Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Cybercrime

“Pitty Tiger” Threat Actors Possibly Active Since 2008: FireEye

Researchers at FireEye have analyzed the operations of the advanced persistent threat (APT) group dubbed “Pitty Tiger,” and determined that it might have been active since as far back as 2008.

Researchers at FireEye have analyzed the operations of the advanced persistent threat (APT) group dubbed “Pitty Tiger,” and determined that it might have been active since as far back as 2008.

The activities of the Pitty Tiger (PDF) group were first brought to light in mid-July by the cybersecurity unit at Airbus Defense & Space. Airbus researchers determined that the attackers, which are believed to be operating from China, have been active since at least 2011, but FireEye has found evidence to suggest that they’ve been targeting organizations for much longer.

Tiger Eye MalwareAccording to the security firm, the threat group uses a combination of spear phishing emails, social engineering, email phishing pages, malware and other tools to accomplish their goals. The spear phishing emails analyzed by FireEye have been written in French, English and Chinese.

In a recent attack against a French company, the attackers sent out emails written in English and French that appeared to come from someone within the targeted organization. The malicious messages carried harmless-looking Microsoft Word documents that were set up to drop a first-stage payload, Backdoor.APT.Pgift (Troj/ReRol.A), by exploiting both old (CVE-2012-0158) and new (CVE-2014-1761) vulnerabilities affecting the Microsoft Office suite.

Once it infects a computer, the Trojan sends some information on the compromised device back to its command and control (C&C) server, after which it downloads the second-stage malware.

This wasn’t the first time researchers identified an attack using Backdoor.APT.Pgift. The same threat was spotted at the beginning of 2014 in a campaign targeted at an organization in Taiwan. This, coupled with the fact that many of the C&C servers used by the cybercriminals are hosted on .tw domains, indicates that the attackers are interested in Taiwan as well, FireEye said.

The threat group has been using several pieces of malware over the past years. Based on samples that connected to the domain names used in their operations, the security firm believes the attackers relied on the notorious PoisonIvy during 2008 and 2009.

Backdoor.APT.PittyTiger1.3 (CT RAT) has also been used, most likely as a second-stage malware since it provides attackers with a remote shell on the compromised system. Backdoor.APT.PittyTiger is a piece of malware leveraged by the group in 2012 and 2013. The threat is capable of capturing screenshots, uploading and downloading files, and providing a remote shell. Backdoor.APT.Lurid, and variants of Gh0st RAT, including Paladin RAT and Leo RAT, have also been used by the Pitty Tiger group, FireEye reported on Thursday.

The company has also confirmed Airbus’ findings regarding the APT group’s use of zero-day exploits.

“We have not observed these attackers using 0day exploits; rather, they appear to acquire access to builders that are more widely distributed that can be used to create malicious documents,” Nart Villeneuve and Joshua Homan noted in a blog post.

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Expert Insights

Related Content

Cybercrime

Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.

Cybercrime

The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.

Data Breaches

GoTo said an unidentified threat actor stole encrypted backups and an encryption key for a portion of that data during a 2022 breach.

Cybercrime

The FBI dismantled the network of the prolific Hive ransomware gang and seized infrastructure in Los Angeles that was used for the operation.

Malware & Threats

Microsoft plans to improve the protection of Office users by blocking XLL add-ins from the internet.

Cybercrime

A new study by McAfee and the Center for Strategic and International Studies (CSIS) named a staggering figure as the true annual cost of...

Cybercrime

A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Application Security

PayPal is alerting roughly 35,000 individuals that their accounts have been targeted in a credential stuffing campaign.