Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Cybercrime

“Pitty Tiger” Threat Actors Possibly Active Since 2008: FireEye

Researchers at FireEye have analyzed the operations of the advanced persistent threat (APT) group dubbed “Pitty Tiger,” and determined that it might have been active since as far back as 2008.

Researchers at FireEye have analyzed the operations of the advanced persistent threat (APT) group dubbed “Pitty Tiger,” and determined that it might have been active since as far back as 2008.

The activities of the Pitty Tiger (PDF) group were first brought to light in mid-July by the cybersecurity unit at Airbus Defense & Space. Airbus researchers determined that the attackers, which are believed to be operating from China, have been active since at least 2011, but FireEye has found evidence to suggest that they’ve been targeting organizations for much longer.

Tiger Eye MalwareAccording to the security firm, the threat group uses a combination of spear phishing emails, social engineering, email phishing pages, malware and other tools to accomplish their goals. The spear phishing emails analyzed by FireEye have been written in French, English and Chinese.

In a recent attack against a French company, the attackers sent out emails written in English and French that appeared to come from someone within the targeted organization. The malicious messages carried harmless-looking Microsoft Word documents that were set up to drop a first-stage payload, Backdoor.APT.Pgift (Troj/ReRol.A), by exploiting both old (CVE-2012-0158) and new (CVE-2014-1761) vulnerabilities affecting the Microsoft Office suite.

Once it infects a computer, the Trojan sends some information on the compromised device back to its command and control (C&C) server, after which it downloads the second-stage malware.

This wasn’t the first time researchers identified an attack using Backdoor.APT.Pgift. The same threat was spotted at the beginning of 2014 in a campaign targeted at an organization in Taiwan. This, coupled with the fact that many of the C&C servers used by the cybercriminals are hosted on .tw domains, indicates that the attackers are interested in Taiwan as well, FireEye said.

The threat group has been using several pieces of malware over the past years. Based on samples that connected to the domain names used in their operations, the security firm believes the attackers relied on the notorious PoisonIvy during 2008 and 2009.

Backdoor.APT.PittyTiger1.3 (CT RAT) has also been used, most likely as a second-stage malware since it provides attackers with a remote shell on the compromised system. Backdoor.APT.PittyTiger is a piece of malware leveraged by the group in 2012 and 2013. The threat is capable of capturing screenshots, uploading and downloading files, and providing a remote shell. Backdoor.APT.Lurid, and variants of Gh0st RAT, including Paladin RAT and Leo RAT, have also been used by the Pitty Tiger group, FireEye reported on Thursday.

The company has also confirmed Airbus’ findings regarding the APT group’s use of zero-day exploits.

Advertisement. Scroll to continue reading.

“We have not observed these attackers using 0day exploits; rather, they appear to acquire access to builders that are more widely distributed that can be used to create malicious documents,” Nart Villeneuve and Joshua Homan noted in a blog post.

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Discover strategies for vendor selection, integration to minimize redundancies, and maximizing ROI from your cybersecurity investments. Gain actionable insights to ensure your stack is ready for tomorrow’s challenges.

Register

Dive into critical topics such as incident response, threat intelligence, and attack surface management. Learn how to align cyber resilience plans with business objectives to reduce potential impacts and secure your organization in an ever-evolving threat landscape.

Register

People on the Move

The US arm of networking giant TP-Link has appointed Adam Robertson as Director of Information and Security.

Cyber exposure management firm Armis has promoted Alex Mosher to President.

Software giant Atlassian has named David Cross as its new CISO.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.