New malware spotted in Asia reminiscent of Iron Tiger APT

02 Feb 18

The Iron Tiger Advanced Persistent Threat (APT) caused havoc across Asia in 2010 and quickly moved to the United States in 2013. Seven years later, elements of the threat have been discovered again in a custom-built piece of malware that is again going after Asia.

A new white paper from Bitdefender says that it has been monitoring the custom malware since July 2017 in an initiative called Operation PZCHAO. The malware contains variants of a Gh0st Remote Access Trojan (RAT) that was used as part of the Iron Tiger APT operation.

The new malware includes custom subdomains built for different tasks (downloads, uploads, malware DLL delivery and RAT-related actions).

According to the white paper, the distribution of highly-targeted spam messages with malicious attached VBS files has been narrowed down to an IP address in South Korea.

When researchers found malware samples that had also been used in various regions of Asia, they traced them to a payload written in Chinese.

There are a number of other payloads attached to the malware. One is a Bitcoin miner, able to kill any other mining programs on the host, that masquerades as a legitimate application registered as a service.

It also includes the Mimikatz password stealer and the Gh0st RAT, which serves as a backdoor implant.

“Its behavior is very similar to the versions detected in attacks associated with the Iron Tiger APT group. This executable represents the ‘dropper’ - a Windows application that contains all the code required to prepare a compromised host for installation of the Gh0st RAT server service. The binary that is decrypted and dropped on the system is the same as the one that communicates with the attacker’s endpoint (also known as the RAT client or the C2 controller) on startup and awaits further instructions,” the white paper says.

The Gh0st RAT is able to capture keystrokes and webcam feeds and to monitor audio. It also handles session management and remote file downloads, and can act as a file manager and a remote terminal.

“Even though the tools used in this particular attack are a few years old, they are battle-tested and more than suitable for future attacks. The ability to download most of these for free on certain underground hacking forums decreases the cost of attack without compromising on stealth or effectiveness. Usually, threat actors are constantly modifying these tools to make them suitable for the targets they have in their crosshairs: governments or strategic institutions such as education, telecommunications and so on.”
