New malware spotted in Asia reminiscent of Iron Tiger APT

02 Feb 2018

The Iron Tiger Advanced Persistent Threat (APT) caused havoc across Asia in 2010 and quickly moved to the United States in 2013. Seven years later, elements of the threat have been discovered again in a custom-built piece of malware that is again going after Asia.

A new white paper from Bitdefender says that it has been monitoring the custom malware since July 2017 in an initiative called Operation PZCHAO. The malware contains variants of a Gh0st Remote Access Trojan (RAT) that was used as part of the Iron Tiger APT operation.

The new malware includes custom subdomains built for different tasks (downloads, uploads, malware DLL delivery and RAT-related actions).

According to the white paper, the distribution of highly-targeted spam messages with malicious attached VBS files has been narrowed down to an IP address in South Korea.

Researchers also found malware samples that had been used in several regions of Asia, and traced them back to a payload written in Chinese.

There are a number of other payloads attached to the malware. One is a Bitcoin miner that kills any other mining programs it finds and masquerades as a fake application installed as a service.

It also includes the Mimikatz password stealer and the Gh0st RAT, which serves as a backdoor implant.

“Its behavior is very similar to the versions detected in attacks associated with the Iron Tiger APT group. This executable represents the ‘dropper’ - a Windows application that contains all the code required to prepare a compromised host for installation of the Gh0st RAT server service. The binary that is decrypted and dropped on the system is the same as the one that communicates with the attacker’s endpoint (also known as the RAT client or the C2 controller) on startup and awaits further instructions,” the white paper says.
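Both the miner (which the article says masquerades as a fake application set as a service) and the Gh0st RAT dropper (which prepares the host for installation of the RAT server service) end up as Windows services, so service-install events are a natural place for a defender to look. The following Python is an added example written for this article; it is not Bitdefender's code and nothing from the PZChao white paper. It assumes, as a hunting heuristic rather than something the article states, that a dropped service binary tends to live in a user-writable directory, be launched through a script host, or carry a name that mimics a Windows component. The log lines it parses are constructed sample data in a simplified key=value rendering of System log Event ID 7045 ("a service was installed"), not real Windows event XML.

```python
"""Triage Windows 'service installed' (Event ID 7045) records for signs of a dropper.

Added example for this article, not Bitdefender's or the PZChao white paper's code.
Assumptions (not stated by the article): suspicious service binaries sit in
user-writable folders, are started through a script host, or use look-alike names.
SAMPLE_7045_LINES is constructed sample data, not real telemetry.
"""
import re
from dataclasses import dataclass

SAMPLE_7045_LINES = [
    # constructed: benign vendor service from a protected directory
    "2018-01-12T09:14:02Z EventID=7045 ServiceName=\"Intel(R) Graphics Service\" "
    "ImagePath=\"C:\\Windows\\System32\\DriverStore\\igfxCUIService.exe\" StartType=auto",
    # constructed: payload dropped into a user profile and set to auto-start
    "2018-01-12T09:15:41Z EventID=7045 ServiceName=\"Windows Update Helper\" "
    "ImagePath=\"C:\\Users\\alice\\AppData\\Roaming\\wuhelper.exe\" StartType=auto",
    # constructed: service whose 'binary' is a script host running a VBS file
    "2018-01-12T09:16:05Z EventID=7045 ServiceName=\"svchost\" "
    "ImagePath=\"C:\\Windows\\System32\\wscript.exe //B C:\\ProgramData\\upd.vbs\" StartType=auto",
    # constructed: a different event type that must be ignored
    "2018-01-12T09:16:30Z EventID=7036 ServiceName=\"Spooler\" State=running",
]

LINE_RE = re.compile(
    r'EventID=(?P<eid>\d+) ServiceName="(?P<name>[^"]*)" ImagePath="(?P<path>[^"]*)"'
)

# Directories in which a legitimate service binary rarely lives.
USER_WRITABLE = ("\\users\\", "\\appdata\\", "\\programdata\\", "\\temp\\", "\\tmp\\")
# Script hosts and shells that a service ImagePath should not normally start with.
SCRIPT_HOSTS = ("wscript.exe", "cscript.exe", "powershell.exe", "cmd.exe", "mshta.exe")
# Name fragments that try to blend in with genuine Windows components.
LOOKALIKE_NAMES = ("svchost", "windows update", "csrss", "lsass")


@dataclass
class Finding:
    service: str
    image_path: str
    reasons: tuple


def _first_executable(image_path: str) -> str:
    """Basename of the program actually launched by ImagePath (arguments stripped)."""
    p = image_path.strip().strip('"')
    m = re.match(r'(.*?\.exe)', p, re.IGNORECASE)
    head = m.group(1) if m else p.split(" ")[0]
    return head.rsplit("\\", 1)[-1].lower()


def assess(service: str, image_path: str) -> tuple:
    """Return the heuristic reasons a service install looks suspicious (empty if none)."""
    reasons = []
    lowered = image_path.lower()
    if any(d in lowered for d in USER_WRITABLE):
        reasons.append("binary in user-writable directory")
    if _first_executable(image_path) in SCRIPT_HOSTS:
        reasons.append("image path runs a script host")
    if any(n in service.lower() for n in LOOKALIKE_NAMES):
        reasons.append("service name mimics a Windows component")
    return tuple(reasons)


def triage(lines) -> list:
    """Parse 7045 lines and return a Finding for every install that trips a heuristic."""
    findings = []
    for line in lines:
        m = LINE_RE.search(line)
        if not m or m.group("eid") != "7045":
            continue
        reasons = assess(m.group("name"), m.group("path"))
        if reasons:
            findings.append(Finding(m.group("name"), m.group("path"), reasons))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_7045_LINES):
        print(f"{f.service!r} -> {f.image_path}")
        for r in f.reasons:
            print("   ", r)
```

Run against the constructed lines, the vendor service passes clean, the AppData binary is flagged for its location and its look-alike name, and the wscript.exe entry trips all three checks; the 7036 line is skipped because only install events are of interest. In a real deployment the same `assess` logic would be fed from parsed event XML or a SIEM export, and the heuristics should be tuned against a baseline of the organisation's own service installs.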

The Gh0st RAT can capture keystrokes and webcam feeds and monitor voice. It also handles session management and remote file downloads, and acts as a file manager and a remote terminal.

“Even though the tools used in this particular attack are a few years old, they are battle-tested and more than suitable for future attacks. The ability to download most of these for free on certain underground hacking forums decreases the cost of attack without compromising on stealth or effectiveness. Usually, threat actors are constantly modifying these tools to make them suitable for the targets they have in their crosshairs: governments or strategic institutions such as education, telecommunications and so on.”
