
Pitty Tiger APT exploits older version Office flaws


The Pitty Tiger APT has been targeting telcos, defence companies and at least one government in a cyber-espionage campaign that relies on spear phishing and malware prying on vulnerabilities in Microsoft Office.


In a new whitepaper, security experts at the Airbus Defence & Space Cybersecurity Unit (formerly Cassidian CyberSecurity) detail how the APT has gone undetected since at least 2011 and say that its operators rely on an assortment of different malware, including some developed exclusively by the threat actor.

Instead of looking to exploit any zero-day vulnerability, the group relies “extensively” on spear phishing, malware and vulnerabilities in older versions of Microsoft Office, as well as the Heartbleed bug, which continues to affect some 300,000 open-source web servers worldwide.

The campaign apparently starts with a phishing email, with one example promising a holiday along with a Microsoft Office Word attachment. Airbus admits that this is “amateur”, with the attached Word file triggering CVE-2014-1761 to infect the computer with the Troj/ReRol.A malware, while other emails relied on the older CVE-2012-0158 vulnerability, which affected MS Office versions 2003 through 2010, SQL Server and other popular enterprise software applications.

Researchers believe that the group has also sent spear-phishing emails.

“This could mean that the Pitty Tiger group is using stolen material as spear-phishing content, either to target other persons in the compromised company, or to target other persons in a competitor's company, or more generally to compromise another target,” reads the white paper.

The report's authors are in little doubt that the group behind the APT is not state-sponsored, despite the RATs, tools (including a vulnerability scanner), binaries and language used all pointing to China as the group's origin.

“They lack the experience and financial support that one would expect from state-sponsored attackers. We suppose this group is opportunistic and sells its services to probable competitors of their targets in the private sector.”

“We have been able to leverage several attackers' profiles, showing that the Pitty Tiger group is fairly small compared to other APT groups, which is probably why we saw them work on a very limited amount of targets in an unusual malware sample in June.”

The group uses an assortment of malware and tools during its APT operations in addition to the PittyTiger remote access Trojan (RAT). A variant of the infamous ‘Gh0st' RAT (otherwise known as “Paladin”) has been used repeatedly by the group, together with some other RATs that appear to have been developed exclusively for the campaign (the MM RAT, aka Troj/Goldsun-B, and the Gh0st RAT variant “Leo”).

The Troj/ReRol.A malware is the most commonly used in this cyber-espionage campaign: it infects workstations, collects system information and installs further malware. “It acts as first stage download and system data collector often used in the initial compromise of the Pitty Tiger campaigns, generally embedded in Microsoft Office documents.”

Researchers were able to gain this insight because server misconfigurations allowed them to collect information from the three C&C servers used by this group of attackers from the end of 2013 to July 2014.

Intriguingly, the firm also reported that the cyber-criminals successfully collected information on some of their targets by exploiting the Heartbleed bug, which allows information that would usually be protected by SSL/TLS encryption to be stolen. The Pitty Tiger group obtained administrator credentials for at least one target in this way.
