Pitty Tiger – small ATPs scare private companies

Security researchers at AIRBUS have uncovered a new APT, named Pitty Tiger, involved in a cyber espionage campaign which targeted mainly private companies.

Security experts at AIRBUS Defence & Space – CyberSecurity unit have recently disclosed the results of their investigation on a new APT dubbed Pitty Tiger involved in a cyber espionage campaign which targeted mainly private companies.

Also in this case the cyber espionage campaign has gone undetected for years, this is a common aspect of many cyber operations, the Pitty Tiger group has been active since at least 2011.

The APT targeted private companies in many sectors, from telco to defense, and also at least one government.

Experts at AIRBUS Defence & Spaces discovered that Pitty Tiger group has used for the attacks many different malware from their arsenal, some of them developed by the Pitty Tiger group for its exclusive usage, but they haven’t exploited any 0-day vulnerability.

“The Pitty Tiger group mostly uses spear phishing in order to gain an initial foothold within the targeted environment. The group exploits known vulnerabilities in Microsoft Office products to infect their targets with malware. Pitty Tiger group is sometimes using stolen material as spear phishing content to target other persons. They have also been seen using HeartBleed vulnerability in order to directly get valid credentials.” reports the blog post published by AIRBUS.

The malicious codes used by the hacking team are:

• PittyTiger
• Troj/ReRol.A
• CT RAT
• MM RAT (aka Troj/Goldsun-B)
• Paladin RAT (a variant of Gh0st RAT)

Researchers sustain that the Pitty Tiger group has the ability to stay under the radar, but that is not considerable mature as other ATP monitored by the AIRBUS Defence & Spaces team, for this reason the experts don’t believe that Pitty Tiger is a state-sponsored group of attackers.

The analysts consider the team of hackers as an opportunistic collective that sells its services to probable competitors of their targets in the private sector. This is very worrying in my opinion because it is the demonstration that also minor bad actors could cause a serious problem to every company and the circumstance confirms the trend observed in the recent years in the growth of the offer of hacking-as-a-service.

The investigation demonstrates that the Pitty Tiger group is a small team compared to other APT groups and also the number of targeted entities is limited, but anyway it represents a serious threat.

Who is exactly behind an APT campaign?

It is very difficult to understand it, but the analysis of the following indicators seems to confirm the Chinese origin of the Pitty Tiger team:

• Several Chinese vulnerability scanners have been launched against targets;
• Several Chinese tools have been used and found on the c&c servers of the attackers: 8uFTP, a Chinese version of calc.exe, etc.;
• Two of the used RATs have been developed by the same developers: CT RAT and PittyTiger RAT. The controllers for these RATs show Chinese language;
• Several binaries used by the attackers show either “Chinese – China” or “Chinese-Taiwan” language ID in their resources;
• A decoy Word document has been found, written in Chinese language;
• The IP addresses used for the hosting of the c&c domains are mainly located in Taipei (Taïwan) and Hong Kong City (Hong Kong Special Administrative Region, PRC):

The report also provides indicators of compromise which could be used by security expert in threat intelligence processes and for the identification of further operations of the Pitty Tiger team.

Pierluigi Paganini

Security Affairs –  (cyber espionage, Pitty Tiger)