SYMBOLCOMMON_NAMEaka. SYNONYMS
win.tiger_rat (Back to overview)

Tiger RAT

Actor(s): Silent Chollima

This is third stage backdoor mentioned in the Kaspersky blog, "Andariel evolves to target South Korea with ransomware". The third stage payload was created via the second stage payload, is interactively executed in the operation and exists in both x64 and x86 versions. Most of them use Internet Explorer or Google Chrome icons and corresponding file names to disguise themselves as legitimate internet browsers. The malware decrypts the embedded payload at runtime. It uses an embedded 16-byte XOR key to decrypt the base64 encoded payload. The decrypted payload is another portable executable file that runs in memory. Before getting decrypted with a hardcoded XOR key, the backdoor also checks for sandbox environment.
The backdoor has some code overlap with a know malware family PEBBLEDASH, attributed to Lazarus/LABYRINTH CHOLLIMA.

References
2023-11-10AhnLabASEC Analysis Team
@online{team:20231110:detection:6c90ee7, author = {ASEC Analysis Team}, title = {{Detection of attacks exploiting asset management software (Andariel Group)}}, date = {2023-11-10}, organization = {AhnLab}, url = {https://asec.ahnlab.com/ko/58215/}, language = {Korean}, urldate = {2023-11-28} } Detection of attacks exploiting asset management software (Andariel Group)
Lilith Tiger RAT
2023-08-31AhnLabSanseo
@online{sanseo:20230831:analysis:c771be9, author = {Sanseo}, title = {{Analysis of Andariel’s New Attack Activities}}, date = {2023-08-31}, organization = {AhnLab}, url = {https://asec.ahnlab.com/en/56405/}, language = {English}, urldate = {2023-09-01} } Analysis of Andariel’s New Attack Activities
Andardoor BlackRemote Tiger RAT Volgmer
2023-08-22AhnLabASEC Analysis Team
@online{team:20230822:analyzing:a2e958c, author = {ASEC Analysis Team}, title = {{Analyzing the new attack activity of the Andariel group}}, date = {2023-08-22}, organization = {AhnLab}, url = {https://asec.ahnlab.com/ko/56256/}, language = {Korean}, urldate = {2023-08-28} } Analyzing the new attack activity of the Andariel group
Andardoor MimiKatz QuiteRAT Tiger RAT Volgmer
2023-02-09NSA, FBI, CISA, HHS, ROK, DSA
@techreport{nsa:20230209:stopransomware:87d3a94, author = {NSA and FBI and CISA and HHS and ROK and DSA}, title = {{#StopRansomware: Ransomware Attacks on Critical Infrastructure Fund DPRK Malicious Cyber Activities}}, date = {2023-02-09}, institution = {}, url = {https://media.defense.gov/2023/Feb/09/2003159161/-1/-1/0/CSA_RANSOMWARE_ATTACKS_ON_CI_FUND_DPRK_ACTIVITIES.PDF}, language = {English}, urldate = {2023-08-25} } #StopRansomware: Ransomware Attacks on Critical Infrastructure Fund DPRK Malicious Cyber Activities
Dtrack MagicRAT Maui Ransomware SiennaBlue SiennaPurple Tiger RAT YamaBot
2023-01-05AttackIQFrancis Guibernau, Ken Towne
@online{guibernau:20230105:emulating:04eb5ed, author = {Francis Guibernau and Ken Towne}, title = {{Emulating the Highly Sophisticated North Korean Adversary Lazarus Group}}, date = {2023-01-05}, organization = {AttackIQ}, url = {https://www.attackiq.com/2023/01/05/emulating-the-highly-sophisticated-north-korean-adversary-lazarus-group/}, language = {English}, urldate = {2023-01-10} } Emulating the Highly Sophisticated North Korean Adversary Lazarus Group
MagicRAT Tiger RAT
2022-09-07Cisco TalosJung soo An, Asheer Malhotra, Vitor Ventura
@online{an:20220907:magicrat:efb6a3d, author = {Jung soo An and Asheer Malhotra and Vitor Ventura}, title = {{MagicRAT: Lazarus’ latest gateway into victim networks}}, date = {2022-09-07}, organization = {Cisco Talos}, url = {https://blog.talosintelligence.com/2022/09/lazarus-magicrat.html}, language = {English}, urldate = {2022-09-16} } MagicRAT: Lazarus’ latest gateway into victim networks
