
New malware spotted in Asia reminiscent of Iron Tiger APT

02 Feb 18

The Iron Tiger Advanced Persistent Threat (APT) caused havoc across Asia from 2010 and expanded its targeting to the United States in 2013. Seven years on, elements of that threat have resurfaced in a custom-built piece of malware that is once again going after targets in Asia.

A new white paper from Bitdefender says the company has been tracking the custom malware since July 2017 under the name Operation PZCHAO. The malware carries variants of the Gh0st Remote Access Trojan (RAT) that was used in the Iron Tiger APT campaign.

The infrastructure behind the new malware uses dedicated subdomains for different tasks (downloads, uploads, delivery of the malicious DLLs, and RAT-related actions), so each stage of the attack talks to its own host name under the attacker's domain.
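That per-task subdomain layout is something a defender can hunt for in DNS logs: a single client resolving several distinct subdomains of the same, otherwise unknown, registered domain in a short period. The script below is an added example written for this article, not code from Bitdefender or from the white paper; the log lines, domain names, allowlist and the threshold of three subdomains are all constructed for illustration, and the two-label "registered domain" helper is a deliberate simplification (a real deployment would use the Public Suffix List).

```python
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# Constructed sample DNS query log: "<client_ip> <queried_name>" per line.
# These names are invented for the example and are not indicators from the paper.
SAMPLE_DNS_LOG = """\
10.0.0.5 download.example-c2.test
10.0.0.5 upload.example-c2.test
10.0.0.5 dll.example-c2.test
10.0.0.5 rat.example-c2.test
10.0.0.7 www.vendor.test
10.0.0.7 cdn.vendor.test
10.0.0.9 mail.corp.test
"""

# Hypothetical allowlist of domains the organisation legitimately fans out to.
ALLOWLIST = {"vendor.test", "corp.test"}


def registered_domain(fqdn: str) -> str:
    """Naive eTLD+1: the last two labels. Simplification for the example only;
    use the Public Suffix List in production so 'co.uk'-style suffixes work."""
    labels = fqdn.rstrip(".").lower().split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else fqdn.lower()


def parse_log(text: str) -> List[Tuple[str, str]]:
    """Parse '<client_ip> <name>' lines, skipping anything malformed."""
    rows: List[Tuple[str, str]] = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 2:
            continue
        rows.append((parts[0], parts[1].lower()))
    return rows


def subdomain_fanout(
    rows: List[Tuple[str, str]],
    allowlist: Set[str] = ALLOWLIST,
    threshold: int = 3,
) -> Dict[Tuple[str, str], Set[str]]:
    """Return {(client_ip, registered_domain): {fqdns}} for every client that
    resolved at least `threshold` distinct subdomains of one non-allowlisted
    registered domain. Task-specific C2 subdomains produce exactly this pattern."""
    seen: Dict[Tuple[str, str], Set[str]] = defaultdict(set)
    for client, name in rows:
        base = registered_domain(name)
        if base in allowlist:
            continue
        seen[(client, base)].add(name)
    return {key: names for key, names in seen.items() if len(names) >= threshold}


if __name__ == "__main__":
    for (client, base), names in subdomain_fanout(parse_log(SAMPLE_DNS_LOG)).items():
        print(f"{client} -> {base}: {len(names)} subdomains {sorted(names)}")
```

Run against the constructed log, the script flags only 10.0.0.5 against example-c2.test (four distinct subdomains); the two vendor.test names from 10.0.0.7 stay under the threshold and are allowlisted anyway. Tune the threshold and window to your environment before using this on real DNS telemetry, since CDNs and SaaS platforms also fan out across subdomains.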

According to the white paper, the highly targeted spam messages carrying the malicious VBS attachments were traced back to a single IP address in South Korea.

Samples the researchers recovered from several regions of Asia led back to a payload written in Chinese.

Several other payloads ride along with the malware. One is a Bitcoin miner that masquerades as a legitimate application installed as a Windows service and is able to kill any competing mining programs it finds on the host.

It also includes the Mimikatz credential-dumping tool and the Gh0st RAT, deployed as a backdoor implant.

“Its behavior is very similar to the versions detected in attacks associated with the Iron Tiger APT group. This executable represents the ‘dropper’ - a Windows application that contains all the code required to prepare a compromised host for installation of the Gh0st RAT server service. The binary that is decrypted and dropped on the system is the same as the one that communicates with the attacker’s endpoint (also known as the RAT client or the C2 controller) on startup and awaits further instructions,” the white paper says.

The Gh0st RAT can log keystrokes, capture webcam feeds and record audio from the microphone. It also provides session management, remote file download, a file manager and a remote terminal.

“Even though the tools used in this particular attack are a few years old, they are battle-tested and more than suitable for future attacks. The ability to download most of these for free on certain underground hacking forums decreases the cost of attack without compromising on stealth or effectiveness. Usually, threat actors are constantly modifying these tools to make them suitable for the targets they have in their crosshairs: governments or strategic institutions such as education, telecommunications and so on.”
