win.tiger_rat

Tiger RAT

Actor(s): Silent Chollima


This is the third-stage backdoor mentioned in the Kaspersky blog post "Andariel evolves to target South Korea with ransomware". The third-stage payload is created by the second-stage payload, is executed interactively during the operation, and exists in both x64 and x86 versions. Most samples use Internet Explorer or Google Chrome icons and matching file names to disguise themselves as legitimate web browsers. The malware decrypts its embedded payload at runtime: it uses an embedded 16-byte XOR key to decrypt the base64-encoded payload, and the decrypted payload is another portable executable that runs in memory. Before decrypting the payload with the hardcoded XOR key, the backdoor also checks for a sandbox environment.
The backdoor has some code overlap with the known malware family PEBBLEDASH, attributed to Lazarus/LABYRINTH CHOLLIMA.
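The base64-then-XOR layering described above, as an added illustration that is not code from this page or from any Tiger RAT sample: the payload bytes, the 16-byte key and the DOS-stub offset used for known-plaintext key recovery are all constructed assumptions for the demo, and the order of operations (base64 decode first, XOR second) is the point it exercises.

```python
import base64
import struct

# Constructed values for the demo; nothing here comes from a real sample.
KEY_LEN = 16
DOS_STUB = b"This program cannot be run in DOS mode."
DOS_STUB_OFFSET = 0x4E  # where MSVC-linked PEs normally carry the stub text


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR data with a repeating key; XOR is its own inverse."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def decrypt_payload(blob_b64: bytes, key: bytes) -> bytes:
    """Undo the two layers in the order the page describes: base64, then XOR."""
    return xor_bytes(base64.b64decode(blob_b64), key)


def looks_like_pe(data: bytes) -> bool:
    """Cheap sanity check on a decrypted blob: 'MZ' at 0 and 'PE\\0\\0' at e_lfanew."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def recover_key(ciphertext: bytes, known: bytes, offset: int, key_len: int = KEY_LEN) -> bytes:
    """Analyst-side known-plaintext recovery: the DOS stub string is longer than
    the key, so ciphertext XOR plaintext at each position yields every key byte."""
    key = bytearray(key_len)
    for i, p in enumerate(known):
        key[(offset + i) % key_len] = ciphertext[offset + i] ^ p
    return bytes(key)


def build_fake_pe() -> bytes:
    """Constructed stand-in for the embedded PE: DOS header, stub text, PE signature."""
    hdr = bytearray(0x100)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x80)          # e_lfanew -> 0x80
    hdr[DOS_STUB_OFFSET:DOS_STUB_OFFSET + len(DOS_STUB)] = DOS_STUB
    hdr[0x80:0x84] = b"PE\0\0"
    return bytes(hdr)


SAMPLE_KEY = bytes(range(0xA0, 0xB0))  # constructed 16-byte XOR key
SAMPLE_BLOB = base64.b64encode(xor_bytes(build_fake_pe(), SAMPLE_KEY))
```

Feeding the wrong key, or skipping the XOR step, leaves the MZ/PE check failing, which is the quick triage signal that the layering or key guess is off.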

References
2022-09-07, Cisco Talos, Jung soo An, Asheer Malhotra, Vitor Ventura: MagicRAT: Lazarus’ latest gateway into victim networks
@online{an:20220907:magicrat:efb6a3d, author = {Jung soo An and Asheer Malhotra and Vitor Ventura}, title = {{MagicRAT: Lazarus’ latest gateway into victim networks}}, date = {2022-09-07}, organization = {Cisco Talos}, url = {https://blog.talosintelligence.com/2022/09/lazarus-magicrat.html}, language = {English}, urldate = {2022-09-16} }
Families: MagicRAT, Tiger RAT

2021-12-22, Threatray, Markel Picado Ortiz: Establishing the TigerRAT and TigerDownloader Malware Families
@techreport{ortiz:20211222:establishing:41e5885, author = {Markel Picado Ortiz}, title = {{Establishing the TigerRAT and TigerDownloader Malware Families}}, date = {2021-12-22}, institution = {Threatray}, url = {https://threatray.com/wp-content/uploads/2021/12/threatray-establishing-the-tigerrat-and-tigerdownloader-malware-families.pdf}, language = {English}, urldate = {2021-12-31} }
Families: Tiger RAT

2021-12-03, vmware, VMWare: TigerRAT – Advanced Adversaries on the Prowl
@online{vmware:20211203:tigerrat:3388e2c, author = {VMWare}, title = {{TigerRAT – Advanced Adversaries on the Prowl}}, date = {2021-12-03}, organization = {vmware}, url = {https://blogs.vmware.com/security/2021/12/tigerrat-advanced-adversaries-on-the-prowl.html}, language = {English}, urldate = {2021-12-06} }
Families: Tiger RAT

2021-09-02, KrCert, KrCERT: TTPs#6 Targeted Watering Hole Attack Strategy Analysis (SILENT CHOLLIMA) (in Korean)
@techreport{krcert:20210902:ttps6:3198c89, author = {KrCERT}, title = {{TTPs#6 Targeted Watering Hole Attack Strategy Analysis (SILENT CHOLLIMA)}}, date = {2021-09-02}, institution = {KrCert}, url = {https://www.krcert.or.kr/filedownload.do?attach_file_seq=3277&attach_file_id=EpF3277.pdf}, language = {Korean}, urldate = {2021-09-09} }
Families: Tiger RAT

2021-07-15, BrightTALK, Mathieu Gaucheler, Ariel Jungheit, Kaspersky, Vicente Diaz: Visual investigations - Speed up your IR, Forensic Analysis and Hunting
@online{gaucheler:20210715:visual:79b00a1, author = {Mathieu Gaucheler and Ariel Jungheit and Kaspersky and Vicente Diaz}, title = {{Visual investigations - Speed up your IR, Forensic Analysis and Hunting}}, date = {2021-07-15}, organization = {BrightTALK}, url = {https://www.brighttalk.com/webcast/18282/493986}, language = {English}, urldate = {2021-11-03} }
Families: Tiger RAT

2021-06-15, Kaspersky, Seongsu Park: Andariel evolves to target South Korea with ransomware
@online{park:20210615:andariel:1e000a0, author = {Seongsu Park}, title = {{Andariel evolves to target South Korea with ransomware}}, date = {2021-06-15}, organization = {Kaspersky}, url = {https://securelist.com/andariel-evolves-to-target-south-korea-with-ransomware/102811/}, language = {English}, urldate = {2021-11-03} }
Families: BISTROMATH, PEBBLEDASH, Tiger RAT, Unidentified 081 (Andariel Ransomware)
Yara Rules
[TLP:WHITE] win_tiger_rat_auto (20220808 | Detects win.tiger_rat.)
rule win_tiger_rat_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2022-08-05"
        version = "1"
        description = "Detects win.tiger_rat."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.tiger_rat"
        malpedia_rule_date = "20220805"
        malpedia_hash = "6ec06c64bcfdbeda64eff021c766b4ce34542b71"
        malpedia_version = "20220808"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 4863d0 898318010000 440fb6441a18 4103c8 }
            // n = 4, score = 200
            // (disassembly below is x64; the generator's original annotations decoded these bytes as 32-bit code)
            //   4863d0               | movsxd              rdx, eax
            //   898318010000         | mov                 dword ptr [rbx + 0x118], eax
            //   440fb6441a18         | movzx               r8d, byte ptr [rdx + rbx + 0x18]
            //   4103c8               | add                 ecx, r8d

        $sequence_1 = { 41b880000000 e8???????? 8d4641 488d4c2440 }
            // n = 4, score = 200
            //   41b880000000         | mov                 r8d, 0x80
            //   e8????????           | call                (rel32 wildcarded)
            //   8d4641               | lea                 eax, [rsi + 0x41]
            //   488d4c2440           | lea                 rcx, [rsp + 0x40]

        $sequence_2 = { 41b880000000 83f81c 7f20 ffc8 }
            // n = 4, score = 200
            //   41b880000000         | mov                 r8d, 0x80
            //   83f81c               | cmp                 eax, 0x1c
            //   7f20                 | jg                  +0x20
            //   ffc8                 | dec                 eax

        $sequence_3 = { 41b880000000 440fb60c3a 41d3f8 4522c8 41d2e1 410fb6cb }
            // n = 6, score = 200
            //   41b880000000         | mov                 r8d, 0x80
            //   440fb60c3a           | movzx               r9d, byte ptr [rdx + rdi]
            //   41d3f8               | sar                 r8d, cl
            //   4522c8               | and                 r9b, r8b
            //   41d2e1               | shl                 r9b, cl
            //   410fb6cb             | movzx               ecx, r11b

        $sequence_4 = { 4863d0 898320020000 440fb6841a20010000 4103c8 }
            // n = 4, score = 200
            //   4863d0               | movsxd              rdx, eax
            //   898320020000         | mov                 dword ptr [rbx + 0x220], eax
            //   440fb6841a20010000   | movzx               r8d, byte ptr [rdx + rbx + 0x120]
            //   4103c8               | add                 ecx, r8d

        $sequence_5 = { 4863d1 4903d2 420fb6542a08 eb1f }
            // n = 4, score = 200
            //   4863d1               | movsxd              rdx, ecx
            //   4903d2               | add                 rdx, r10
            //   420fb6542a08         | movzx               edx, byte ptr [rdx + r13 + 8]
            //   eb1f                 | jmp                 +0x1f

        $sequence_6 = { 41b882000000 4889742420 4403cb e8???????? }
            // n = 4, score = 200
            //   41b882000000         | mov                 r8d, 0x82
            //   4889742420           | mov                 qword ptr [rsp + 0x20], rsi
            //   4403cb               | add                 r9d, ebx
            //   e8????????           | call                (rel32 wildcarded)

        $sequence_7 = { 4863d1 4903d2 420fb6542a0c 8bc8 }
            // n = 4, score = 200
            //   4863d1               | movsxd              rdx, ecx
            //   4903d2               | add                 rdx, r10
            //   420fb6542a0c         | movzx               edx, byte ptr [rdx + r13 + 0xc]
            //   8bc8                 | mov                 ecx, eax

        $sequence_8 = { 440fbfd1 894d9f 41f7da 0f846f030000 4585d2 7911 4c8d0d33ec0000 }
            // n = 7, score = 100
            //   440fbfd1             | movsx               r10d, cx
            //   894d9f               | mov                 dword ptr [rbp - 0x61], ecx
            //   41f7da               | neg                 r10d
            //   0f846f030000         | je                  +0x36f
            //   4585d2               | test                r10d, r10d
            //   7911                 | jns                 +0x11
            //   4c8d0d33ec0000       | lea                 r9, [rip + 0xec33]

        $sequence_9 = { 488d542450 488d4c2420 e8???????? 488d0579ee0000 }
            // n = 4, score = 100
            //   488d542450           | lea                 rdx, [rsp + 0x50]
            //   488d4c2420           | lea                 rcx, [rsp + 0x20]
            //   e8????????           | call                (rel32 wildcarded)
            //   488d0579ee0000       | lea                 rax, [rip + 0xee79]

        $sequence_10 = { 99 83e203 03c2 c1f802 4863c8 e8???????? 4c8be0 }
            // n = 7, score = 100
            //   99                   | cdq
            //   83e203               | and                 edx, 3
            //   03c2                 | add                 eax, edx
            //   c1f802               | sar                 eax, 2
            //   4863c8               | movsxd              rcx, eax
            //   e8????????           | call                (rel32 wildcarded)
            //   4c8be0               | mov                 r12, rax

        $sequence_11 = { 440faf35???????? 8b13 8b4bf8 448b43fc 4903d7 4803cf }
            // n = 6, score = 100
            //   440faf35????????     | imul                r14d, dword ptr [rip + ?] (disp32 wildcarded)
            //   8b13                 | mov                 edx, dword ptr [rbx]
            //   8b4bf8               | mov                 ecx, dword ptr [rbx - 8]
            //   448b43fc             | mov                 r8d, dword ptr [rbx - 4]
            //   4903d7               | add                 rdx, r15
            //   4803cf               | add                 rcx, rdi

        $sequence_12 = { e8???????? 85c0 74ce 8b05???????? }
            // n = 4, score = 100
            //   e8????????           | call                (rel32 wildcarded)
            //   85c0                 | test                eax, eax
            //   74ce                 | je                  -0x32
            //   8b05????????         | mov                 eax, dword ptr [rip + ?] (disp32 wildcarded)

        $sequence_13 = { ff15???????? 488d1559c10000 483305???????? 488bcb 488905???????? }
            // n = 5, score = 100
            //   ff15????????         | call                qword ptr [rip + ?] (disp32 wildcarded)
            //   488d1559c10000       | lea                 rdx, [rip + 0xc159]
            //   483305????????       | xor                 rax, qword ptr [rip + ?] (disp32 wildcarded)
            //   488bcb               | mov                 rcx, rbx
            //   488905????????       | mov                 qword ptr [rip + ?], rax (disp32 wildcarded)

        $sequence_14 = { 4c8d05738d0000 388c2498000000 0f94c1 4803d9 482bfb 4983feff }
            // n = 6, score = 100
            //   4c8d05738d0000       | lea                 r8, [rip + 0x8d73]
            //   388c2498000000       | cmp                 byte ptr [rsp + 0x98], cl
            //   0f94c1               | sete                cl
            //   4803d9               | add                 rbx, rcx
            //   482bfb               | sub                 rdi, rbx
            //   4983feff             | cmp                 r14, -1

        $sequence_15 = { 4883ec30 498bd8 e8???????? 488bc8 4885c0 0f84af000000 }
            // n = 6, score = 100
            //   4883ec30             | sub                 rsp, 0x30
            //   498bd8               | mov                 rbx, r8
            //   e8????????           | call                (rel32 wildcarded)
            //   488bc8               | mov                 rcx, rax
            //   4885c0               | test                rax, rax
            //   0f84af000000         | je                  +0xaf

    condition:
        7 of them and filesize < 557056
}