New malware spotted in Asia reminiscent of Iron Tiger APT

02 Feb 18

The Iron Tiger Advanced Persistent Threat (APT) caused havoc across Asia in 2010 and moved to the United States in 2013. Seven years later, elements of the threat have resurfaced in a custom-built piece of malware that is once again going after Asia.

A new white paper from Bitdefender says that it has been monitoring the custom malware since July 2017 in an initiative called Operation PZCHAO. The malware contains variants of a Gh0st Remote Access Trojan (RAT) that was used as part of the Iron Tiger APT operation.

The new malware includes custom subdomains built for different tasks (downloads, uploads, malware DLL delivery and RAT-related actions).

According to the white paper, the distribution of highly targeted spam messages with malicious attached VBS files has been narrowed down to an IP address in South Korea.

When researchers found malware samples that had also been used in various regions of Asia, they tracked them down to a payload written in Chinese.

There are a number of other payloads attached to the malware. One is a Bitcoin miner that masquerades as a fake application set as a service and is able to kill any other mining programs.

The malware also includes the Mimikatz password stealer and the Gh0st RAT, which is designed as a backdoor implant.

“Its behavior is very similar to the versions detected in attacks associated with the Iron Tiger APT group. This executable represents the ‘dropper’ - a Windows application that contains all the code required to prepare a compromised host for installation of the Gh0st RAT server service. The binary that is decrypted and dropped on the system is the same as the one that communicates with the attacker’s endpoint (also known as the RAT client or the C2 controller) on startup and awaits further instructions,” the white paper says.

The Gh0st RAT is able to log keystrokes, capture webcam feeds and monitor voice. It can also handle session management and remote file downloads, and act as a file manager and a remote terminal.

“Even though the tools used in this particular attack are a few years old, they are battle-tested and more than suitable for future attacks. The ability to download most of these for free on certain underground hacking forums decreases the cost of attack without compromising on stealth or effectiveness. Usually, threat actors are constantly modifying these tools to make them suitable for the targets they have in their crosshairs: governments or strategic institutions such as education, telecommunications and so on.”
