win.tiger_rat

Tiger RAT

Actor(s): Silent Chollima


This is a third-stage backdoor described in the Kaspersky blog post "Andariel evolves to target South Korea with ransomware". The third-stage payload is created by the second-stage payload, is executed interactively during the operation, and exists in both x64 and x86 versions. Most samples use Internet Explorer or Google Chrome icons and matching file names to disguise themselves as legitimate web browsers. The malware decrypts its embedded payload at runtime: it uses an embedded 16-byte XOR key to decrypt the base64-encoded payload, and the decrypted payload is another portable executable that runs in memory. Before decrypting with the hardcoded XOR key, the backdoor also checks for a sandbox environment.
The backdoor has some code overlap with the known malware family PEBBLEDASH, attributed to Lazarus/LABYRINTH CHOLLIMA.
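The runtime unpacking described above (base64 container, 16-byte repeating XOR key, decrypted PE run in memory), as an added Python example that is not code from this page or from Kaspersky's analysis. It decodes a constructed container and, going one step beyond the text, recovers the key from the predictable PE DOS header so an analyst can extract the payload without first locating the embedded key. Assumed here: base64 is the outer layer and XOR the inner one (the page does not state the order); the key and payload bytes are constructed, not taken from any real sample.

```python
import base64
from itertools import cycle

KEY_LEN = 16  # the page describes an embedded 16-byte XOR key
# First 16 bytes of a typical MSVC-linked PE DOS header (e_magic .. e_ovno).
DOS_HEADER_PREFIX = b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00"


def xor_repeating(data: bytes, key: bytes) -> bytes:
    """XOR data against a key that repeats every len(key) bytes."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def decrypt_embedded_payload(b64_blob: bytes, key: bytes) -> bytes:
    """Base64-decode the container, then strip the repeating-XOR layer.
    Assumed layer order (not stated on the page): base64 outside, XOR inside."""
    if len(key) != KEY_LEN:
        raise ValueError(f"expected a {KEY_LEN}-byte key, got {len(key)}")
    return xor_repeating(base64.b64decode(b64_blob, validate=True), key)


def recover_xor_key(b64_blob: bytes, known_prefix: bytes = DOS_HEADER_PREFIX) -> bytes:
    """Known-plaintext recovery: the decrypted payload is a PE, so its first 16
    bytes are predictable; XORing them with the first 16 ciphertext bytes
    yields the whole repeating key."""
    raw = base64.b64decode(b64_blob, validate=True)
    return xor_repeating(raw[:KEY_LEN], known_prefix[:KEY_LEN])


def looks_like_pe(blob: bytes) -> bool:
    """Sanity check on a decrypted blob: 'MZ' at 0 and 'PE\\0\\0' at e_lfanew."""
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(blob[0x3C:0x40], "little")
    return blob[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def build_sample_payload() -> bytes:
    """Constructed stand-in for the embedded PE: a 0x40-byte DOS header with
    e_lfanew = 0x40, followed by the PE signature. Not bytes from a real sample."""
    hdr = bytearray(DOS_HEADER_PREFIX) + bytearray(0x40 - KEY_LEN)
    hdr[0x3C:0x40] = (0x40).to_bytes(4, "little")
    return bytes(hdr) + b"PE\x00\x00"


SAMPLE_KEY = bytes(range(0xA0, 0xA0 + KEY_LEN))  # constructed key
SAMPLE_PAYLOAD = build_sample_payload()
SAMPLE_CONTAINER = base64.b64encode(xor_repeating(SAMPLE_PAYLOAD, SAMPLE_KEY))
```

Calling `recover_xor_key(SAMPLE_CONTAINER)` returns `SAMPLE_KEY`, and feeding that key to `decrypt_embedded_payload` yields a blob for which `looks_like_pe` is true; the same check rejects the still-encrypted bytes.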

References
2021-12-22 | Threatray | Markel Picado Ortiz
@techreport{ortiz:20211222:establishing:41e5885,
  author = {Markel Picado Ortiz},
  title = {{Establishing the TigerRAT and TigerDownloader Malware Families}},
  date = {2021-12-22},
  institution = {Threatray},
  url = {https://threatray.com/wp-content/uploads/2021/12/threatray-establishing-the-tigerrat-and-tigerdownloader-malware-families.pdf},
  language = {English},
  urldate = {2021-12-31}
}
Families: Tiger RAT

2021-12-03 | VMware | VMware
@online{vmware:20211203:tigerrat:3388e2c,
  author = {VMWare},
  title = {{TigerRAT – Advanced Adversaries on the Prowl}},
  date = {2021-12-03},
  organization = {vmware},
  url = {https://blogs.vmware.com/security/2021/12/tigerrat-advanced-adversaries-on-the-prowl.html},
  language = {English},
  urldate = {2021-12-06}
}
Families: Tiger RAT

2021-09-02 | KrCERT | KrCERT
@techreport{krcert:20210902:ttps6:3198c89,
  author = {KrCERT},
  title = {{TTPs#6 Targeted Watering Hole Attack Strategy Analysis (SILENT CHOLLIMA)}},
  date = {2021-09-02},
  institution = {KrCert},
  url = {https://www.krcert.or.kr/filedownload.do?attach_file_seq=3277&attach_file_id=EpF3277.pdf},
  language = {Korean},
  urldate = {2021-09-09}
}
Families: Tiger RAT

2021-07-15 | BrightTALK | Mathieu Gaucheler, Ariel Jungheit, Kaspersky, Vicente Diaz
@online{gaucheler:20210715:visual:79b00a1,
  author = {Mathieu Gaucheler and Ariel Jungheit and Kaspersky and Vicente Diaz},
  title = {{Visual investigations - Speed up your IR, Forensic Analysis and Hunting}},
  date = {2021-07-15},
  organization = {BrightTALK},
  url = {https://www.brighttalk.com/webcast/18282/493986},
  language = {English},
  urldate = {2021-11-03}
}
Families: Tiger RAT

2021-06-15 | Kaspersky | Seongsu Park
@online{park:20210615:andariel:1e000a0,
  author = {Seongsu Park},
  title = {{Andariel evolves to target South Korea with ransomware}},
  date = {2021-06-15},
  organization = {Kaspersky},
  url = {https://securelist.com/andariel-evolves-to-target-south-korea-with-ransomware/102811/},
  language = {English},
  urldate = {2021-11-03}
}
Families: BISTROMATH, PEBBLEDASH, Tiger RAT, Unidentified 081 (Andariel Ransomware)
Yara Rules
[TLP:WHITE] win_tiger_rat_auto (20220516 | Detects win.tiger_rat.)
rule win_tiger_rat_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2022-05-16"
        version = "1"
        description = "Detects win.tiger_rat."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.tiger_rat"
        malpedia_rule_date = "20220513"
        malpedia_hash = "7f4b2229e6ae614d86d74917f6d5b41890e62a26"
        malpedia_version = "20220516"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 41b880000000 440fb60c3a 41d3f8 4522c8 }
            // n = 4, score = 200
            //   41b880000000         | mov                 r8d, 0x80
            //   440fb60c3a           | movzx               r9d, byte ptr [rdx + rdi]
            //   41d3f8               | sar                 r8d, cl
            //   4522c8               | and                 r9b, r8b

        $sequence_1 = { 412bc2 83c008 4863c8 e8???????? 4c8bc7 488bd5 }
            // n = 6, score = 200
            //   412bc2               | sub                 eax, r10d
            //   83c008               | add                 eax, 8
            //   4863c8               | movsxd              rcx, eax
            //   e8????????           | call                ????????
            //   4c8bc7               | mov                 r8, rdi
            //   488bd5               | mov                 rdx, rbp

        $sequence_2 = { 41b875000000 4889442420 e8???????? 8b5608 }
            // n = 4, score = 200
            //   41b875000000         | mov                 r8d, 0x75
            //   4889442420           | mov                 qword ptr [rsp + 0x20], rax
            //   e8????????           | call                ????????
            //   8b5608               | mov                 edx, dword ptr [rsi + 8]

        $sequence_3 = { 33c0 4c8d45c0 4533e4 8d5020 448965c0 488945c4 488945cc }
            // n = 7, score = 200
            //   33c0                 | xor                 eax, eax
            //   4c8d45c0             | lea                 r8, [rbp - 0x40]
            //   4533e4               | xor                 r12d, r12d
            //   8d5020               | lea                 edx, [rax + 0x20]
            //   448965c0             | mov                 dword ptr [rbp - 0x40], r12d
            //   488945c4             | mov                 qword ptr [rbp - 0x3c], rax
            //   488945cc             | mov                 qword ptr [rbp - 0x34], rax

        $sequence_4 = { 4863d0 4803d1 e8???????? 488b5c2438 }
            // n = 4, score = 200
            //   4863d0               | movsxd              rdx, eax
            //   4803d1               | add                 rdx, rcx
            //   e8????????           | call                ????????
            //   488b5c2438           | mov                 rbx, qword ptr [rsp + 0x38]

        $sequence_5 = { 41b876000000 4889442420 e8???????? 8bc3 }
            // n = 4, score = 200
            //   41b876000000         | mov                 r8d, 0x76
            //   4889442420           | mov                 qword ptr [rsp + 0x20], rax
            //   e8????????           | call                ????????
            //   8bc3                 | mov                 eax, ebx

        $sequence_6 = { 33c0 89442438 89442430 448bcf }
            // n = 4, score = 200
            //   33c0                 | xor                 eax, eax
            //   89442438             | mov                 dword ptr [rsp + 0x38], eax
            //   89442430             | mov                 dword ptr [rsp + 0x30], eax
            //   448bcf               | mov                 r9d, edi

        $sequence_7 = { 41b873000000 4889442420 e8???????? 488bd7 488bce e8???????? }
            // n = 6, score = 200
            //   41b873000000         | mov                 r8d, 0x73
            //   4889442420           | mov                 qword ptr [rsp + 0x20], rax
            //   e8????????           | call                ????????
            //   488bd7               | mov                 rdx, rdi
            //   488bce               | mov                 rcx, rsi
            //   e8????????           | call                ????????

        $sequence_8 = { 0f84ef000000 8b05???????? 418b5ef4 418b7e04 2305???????? 33c9 }
            // n = 6, score = 100
            //   0f84ef000000         | je                  +0xef
            //   8b05????????         | mov                 eax, dword ptr [rip + ????????]
            //   418b5ef4             | mov                 ebx, dword ptr [r14 - 0xc]
            //   418b7e04             | mov                 edi, dword ptr [r14 + 4]
            //   2305????????         | and                 eax, dword ptr [rip + ????????]
            //   33c9                 | xor                 ecx, ecx

        $sequence_9 = { 48894d58 33c0 48ffc1 7502 eb10 4883f9ff }
            // n = 6, score = 100
            //   48894d58             | mov                 qword ptr [rbp + 0x58], rcx
            //   33c0                 | xor                 eax, eax
            //   48ffc1               | inc                 rcx
            //   7502                 | jne                 +2
            //   eb10                 | jmp                 +0x10
            //   4883f9ff             | cmp                 rcx, -1

        $sequence_10 = { 488d1588e50000 ff15???????? 4885c0 7404 }
            // n = 4, score = 100
            //   488d1588e50000       | lea                 rdx, [rip + 0xe588]
            //   ff15????????         | call                qword ptr [rip + ????????]
            //   4885c0               | test                rax, rax
            //   7404                 | je                  +4

        $sequence_11 = { 44890d???????? 3016 4883f90f 488d7601 }
            // n = 4, score = 100
            // byte-wise XOR over a buffer with the index compared against 0xf,
            // consistent with the 16-byte repeating XOR key described above
            //   44890d????????       | mov                 dword ptr [rip + ????????], r9d
            //   3016                 | xor                 byte ptr [rsi], dl
            //   4883f90f             | cmp                 rcx, 0xf
            //   488d7601             | lea                 rsi, [rsi + 1]

        $sequence_12 = { 488bcf 48c1f905 83e21f 4c8d05fc690100 498b0cc8 }
            // n = 5, score = 100
            //   488bcf               | mov                 rcx, rdi
            //   48c1f905             | sar                 rcx, 5
            //   83e21f               | and                 edx, 0x1f
            //   4c8d05fc690100       | lea                 r8, [rip + 0x169fc]
            //   498b0cc8             | mov                 rcx, qword ptr [r8 + rcx*8]

        $sequence_13 = { 41b8d0070000 c745f74008027b 890d???????? 488bce 488bf8 c745fb0f46210d c745ff502c5e00 }
            // n = 7, score = 100
            //   41b8d0070000         | mov                 r8d, 0x7d0
            //   c745f74008027b       | mov                 dword ptr [rbp - 9], 0x7b020840
            //   890d????????         | mov                 dword ptr [rip + ????????], ecx
            //   488bce               | mov                 rcx, rsi
            //   488bf8               | mov                 rdi, rax
            //   c745fb0f46210d       | mov                 dword ptr [rbp - 5], 0xd21460f
            //   c745ff502c5e00       | mov                 dword ptr [rbp - 1], 0x5e2c50

        $sequence_14 = { 4c8bf3 ff15???????? c705????????4b000000 488be8 4885c0 7513 }
            // n = 6, score = 100
            //   4c8bf3               | mov                 r14, rbx
            //   ff15????????         | call                qword ptr [rip + ????????]
            //   c705????????4b000000 | mov                 dword ptr [rip + ????????], 0x4b
            //   488be8               | mov                 rbp, rax
            //   4885c0               | test                rax, rax
            //   7513                 | jne                 +0x13

        $sequence_15 = { 4883f90f 488d7601 480f44c8 49ffc8 75df 8bc3 488b5c2440 }
            // n = 7, score = 100
            // loop tail of the XOR routine: the key index in rcx is compared against
            // 0xf and conditionally reset (cmove) before the counter in r8 is decremented
            //   4883f90f             | cmp                 rcx, 0xf
            //   488d7601             | lea                 rsi, [rsi + 1]
            //   480f44c8             | cmove               rcx, rax
            //   49ffc8               | dec                 r8
            //   75df                 | jne                 -0x21
            //   8bc3                 | mov                 eax, ebx
            //   488b5c2440           | mov                 rbx, qword ptr [rsp + 0x40]
    condition:
        7 of them and filesize < 557056
}