT
    CmdShell closed.                                         File string                           MM RAT
    get file ok %u bytes                                     File string                            CT RAT
    ok sleep %d minutes.                                     File string                            CT RAT
    can't open mmfile                                        File string                         Troj/ReRol.A
    Mozilla/4.0 (compatible;)                               User-Agent                           Troj/ReRol.A
    /dr.asp                                                Network string                        Troj/ReRol.A




    Public release
    Threat Intelligence
                                              “The Eye of the Tiger”                                 Page : 58/58

                            Copyright © 2014 Airbus Defence & Space - All rights reserved
