New malware spotted in Asia reminiscent of Iron Tiger APT

02 Feb 2018

The Iron Tiger Advanced Persistent Threat (APT) caused havoc across Asia in 2010 and quickly moved to the United States in 2013. Seven years later, elements of the threat have been discovered again in a custom-built piece of malware that is again going after Asia.

A new white paper from Bitdefender says that it has been monitoring the custom malware since July 2017 in an initiative called Operation PZCHAO. The malware contains variants of a Gh0st Remote Access Trojan (RAT) that was used as part of the Iron Tiger APT operation.

The new malware includes custom subdomains built for different tasks (downloads, uploads, malware DLL delivery and RAT-related actions).

According to the white paper, the distribution of highly-targeted spam messages with malicious attached VBS files has been narrowed down to an IP address in South Korea.

When researchers found malware samples that had also been used in various regions of Asia, they traced them to a payload written in Chinese.

A number of other payloads are attached to the malware. One is a Bitcoin miner that masquerades as a legitimate application installed as a service and is able to kill any other mining programs running on the host.

The malware also includes the Mimikatz password stealer and the Gh0st RAT, which is deployed as a backdoor implant.

“Its behavior is very similar to the versions detected in attacks associated with the Iron Tiger APT group. This executable represents the “dropper” - a Windows application that contains all the code required to prepare a compromised host for installation of the Gh0st RAT server service. The binary that is decrypted and dropped on the system is the same as the one that communicates with the attacker’s endpoint (also known as the RAT client or the C2 controller) on startup and awaits further instructions,” the white paper says.

The Gh0st RAT is able to capture keystrokes, webcam feeds and audio. It also provides session management, remote file downloads, a file manager and a remote terminal.

“Even though the tools used in this particular attack are a few years old, they are battle-tested and more than suitable for future attacks. The ability to download most of these for free on certain underground hacking forums decreases the cost of attack without compromising on stealth or effectiveness. Usually, threat actors are constantly modifying these tools to make them suitable for the targets they have in their crosshairs: governments or strategic institutions such as education, telecommunications and so on.”
