In a new whitepaper, security experts at Airbus Defence & Space Cybersecurity Unit (formerly Cassidian CyberSecurity) detail how the APT has been undetected since at least 2011 and say that its operators have been reliant on an assortment of different malware, including some developed exclusively by the threat actor.
Instead of looking to exploit any zero-day vulnerability, the group relies “extensively” on spear phishing, malware and known vulnerabilities in older versions of Microsoft Office, as well as the Heartbleed bug, which continues to affect some 300,000 open-source web servers worldwide.
The campaign apparently starts with a phishing email; one example promised a holiday and carried a Microsoft Office Word attachment. Airbus admits that this is “amateur” – the attached Word file triggers CVE-2014-1761 to infect the computer with the Troj/ReRol.A malware, while other documents relied on the older CVE-2012-0158 vulnerability, which affected MS Office versions 2003 through 2010, SQL Server and other popular enterprise software applications.
Researchers believe that the group has also sent spear-phishing emails.
“This could mean that the Pitty Tiger group is using stolen material as spear-phishing content, either to target other persons in the compromised company, or to target other persons in a competitor's company, or more generally to compromise another target,” reads the white paper.
The report's authors are in little doubt that the group behind the APT is not state-sponsored, even though the RATs, tools (including a vulnerability scanner), binaries and language used all point to China as the group's origin.
“They lack the experience and financial support that one would expect from state-sponsored attackers. We suppose this group is opportunistic and sells its services to probable competitors of their targets in the private sector.”
“We have been able to leverage several attackers' profiles, showing that the Pitty Tiger group is fairly small compared to other APT groups, which is probably why we saw them work on a very limited amount of targets in an unusual malware sample in June.”
The group uses an assortment of malware and tools during its APT operations in addition to the PittyTiger remote access Trojan (RAT). A variant of the infamous Gh0st RAT (otherwise known as “Paladin”) has been used repeatedly by the group, together with other RATs that appear to have been developed exclusively for the campaign (the MM RAT – aka Troj/Goldsun-B – and the Gh0st RAT variant “Leo”).
The Troj/ReRol.A malware is the most commonly used in this cyber-espionage campaign; it infects workstations, collects system information and installs further malware. “It acts as a first stage download and system data collector often used in the initial compromise of the Pitty Tiger campaigns, generally embedded in Microsoft Office documents.”
Researchers were able to gain this insight because server misconfigurations allowed them to collect information from the three C&C servers used by this group of attackers from the end of 2013 to July 2014.
Intriguingly, the firm also reported that the cyber-criminals successfully collected information on some of their targets by exploiting the Heartbleed bug – which allows information that would usually be protected by SSL/TLS encryption to be stolen. The Pitty Tiger group was able to obtain administrator credentials for at least one target in this way.