win.tiger_rat

Tiger RAT

Actor(s): Silent Chollima


This is the third-stage backdoor described in the Kaspersky blog post "Andariel evolves to target South Korea with ransomware". The third-stage payload is created by the second-stage payload, is executed interactively during the operation, and exists in both x64 and x86 versions. Most samples use Internet Explorer or Google Chrome icons and matching file names to pose as legitimate web browsers. The malware decrypts its embedded payload at runtime: it uses an embedded 16-byte XOR key to decrypt the base64-encoded payload. The decrypted payload is another portable executable file that runs in memory. Before decrypting with the hardcoded XOR key, the backdoor also checks for a sandbox environment.
The backdoor has some code overlap with the known malware family PEBBLEDASH, which is attributed to Lazarus/LABYRINTH CHOLLIMA.
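The decryption chain the description gives (a base64-encoded payload decrypted with a 16-byte repeating XOR key, yielding a PE that is run in memory) as an added Python example; this is not code from the page or from the Kaspersky analysis. It assumes base64 decoding precedes the XOR, and goes beyond the text by recovering the key from the standard MS linker DOS stub at offset 0x40 as known plaintext, which only works if the embedded payload was linked with that stub; the sample blob and key are constructed.

```python
import base64
import struct
from typing import Optional

KEY_LEN = 16  # the page states the backdoor embeds a 16-byte XOR key

# First 16 bytes of the stock MS linker DOS stub found at offset 0x40 of
# most PE files; used as known plaintext for key recovery (assumption: the
# embedded payload was linked with that standard stub).
DOS_STUB16 = bytes.fromhex("0e1fba0e00b409cd21b8014ccd215468")


def xor_repeating(data: bytes, key: bytes) -> bytes:
    """XOR data with a repeating key; XOR is its own inverse."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def decode_payload(b64_blob: bytes, key: bytes) -> bytes:
    """Base64-decode, then XOR-decrypt (assumed order of the two steps)."""
    return xor_repeating(base64.b64decode(b64_blob), key)


def looks_like_pe(buf: bytes) -> bool:
    """Sanity check on the result: 'MZ' header and 'PE\\0\\0' at e_lfanew."""
    if len(buf) < 0x40 or buf[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", buf, 0x3C)[0]
    return buf[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def recover_key(b64_blob: bytes) -> Optional[bytes]:
    """Recover the key from the DOS stub window at 0x40..0x4F: 0x40 % 16 == 0,
    so that window lines up with key positions 0..15. Verified before return."""
    enc = base64.b64decode(b64_blob)
    if len(enc) < 0x40 + KEY_LEN:
        return None
    key = xor_repeating(enc[0x40:0x40 + KEY_LEN], DOS_STUB16)
    return key if looks_like_pe(xor_repeating(enc, key)) else None


# Constructed sample so the module runs stand-alone: a minimal fake PE image
# with the stock DOS stub, XOR-encrypted with a constructed key and then
# base64-encoded, the way the stage would embed it.
SAMPLE_KEY = bytes(range(0xA0, 0xB0))


def _fake_pe() -> bytes:
    img = bytearray(b"MZ" + b"\x00" * 0x3A + struct.pack("<I", 0x80))  # e_lfanew = 0x80
    img += DOS_STUB16 + b"is program cannot be run in DOS mode.\r\n$"
    img += b"\x00" * (0x80 - len(img)) + b"PE\x00\x00\x64\x86" + b"\x00" * 0x20
    return bytes(img)


SAMPLE_BLOB = base64.b64encode(xor_repeating(_fake_pe(), SAMPLE_KEY))
```

On a real sample, `recover_key` returning `None` means the stub assumption does not hold and the key must be pulled from the binary instead.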

References

2023-11-10 | AhnLab | ASEC Analysis Team
    Detection of attacks exploiting asset management software (Andariel Group)
    Families: Lilith, Tiger RAT

2023-08-31 | AhnLab | Sanseo
    Analysis of Andariel's New Attack Activities
    Families: Andardoor, BlackRemote, Tiger RAT, Volgmer

2023-08-22 | AhnLab | ASEC Analysis Team
    Analyzing the new attack activity of the Andariel group
    Families: Andardoor, MimiKatz, QuiteRAT, Tiger RAT, Volgmer

2023-02-09 | CISA, DSA, FBI, HHS, NSA, ROK
    #StopRansomware: Ransomware Attacks on Critical Infrastructure Fund DPRK Malicious Cyber Activities
    Families: Dtrack, MagicRAT, Maui Ransomware, SiennaBlue, SiennaPurple, Tiger RAT, YamaBot

2023-01-05 | AttackIQ | Francis Guibernau, Ken Towne
    Emulating the Highly Sophisticated North Korean Adversary Lazarus Group
    Families: MagicRAT, Tiger RAT

2022-09-07 | Cisco Talos | Asheer Malhotra, Jung soo An, Vitor Ventura
    MagicRAT: Lazarus' latest gateway into victim networks
    Families: MagicRAT, Tiger RAT

2021-12-22 | Threatray | Markel Picado Ortiz
    Establishing the TigerRAT and TigerDownloader Malware Families
    Families: TigerLite, Tiger RAT

2021-12-03 | vmware | VMWare
    TigerRAT - Advanced Adversaries on the Prowl
    Families: Tiger RAT

2021-11-10 | AhnLab | ASEC Analysis Team
    Analysis Report of Lazarus Group's NukeSped Malware
    Families: DarkComet, Tiger RAT

2021-09-02 | KrCert | KrCERT
    TTPs#6 Targeted Watering Hole Attack Strategy Analysis (SILENT CHOLLIMA)
    Families: Tiger RAT

2021-07-15 | BrightTALK | Ariel Jungheit, Kaspersky, Mathieu Gaucheler, Vicente Diaz
    Visual investigations - Speed up your IR, Forensic Analysis and Hunting
    Families: Tiger RAT

2021-06-15 | Kaspersky | Seongsu Park
    Andariel evolves to target South Korea with ransomware
    Families: BISTROMATH, PEBBLEDASH, SHATTEREDGLASS, TigerLite, Tiger RAT
Yara Rules
[TLP:WHITE] win_tiger_rat_auto (20260504 | Detects win.tiger_rat.)
rule win_tiger_rat_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2026-05-04"
        version = "1"
        description = "Detects win.tiger_rat."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.tiger_rat"
        malpedia_rule_date = "20260422"
        malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14"
        malpedia_version = "20260504"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 458bc1 8bc8 440fb60c3a 41d3f8 }
            // n = 4, score = 200
            //   458bc1               | dec                 eax
            //   8bc8                 | test                eax, eax
            //   440fb60c3a           | je                  0xb5
            //   41d3f8               | dec                 eax

        $sequence_1 = { 4103c8 458bd8 81e1ff000080 7d0a ffc9 81c900ffffff }
            // n = 6, score = 200
            //   4103c8               | lea                 ecx, [esp + 0x38]
            //   458bd8               | xor                 ecx, ecx
            //   81e1ff000080         | dec                 eax
            //   7d0a                 | mov                 dword ptr [esp + 0x28], ebx
            //   ffc9                 | mov                 byte ptr [esi + 0x42], 1
            //   81c900ffffff         | mov                 dword ptr [esp + 0x20], ebx

        $sequence_2 = { 0f11442440 0f849b000000 498d4d28 ff15???????? 498b7520 4c8d4c2438 }
            // n = 6, score = 200
            //   0f11442440           | lea                 edx, [ebp + 0x67]
            //   0f849b000000         | mov                 ebx, eax
            //   498d4d28             | dec                 eax
            //   ff15????????         |                     
            //   498b7520             | lea                 ecx, [ebp + 0x6f]
            //   4c8d4c2438           | xor                 eax, eax

        $sequence_3 = { 488bf8 e8???????? 33db 4c8d0525ffffff }
            // n = 4, score = 200
            //   488bf8               | dec                 ecx
            //   e8????????           |                     
            //   33db                 | mov                 esi, dword ptr [ebp + 0x20]
            //   4c8d0525ffffff       | dec                 esp

        $sequence_4 = { 33c9 48895c2428 c6464201 895c2420 ff15???????? }
            // n = 5, score = 200
            //   33c9                 | dec                 eax
            //   48895c2428           | add                 esp, 0x68
            //   c6464201             | ret                 
            //   895c2420             | mov                 dword ptr [esp + 0x58], 0x17783708
            //   ff15????????         |                     

        $sequence_5 = { 4885c0 488905???????? 0f95c0 488b5c2438 4883c420 }
            // n = 5, score = 200
            //   4885c0               | movups              xmmword ptr [esp + 0x40], xmm0
            //   488905????????       |                     
            //   0f95c0               | je                  0xa1
            //   488b5c2438           | dec                 ecx
            //   4883c420             | lea                 ecx, [ebp + 0x28]

        $sequence_6 = { 83f901 743f 4c897c2450 8d79ff }
            // n = 4, score = 200
            //   83f901               | mov                 eax, dword ptr [eax]
            //   743f                 | dec                 eax
            //   4c897c2450           | mov                 dword ptr [esp + 0x40], edi
            //   8d79ff               | call                dword ptr [eax + 0x18]

        $sequence_7 = { 4885c0 7412 b001 488b5c2438 488b7c2440 }
            // n = 5, score = 200
            //   4885c0               | mov                 dword ptr [esp + 0x5c], 0x1a57354c
            //   7412                 | mov                 dword ptr [esp + 0x60], 0x422a
            //   b001                 | mov                 byte ptr [esp + 0x40], 0
            //   488b5c2438           | dec                 eax
            //   488b7c2440           | mov                 ecx, eax

        $sequence_8 = { 488b8424c0000000 448938 498bc4 4883c470 415f 415e }
            // n = 6, score = 100
            //   488b8424c0000000     | dec                 eax
            //   448938               | mov                 eax, dword ptr [esp + 0xc0]
            //   498bc4               | inc                 esp
            //   4883c470             | mov                 dword ptr [eax], edi
            //   415f                 | dec                 ecx
            //   415e                 | mov                 eax, esp

        $sequence_9 = { 33d2 41b8d0070000 488bcb f30f7f442430 c705????????12000000 }
            // n = 5, score = 100
            //   33d2                 | dec                 eax
            //   41b8d0070000         | add                 esp, 0x70
            //   488bcb               | inc                 ecx
            //   f30f7f442430         | pop                 edi
            //   c705????????12000000     |     

        $sequence_10 = { c3 48895c2408 57 4883ec20 488d1de7410100 488d3de0410100 }
            // n = 6, score = 100
            //   c3                   | inc                 ecx
            //   48895c2408           | pop                 esi
            //   57                   | xor                 edx, edx
            //   4883ec20             | inc                 ecx
            //   488d1de7410100       | mov                 eax, 0x7d0
            //   488d3de0410100       | dec                 eax

        $sequence_11 = { 488bcb e8???????? 8b0d???????? 41b800800000 030d???????? }
            // n = 5, score = 100
            //   488bcb               | mov                 ecx, ebx
            //   e8????????           |                     
            //   8b0d????????         |                     
            //   41b800800000         | movdqu              xmmword ptr [esp + 0x30], xmm0
            //   030d????????         |                     

        $sequence_12 = { 488bce c745f74511197b c745fb14483240 8905???????? c745ff5c6e560b 66c745035400 c705????????33000000 }
            // n = 7, score = 100
            //   488bce               | ret                 
            //   c745f74511197b       | dec                 eax
            //   c745fb14483240       | mov                 dword ptr [esp + 8], ebx
            //   8905????????         |                     
            //   c745ff5c6e560b       | push                edi
            //   66c745035400         | dec                 eax
            //   c705????????33000000     |     

        $sequence_13 = { 33c0 4883c468 c3 3305???????? }
            // n = 4, score = 100
            //   33c0                 | dec                 eax
            //   4883c468             | lea                 edi, [0x141e0]
            //   c3                   | dec                 eax
            //   3305????????         |                     

        $sequence_14 = { 488d5567 8bd8 0faf0d???????? 890d???????? 488d4d6f ff15???????? }
            // n = 6, score = 100
            //   488d5567             | sub                 esp, 0x20
            //   8bd8                 | dec                 eax
            //   0faf0d????????       |                     
            //   890d????????         |                     
            //   488d4d6f             | lea                 ebx, [0x141e7]
            //   ff15????????         |                     

        $sequence_15 = { c744245808377817 c744245c4c35571a 8905???????? c74424602a420000 c644244000 e8???????? }
            // n = 6, score = 100
            //   c744245808377817     | mov                 ecx, ebx
            //   c744245c4c35571a     | inc                 ecx
            //   8905????????         |                     
            //   c74424602a420000     | mov                 eax, 0x8000
            //   c644244000           | dec                 eax
            //   e8????????           |                     

    condition:
        7 of them and filesize < 557056
}