
"Pitty Tiger" Threat Actors Possibly Active Since 2008: FireEye

Researchers at FireEye have analyzed the operations of the advanced persistent threat (APT) group dubbed "Pitty Tiger," and determined that it might have been active since as far back as 2008.

The activities of the Pitty Tiger group were first brought to light in mid-July by the cybersecurity unit at Airbus Defense & Space. Airbus researchers determined that the attackers, who are believed to be operating from China, have been active since at least 2011, but FireEye has found evidence to suggest that they've been targeting organizations for much longer.

According to the security firm, the threat group uses a combination of spear phishing emails, social engineering, email phishing pages, malware and other tools to accomplish its goals. The spear phishing emails analyzed by FireEye have been written in French, English and Chinese.

In a recent attack against a French company, the attackers sent out emails written in English and French that appeared to come from someone within the targeted organization. The malicious messages carried harmless-looking Microsoft Word documents that were set up to drop a first-stage payload, Backdoor.APT.Pgift (Troj/ReRol.A), by exploiting both old (CVE-2012-0158) and new (CVE-2014-1761) vulnerabilities affecting the Microsoft Office suite.

Once it infects a computer, the Trojan sends some information on the compromised device back to its command and control (C&C) server, after which it downloads the second-stage malware.

This wasn't the first time researchers identified an attack using Backdoor.APT.Pgift. The same threat was spotted at the beginning of 2014 in a campaign targeted at an organization in Taiwan. This, coupled with the fact that many of the C&C servers used by the cybercriminals are hosted on .tw domains, indicates that the attackers are interested in Taiwan as well, FireEye said.

The threat group has been using several pieces of malware over the past years. Based on samples that connected to the domain names used in their operations, the security firm believes the attackers relied on the notorious PoisonIvy during 2008 and 2009.

Backdoor.APT.PittyTiger1.3 (CT RAT) has also been used, most likely as a second-stage malware since it provides attackers with a remote shell on the compromised system. Backdoor.APT.PittyTiger is a piece of malware leveraged by the group in 2012 and 2013. The threat is capable of capturing screenshots, uploading and downloading files, and providing a remote shell. Backdoor.APT.Lurid, and variants of Gh0st RAT, including Paladin RAT and Leo RAT, have also been used by the Pitty Tiger group, FireEye reported on Thursday.

The company has also confirmed Airbus' findings regarding the APT group's use of zero-day exploits.

"We have not observed these attackers using 0day exploits; rather, they appear to acquire access to builders that are more widely distributed that can be used to create malicious documents," Nart Villeneuve and Joshua Homan noted in a blog post.

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.