A threat group operating out of China continues its damage using older exploits, FireEye researchers said.
A threat group operating out of China continues its damage using older exploits, FireEye researchers said.

A group of attackers known as PittyTiger that use social engineering to deliver spearphishing emails in numerous languages to their targets are likely operating out of China, according to researchers at FireEye.

Citing a report titled “Eye of the Tiger” — and released by Airbus Defence and Space — that details the attacks and actions of the group since 2011 (PittyTiger may have begun operations in 2008), FireEye said in a blog post that the group uses various malware and tools to “maintain command and control (C2) and move laterally through their targets' networks.”

Nart Villeneuve, senior threat intelligence researcher and co-author of the blog post (along with Joshua Homan), confirmed to SCMagazine.com in an email correspondence that “the attacks conducted by this group are consistent with the TTPs associated with threat actors operating from China.”  

The group recently launched an attack against a French company, using free mail addresses under the names of actual company employees to send “simple, straightforward messages” in French and English. 

FireEye has observed the attackers using a Yahoo! email phishing pages kit that boasts phishing pages in different languages and aimed at multiple regions.

“Although this group has been active for quite a long time, they appear to be rather specific about their targets unlike some other noisier attackers,” said Villeneuve.

To carry out their attacks, the group exploits CVE-2012-0158 and CVE-2014-1761 vulnerabilities in Microsoft Office. According to FireEye, the tool that created documents exploiting CVE-2012-0158 leaves behind metadata, which points to the author being “Tran Duy Linh,” a known builder shared by numerous unrelated threat groups. 

CVE-2014-1761's builder tool is murkier but the documents created by the exploit “contain metadata that matches malicious documents created by both the Jdoc builder and the Metasploit Framework,” the FireEye blog noted.

The malicious documents are used to drop first-stage malware called Backdoor.APT.Pgift  (aka Troj/ReRol.A), which the FireEye blog noted was, recently used in an attack against a target in Taiwan. 

It then connects back to a C2 server and although it communicates some information about the compromised computer, it primarily is used to deliver the second-stage malware to that computer. The group also uses a builder, used to create and test the files put on the C2 server, in conjunction with the backdoor malware.

Saying that PittyTiger “will likely continue” their attacks, Villeneuve noted that it “has acquired a diverse set of malware tools.”

Among the other malware used by the group are Backdoor.APT.PittyTiger, Backdoor.APT.Lurid and Poison Ivy. After analyzing samples of the latter, which was used during 2008-2009, FireEye found connections to domain names used by the PittyTiger group.  

“While the attackers have access to a wide variety of malware, including both widely available as well as custom tools that only this group appear to have access to, they continue to use older exploits,” said Villeneuve. 

He cautioned organizations to be vigilant in keeping software up-to-date since “the attackers are using old exploits for which there are already patches available.”