Malware of the Day – PittyTiger
What is Malware of the Day?
Lab Setup
Malware: PittyTiger
AKA: PittyTiger RAT, one of the RATs used by the Pitty Tiger group.
Traffic Type: APT
Connection Type: Reverse HTTP
C2 Platform: Cobalt Strike
Origin of Sample: https://github.com/rsmudge/Malleable-C2-Profiles/blob/master/APT/pitty_tiger.profile
Host Payload Delivery Method: PowerShell one-liner
Target Host/Victim: 192.168.99.54 – Windows 10 x64
C2 Server: 159.65.220.246 – Ubuntu 18.04.3 (LTS) x64
Beacon Timing: 30s
Jitter: 20%
Brief
Our focus is on identifying and detecting network beaconing behavior. We are using AI-Hunter/RITA as our network threat and C2/beacon detection platform to visualize the network traffic generated by running the PittyTiger malware replication. We encourage you to download the PCAP files included below and analyze them independently with your preferred threat hunting platform to test your detection capabilities.
The screenshot above shows the AI-Hunter Beacons module for a 24-hour traffic capture. The PittyTiger traffic has been detected as a very strong beacon signal of 98.80%.
The green highlighted box shows the beacon timing: the number of connections at each interval of time in seconds. Here we can see the tight cluster of communications from 30-second intervals down to 24-second intervals. Viewing the traffic in a graph like this, we can easily see the 20% jitter that has been introduced into the timing. This jitter could be just enough to evade some detection tools that look for very rigid timing patterns. These consistent connection timings and the tight cluster in the graph view, even with some jitter, are evidence of programmed machine communications.
The red highlighted box shows the number of connections per hour (each blue block is a one-hour time frame). The consistency of the number of connections per hour is a tell-tale indicator of non-human behavior. Normal users’ traffic should be much more random in nature and would display greater peaks and valleys in the graph over time.
Switching to the connections Data Size view (shown in the green highlighted box above), we can see immediately that the majority of communications are the same data size. For this sample, we have 8256 connections with 628-byte payloads. This is clearly uniform communication, such as a C2 channel “heartbeat” checking in for marching orders or maintaining persistence. Normal users’ network communications will vary greatly in data size. This confirms these are programmed communications that should be investigated.
The same beacon analysis can be performed using our open-source framework, RITA (get RITA, it’s free!). RITA detected the PittyTiger sample traffic as a strong threat, giving it a score of 0.988 (98.8% beacon probability). The network RITA is analyzing in the screenshot above is our malware lab, and you can see the PittyTiger sample is currently listed #2, bested only by another malware sample that is beaconing every second.
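As an added illustration (this is not code from the post, nor from AI-Hunter or RITA), the following Python script reproduces the three views discussed above on constructed data: the per-second interval histogram, the connections-per-hour counts, and the data-size uniformity. It then folds them into a simplified beacon score of my own, which is not RITA's scoring algorithm. The beacon generator assumes Cobalt Strike-style jitter that only shortens the sleep (so a 30 s / 20% configuration yields gaps between 24 and 30 seconds, matching the range in the screenshot); the "human" generator with exponential gaps and random sizes is a constructed contrast, not lab traffic.

```python
"""Toy beacon analysis over constructed connection records (added example)."""
import random
import statistics
from collections import Counter


def beacon_connections(hours=24, interval=30.0, jitter=0.20, size=628, seed=7):
    """Constructed sample: a beacon sleeping `interval` seconds with jitter that
    only shortens the sleep (assumption), so gaps land in [24, 30] s here."""
    rng = random.Random(seed)
    t, conns = 0.0, []
    while True:
        t += interval * (1.0 - rng.uniform(0.0, jitter))
        if t >= hours * 3600:
            break
        conns.append((t, size))          # (timestamp in seconds, bytes sent)
    return conns


def human_connections(hours=24, mean_gap=120.0, seed=7):
    """Constructed contrast: exponentially distributed gaps and varied sizes."""
    rng = random.Random(seed)
    t, conns = 0.0, []
    while True:
        t += rng.expovariate(1.0 / mean_gap)
        if t >= hours * 3600:
            break
        conns.append((t, rng.randint(200, 4000)))
    return conns


def gaps(conns):
    """Seconds between consecutive connections."""
    ts = sorted(t for t, _ in conns)
    return [b - a for a, b in zip(ts, ts[1:])]


def interval_histogram(conns):
    """Connections per whole-second interval (the green-box timing view)."""
    return Counter(round(g) for g in gaps(conns))


def connections_per_hour(conns):
    """Connections in each one-hour bucket (the red-box view)."""
    return Counter(int(t // 3600) for t, _ in conns)


def size_uniformity(conns):
    """(modal payload size, fraction of connections carrying it)."""
    sizes = Counter(s for _, s in conns)
    top_size, top_n = sizes.most_common(1)[0]
    return top_size, top_n / len(conns)


def _clamp(x):
    return max(0.0, min(1.0, x))


def beacon_score(conns):
    """Simplified heuristic (not RITA's algorithm): mean of timing tightness,
    hourly regularity and size uniformity, each mapped into [0, 1]."""
    g = sorted(gaps(conns))
    q1, q3 = g[len(g) // 4], g[3 * len(g) // 4]
    timing = _clamp(1.0 - (q3 - q1) / statistics.median(g))   # small IQR => tight
    hourly = list(connections_per_hour(conns).values())
    regularity = _clamp(1.0 - statistics.pstdev(hourly) / statistics.mean(hourly))
    _, uniform = size_uniformity(conns)
    return round((timing + regularity + uniform) / 3.0, 3)


if __name__ == "__main__":
    for name, conns in (("beacon", beacon_connections()), ("human", human_connections())):
        print(f"{name}: {len(conns)} connections, score {beacon_score(conns)}")
        print("  intervals:", sorted(interval_histogram(conns).items())[:8])
        print("  hourly:", sorted(connections_per_hour(conns).items())[:4])
        print("  size:", size_uniformity(conns))
```

On real data the input is one (timestamp, bytes) pair per connection from a single host to a single destination; Zeek's conn.log (the ts and orig_bytes fields) gives exactly that, which is also the log format RITA consumes.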
Capture Files
Because… PCAPs, or it didn’t happen. 😊
The following PCAP files are packet captures taken from our lab environment over a one-hour time frame and a 24-hour time frame. The files were generated using Wireshark from the target host and include normal Windows OS traffic and normal network broadcast traffic. They have not been edited. The PCAPs are safe, standard PCAP files and do not include any actual malware.
PittyTiger 1 Hour Capture
pitty_tiger_1hr.pcap (served by Dropbox)
Size: 1.03 MB
MD5 Checksum: 80ff0d88c4ed2c835dd581c1f1fa5ec6
PittyTiger 24 Hour Capture
pitty_tiger_24hr.pcap (served by Dropbox)
Size: 50.6 MB
MD5 Checksum: 6b7692e5064034109187e58e8a013115
Discussion
Want to talk about this or anything else concerning threat hunting? Want to share how good (or bad) other detection tools were able to detect this PittyTiger sample? We would love to hear how this malware traffic sample fares in other detection tools!
We have a Discord server titled “Threat Hunter Community” to discuss all topics surrounding threat hunting. We invite you to join our server here.
Additional Resources
https://airbus-cyber-security.com/the-eye-of-the-tiger/
https://www.bankinfosecurity.com/airbus-hacked-aircraft-giant-discloses-data-breach-a-11985
Until the next!
Keith’s appreciation for computing and processes originates from working with his first personal computer in 1982, a TI-99/4A. Keith sees himself as fortunate for the opportunity to apply his passion towards a career that assists in the advance of technology and continuing education.