MagicRAT Tiger RAT
2021-12-22ThreatrayMarkel Picado Ortiz
@techreport{ortiz:20211222:establishing:41e5885, author = {Markel Picado Ortiz}, title = {{Establishing the TigerRAT and TigerDownloader Malware Families}}, date = {2021-12-22}, institution = {Threatray}, url = {https://threatray.com/wp-content/uploads/2021/12/threatray-establishing-the-tigerrat-and-tigerdownloader-malware-families.pdf}, language = {English}, urldate = {2023-09-22} } Establishing the TigerRAT and TigerDownloader Malware Families
TigerLite Tiger RAT
2021-12-03vmwareVMWare
@online{vmware:20211203:tigerrat:3388e2c, author = {VMWare}, title = {{TigerRAT – Advanced Adversaries on the Prowl}}, date = {2021-12-03}, organization = {vmware}, url = {https://blogs.vmware.com/security/2021/12/tigerrat-advanced-adversaries-on-the-prowl.html}, language = {English}, urldate = {2021-12-06} } TigerRAT – Advanced Adversaries on the Prowl
Tiger RAT
2021-11-10AhnLabASEC Analysis Team
@techreport{team:20211110:analysis:9630125, author = {ASEC Analysis Team}, title = {{Analysis Report of Lazarus Group’s NukeSped Malware}}, date = {2021-11-10}, institution = {AhnLab}, url = {https://asec.ahnlab.com/wp-content/uploads/2021/11/Lazarus-%EA%B7%B8%EB%A3%B9%EC%9D%98-NukeSped-%EC%95%85%EC%84%B1%EC%BD%94%EB%93%9C-%EB%B6%84%EC%84%9D-%EB%B3%B4%EA%B3%A0%EC%84%9C.pdf}, language = {Korean}, urldate = {2023-08-17} } Analysis Report of Lazarus Group’s NukeSped Malware
DarkComet Tiger RAT
2021-09-02KrCertKrCERT
@techreport{krcert:20210902:ttps6:3198c89, author = {KrCERT}, title = {{TTPs#6 Targeted Watering Hole Attack Strategy Analysis (SILENT CHOLLIMA)}}, date = {2021-09-02}, institution = {KrCert}, url = {https://www.krcert.or.kr/filedownload.do?attach_file_seq=3277&attach_file_id=EpF3277.pdf}, language = {Korean}, urldate = {2021-09-09} } TTPs#6 Targeted Watering Hole Attack Strategy Analysis (SILENT CHOLLIMA)
Tiger RAT
2021-07-15BrightTALKMathieu Gaucheler, Ariel Jungheit, Kaspersky, Vicente Diaz
@online{gaucheler:20210715:visual:79b00a1, author = {Mathieu Gaucheler and Ariel Jungheit and Kaspersky and Vicente Diaz}, title = {{Visual investigations - Speed up your IR, Forensic Analysis and Hunting}}, date = {2021-07-15}, organization = {BrightTALK}, url = {https://www.brighttalk.com/webcast/18282/493986}, language = {English}, urldate = {2021-11-03} } Visual investigations - Speed up your IR, Forensic Analysis and Hunting
Tiger RAT
2021-06-15KasperskySeongsu Park
@online{park:20210615:andariel:1e000a0, author = {Seongsu Park}, title = {{Andariel evolves to target South Korea with ransomware}}, date = {2021-06-15}, organization = {Kaspersky}, url = {https://securelist.com/andariel-evolves-to-target-south-korea-with-ransomware/102811/}, language = {English}, urldate = {2023-09-22} } Andariel evolves to target South Korea with ransomware
BISTROMATH PEBBLEDASH TigerLite Tiger RAT Unidentified 081 (Andariel Ransomware)
Yara Rules
[TLP:WHITE] win_tiger_rat_auto (20230808 | Detects win.tiger_rat.)
rule win_tiger_rat_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-12-06"
        version = "1"
        description = "Detects win.tiger_rat."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.tiger_rat"
        malpedia_rule_date = "20231130"
        malpedia_hash = "fc8a0e9f343f6d6ded9e7df1a64dac0cc68d7351"
        malpedia_version = "20230808"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 4883c128 4889742448 48897c2450 ff15???????? }
            // n = 4, score = 200
            //   4883c128             | mov                 eax, dword ptr [esi + 0x18]
            //   4889742448           | inc                 ecx
            //   48897c2450           | mov                 ecx, 1
            //   ff15????????         |                     

        $sequence_1 = { 0f11400c 488b4e28 488b5618 488b01 ff5010 }
            // n = 5, score = 200
            //   0f11400c             | mov                 ecx, dword ptr [edi + 0x28]
            //   488b4e28             | dec                 eax
            //   488b5618             | mov                 edx, dword ptr [edi + 0x18]
            //   488b01               | dec                 eax
            //   ff5010               | mov                 eax, dword ptr [ecx]

        $sequence_2 = { 4883c108 e8???????? 4d8b4618 41b901000000 }
            // n = 4, score = 200
            //   4883c108             | cmp                 eax, eax
            //   e8????????           |                     
            //   4d8b4618             | jl                  0xfffffff4
            //   41b901000000         | jmp                 0xd

        $sequence_3 = { 33d2 41b80c000100 488bd8 e8???????? 4c63442430 488b4f08 }
            // n = 6, score = 200
            //   33d2                 | dec                 ecx
            //   41b80c000100         | mov                 dword ptr [ecx + eax*8], edx
            //   488bd8               | dec                 eax
            //   e8????????           |                     
            //   4c63442430           | add                 ecx, 8
            //   488b4f08             | inc                 ecx

        $sequence_4 = { 4883c108 413bc0 7cef eb06 4898 }
            // n = 5, score = 200
            //   4883c108             | cmp                 eax, 0x1770
            //   413bc0               | jl                  0xfffffffd
            //   7cef                 | dec                 eax
            //   eb06                 | mov                 ecx, eax
            //   4898                 | mov                 edx, 0xa

        $sequence_5 = { 4883c110 e8???????? 896e30 381f }
            // n = 4, score = 200
            //   4883c110             | mov                 eax, dword ptr [esi + 0x18]
            //   e8????????           |                     
            //   896e30               | inc                 ecx
            //   381f                 | mov                 ecx, 1

        $sequence_6 = { 4883c10c e8???????? 488b4f28 488b5718 }
            // n = 4, score = 200
            //   4883c10c             | mov                 dword ptr [ecx + eax*8], edx
            //   e8????????           |                     
            //   488b4f28             | mov                 ecx, 0x50
            //   488b5718             | dec                 eax

        $sequence_7 = { 4883c110 48c741180f000000 33ed 48896910 408829 48c746500f000000 }
            // n = 6, score = 200
            //   4883c110             | dec                 esp
            //   48c741180f000000     | arpl                word ptr [esp + 0x30], ax
            //   33ed                 | dec                 eax
            //   48896910             | mov                 ecx, dword ptr [edi + 8]
            //   408829               | dec                 eax
            //   48c746500f000000     | add                 ecx, 8

        $sequence_8 = { 7ce0 488bce ff15???????? 8b0d???????? }
            // n = 4, score = 100
            //   7ce0                 | mov                 esi, esp
            //   488bce               | dec                 esp
            //   ff15????????         |                     
            //   8b0d????????         |                     

        $sequence_9 = { ff15???????? 488bc8 ff15???????? ba0a000000 }
            // n = 4, score = 100
            //   ff15????????         |                     
            //   488bc8               | jae                 0xd4
            //   ff15????????         |                     
            //   ba0a000000           | dec                 eax

        $sequence_10 = { 0b05???????? 8905???????? ff15???????? ff15???????? b9e8030000 8bd8 }
            // n = 6, score = 100
            //   0b05????????         |                     
            //   8905????????         |                     
            //   ff15????????         |                     
            //   ff15????????         |                     
            //   b9e8030000           | mov                 dword ptr [esp + 0x78], ebp
            //   8bd8                 | dec                 esp

        $sequence_11 = { 4c2bf3 8905???????? 493bf7 0f83c8000000 48896c2478 4c896c2430 41bd00f00000 }
            // n = 7, score = 100
            //   4c2bf3               | add                 edi, esi
            //   8905????????         |                     
            //   493bf7               | dec                 esp
            //   0f83c8000000         | sub                 esi, ebx
            //   48896c2478           | jl                  0xffffffe2
            //   4c896c2430           | dec                 eax
            //   41bd00f00000         | mov                 ecx, esi

        $sequence_12 = { c705????????02000000 488905???????? 488d0556eb0100 48891d???????? 488905???????? 33c0 488905???????? }
            // n = 7, score = 100
            //   c705????????02000000     |     
            //   488905????????       |                     
            //   488d0556eb0100       | mov                 dword ptr [esp + 0x30], ebp
            //   48891d????????       |                     
            //   488905????????       |                     
            //   33c0                 | inc                 ecx
            //   488905????????       |                     

        $sequence_13 = { 8b05???????? 4d8bf4 2305???????? 4c03fe 4c2bf3 8905???????? }
            // n = 6, score = 100
            //   8b05????????         |                     
            //   4d8bf4               | mov                 eax, 1
            //   2305????????         |                     
            //   4c03fe               | jmp                 0x60
            //   4c2bf3               | dec                 ebp
            //   8905????????         |                     

        $sequence_14 = { 4c8d35046c0100 49833cde00 7407 b801000000 eb5e }
            // n = 5, score = 100
            //   4c8d35046c0100       | dec                 esp
            //   49833cde00           | lea                 esi, [0x16c04]
            //   7407                 | dec                 ecx
            //   b801000000           | cmp                 dword ptr [esi + ebx*8], 0
            //   eb5e                 | je                  9

        $sequence_15 = { 8bd8 e8???????? 2bc3 3d70170000 7cf2 e8???????? }
            // n = 6, score = 100
            //   8bd8                 | dec                 esp
            //   e8????????           |                     
            //   2bc3                 | sub                 esi, ebx
            //   3d70170000           | dec                 ecx
            //   7cf2                 | cmp                 esi, edi
            //   e8????????           |                     

    condition:
        7 of them and filesize < 557056
}
Download all Yara Rules