win.tiger_rat

Tiger RAT

Actor(s): Silent Chollima


This is the third-stage backdoor described in the Kaspersky blog post "Andariel evolves to target South Korea with ransomware". The third-stage payload is created by the second-stage payload, is executed interactively during the operation, and exists in both x64 and x86 versions. Most samples use Internet Explorer or Google Chrome icons and matching file names to disguise themselves as legitimate web browsers. The malware decrypts its embedded payload at runtime: it uses an embedded 16-byte XOR key to decrypt the base64-encoded payload, and the decrypted payload is another portable executable that runs in memory. Before decrypting the payload with the hardcoded XOR key, the backdoor also checks for a sandbox environment.
The backdoor shares some code with the known malware family PEBBLEDASH, attributed to Lazarus/LABYRINTH CHOLLIMA.
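As an added analyst-side example (not code from this entry or from any of the cited reports), the unpacking step described above: base64-decode the embedded blob, then undo a repeating 16-byte XOR. Since the key is not given here, the snippet recovers it by known plaintext from the DOS-stub string that the decrypted PE must contain and verifies the result against the MZ/PE headers; the decode-then-XOR order, the searched offset range and the sample blob are assumptions and constructed data.

```python
import base64
from itertools import cycle

# Known plaintext that MSVC-linked PEs carry in their DOS stub; it usually
# starts at offset 0x4E, but the offset is searched rather than assumed.
DOS_STUB_TEXT = b"This program cannot be run in DOS mode."
KEY_LEN = 16  # the entry above states a 16-byte embedded XOR key


def xor_repeating(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; symmetric, so it both encrypts and decrypts."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def looks_like_pe(buf: bytes) -> bool:
    """MZ signature plus an e_lfanew that points at a 'PE\\0\\0' signature."""
    if len(buf) < 0x40 or buf[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(buf[0x3C:0x40], "little")
    return buf[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def recover_key_and_payload(blob_b64: bytes):
    """Return (key, decrypted_pe) for a base64 + 16-byte-XOR blob, else None.

    Each candidate stub offset yields one key hypothesis (written at the right
    key phase); it must reproduce the whole stub string and valid PE headers.
    """
    ct = base64.b64decode(blob_b64)
    for off in range(0x40, min(len(ct) - len(DOS_STUB_TEXT), 0x200)):
        cand = bytearray(KEY_LEN)
        for i in range(KEY_LEN):
            cand[(off + i) % KEY_LEN] = ct[off + i] ^ DOS_STUB_TEXT[i]
        pt = xor_repeating(ct, bytes(cand))
        if pt[off:off + len(DOS_STUB_TEXT)] == DOS_STUB_TEXT and looks_like_pe(pt):
            return bytes(cand), pt
    return None


def build_sample(key: bytes) -> bytes:
    """Constructed stand-in for an encrypted stage: a minimal MZ/PE skeleton."""
    hdr = bytearray(0x100)
    hdr[0:2] = b"MZ"
    hdr[0x3C:0x40] = (0x80).to_bytes(4, "little")  # e_lfanew -> PE signature
    hdr[0x4E:0x4E + len(DOS_STUB_TEXT)] = DOS_STUB_TEXT
    hdr[0x80:0x84] = b"PE\x00\x00"
    return base64.b64encode(xor_repeating(bytes(hdr), key))


SAMPLE_KEY = bytes(range(0x10, 0x20))                 # constructed, not a real key
SAMPLE_BLOB = build_sample(SAMPLE_KEY)                # constructed encrypted stage
NOISE_BLOB = base64.b64encode(bytes(range(256)) * 2)  # constructed non-PE data
```

If a sample XORs before base64-encoding instead, swap the order of the two operations in recover_key_and_payload; the key-recovery logic is unchanged.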

References

2023-01-05, AttackIQ, Francis Guibernau and Ken Towne: "Emulating the Highly Sophisticated North Korean Adversary Lazarus Group" (English; accessed 2023-01-10). https://www.attackiq.com/2023/01/05/emulating-the-highly-sophisticated-north-korean-adversary-lazarus-group/
Families covered: MagicRAT, Tiger RAT

2022-09-07, Cisco Talos, Jung soo An, Asheer Malhotra and Vitor Ventura: "MagicRAT: Lazarus’ latest gateway into victim networks" (English; accessed 2022-09-16). https://blog.talosintelligence.com/2022/09/lazarus-magicrat.html
Families covered: MagicRAT, Tiger RAT

2021-12-22, Threatray, Markel Picado Ortiz: "Establishing the TigerRAT and TigerDownloader Malware Families" (technical report, English; accessed 2021-12-31). https://threatray.com/wp-content/uploads/2021/12/threatray-establishing-the-tigerrat-and-tigerdownloader-malware-families.pdf
Families covered: Tiger RAT

2021-12-03, VMware: "TigerRAT – Advanced Adversaries on the Prowl" (English; accessed 2021-12-06). https://blogs.vmware.com/security/2021/12/tigerrat-advanced-adversaries-on-the-prowl.html
Families covered: Tiger RAT

2021-09-02, KrCERT: "TTPs#6 Targeted Watering Hole Attack Strategy Analysis (SILENT CHOLLIMA)" (technical report, Korean; accessed 2021-09-09). https://www.krcert.or.kr/filedownload.do?attach_file_seq=3277&attach_file_id=EpF3277.pdf
Families covered: Tiger RAT

2021-07-15, BrightTALK, Mathieu Gaucheler, Ariel Jungheit, Kaspersky and Vicente Diaz: "Visual investigations - Speed up your IR, Forensic Analysis and Hunting" (webcast, English; accessed 2021-11-03). https://www.brighttalk.com/webcast/18282/493986
Families covered: Tiger RAT

2021-06-15, Kaspersky, Seongsu Park: "Andariel evolves to target South Korea with ransomware" (English; accessed 2021-11-03). https://securelist.com/andariel-evolves-to-target-south-korea-with-ransomware/102811/
Families covered: BISTROMATH, PEBBLEDASH, Tiger RAT, Unidentified 081 (Andariel Ransomware)
Yara Rules
[TLP:WHITE] win_tiger_rat_auto (version 20230125): Detects win.tiger_rat.
rule win_tiger_rat_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-01-25"
        version = "1"
        description = "Detects win.tiger_rat."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.tiger_rat"
        malpedia_rule_date = "20230124"
        malpedia_hash = "2ee0eebba83dce3d019a90519f2f972c0fcf9686"
        malpedia_version = "20230125"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    /* The disassembly in the comments below decodes each byte group as x64
     * code (REX prefixes folded into the instruction). Jump targets are
     * given relative to the start of the jump instruction itself, and "?"
     * marks a wildcarded displacement or immediate.
     */

    strings:
        $sequence_0 = { 2bdf eb05 bb00000100 488b4930 }
            // n = 4, score = 200
            //   2bdf                 | sub                 ebx, edi
            //   eb05                 | jmp                 0x7
            //   bb00000100           | mov                 ebx, 0x10000
            //   488b4930             | mov                 rcx, qword ptr [rcx + 0x30]

        $sequence_1 = { 2bd9 488d4c2430 ff15???????? 85db }
            // n = 4, score = 200
            //   2bd9                 | sub                 ebx, ecx
            //   488d4c2430           | lea                 rcx, [rsp + 0x30]
            //   ff15????????         | call                qword ptr [rip + ?]
            //   85db                 | test                ebx, ebx

        $sequence_2 = { 48833d????????00 7458 48833d????????00 744e }
            // n = 4, score = 200
            //   48833d????????00     | cmp                 qword ptr [rip + ?], 0
            //   7458                 | je                  0x5a
            //   48833d????????00     | cmp                 qword ptr [rip + ?], 0
            //   744e                 | je                  0x50

        $sequence_3 = { 2bd1 7508 4883c002 85c9 75ec 85d2 7422 }
            // n = 7, score = 200
            //   2bd1                 | sub                 edx, ecx
            //   7508                 | jne                 0xa
            //   4883c002             | add                 rax, 2
            //   85c9                 | test                ecx, ecx
            //   75ec                 | jne                 -0x12
            //   85d2                 | test                edx, edx
            //   7422                 | je                  0x24

        $sequence_4 = { 2bdf 448d4020 448bcb 48897c2420 }
            // n = 4, score = 200
            //   2bdf                 | sub                 ebx, edi
            //   448d4020             | lea                 r8d, [rax + 0x20]
            //   448bcb               | mov                 r9d, ebx
            //   48897c2420           | mov                 qword ptr [rsp + 0x20], rdi

        $sequence_5 = { 2bdf 448bcb 41b820000000 48897c2420 }
            // n = 4, score = 200
            //   2bdf                 | sub                 ebx, edi
            //   448bcb               | mov                 r9d, ebx
            //   41b820000000         | mov                 r8d, 0x20
            //   48897c2420           | mov                 qword ptr [rsp + 0x20], rdi

        $sequence_6 = { 48833d????????00 7459 48833d????????00 744f }
            // n = 4, score = 200
            //   48833d????????00     | cmp                 qword ptr [rip + ?], 0
            //   7459                 | je                  0x5b
            //   48833d????????00     | cmp                 qword ptr [rip + ?], 0
            //   744f                 | je                  0x51

        $sequence_7 = { 48833d????????00 7469 48833d????????00 745f }
            // n = 4, score = 200
            //   48833d????????00     | cmp                 qword ptr [rip + ?], 0
            //   7469                 | je                  0x6b
            //   48833d????????00     | cmp                 qword ptr [rip + ?], 0
            //   745f                 | je                  0x61

        $sequence_8 = { 7819 4898 483de4000000 730f 488d0d1d840000 4803c0 8b04c1 }
            // n = 7, score = 100
            //   7819                 | js                  0x1b
            //   4898                 | cdqe
            //   483de4000000         | cmp                 rax, 0xe4
            //   730f                 | jae                 0x11
            //   488d0d1d840000       | lea                 rcx, [rip + 0x841d]
            //   4803c0               | add                 rax, rax
            //   8b04c1               | mov                 eax, dword ptr [rcx + rax*8]

        $sequence_9 = { 7509 25ff0f0000 4c013428 4883c702 }
            // n = 4, score = 100
            //   7509                 | jne                 0xb
            //   25ff0f0000           | and                 eax, 0xfff
            //   4c013428             | add                 qword ptr [rax + rbp], r14
            //   4883c702             | add                 rdi, 2

        $sequence_10 = { 488907 48894708 488bd7 884710 e8???????? }
            // n = 5, score = 100
            //   488907               | mov                 qword ptr [rdi], rax
            //   48894708             | mov                 qword ptr [rdi + 8], rax
            //   488bd7               | mov                 rdx, rdi
            //   884710               | mov                 byte ptr [rdi + 0x10], al
            //   e8????????           | call                ?

        $sequence_11 = { c705????????4b000000 c744244000000000 ff15???????? 85c0 742c 8b05???????? 4533c9 }
            // n = 7, score = 100
            //   c705????????4b000000 | mov                 dword ptr [rip + ?], 0x4b
            //   c744244000000000     | mov                 dword ptr [rsp + 0x40], 0
            //   ff15????????         | call                qword ptr [rip + ?]
            //   85c0                 | test                eax, eax
            //   742c                 | je                  0x2e
            //   8b05????????         | mov                 eax, dword ptr [rip + ?]
            //   4533c9               | xor                 r9d, r9d

        $sequence_12 = { 55 488d6c24a9 4881ec90000000 8b05???????? }
            // n = 4, score = 100
            //   55                   | push                rbp
            //   488d6c24a9           | lea                 rbp, [rsp - 0x57]
            //   4881ec90000000       | sub                 rsp, 0x90
            //   8b05????????         | mov                 eax, dword ptr [rip + ?]

        $sequence_13 = { 48894708 488d0526ee0000 4533c0 33d2 }
            // n = 4, score = 100
            //   48894708             | mov                 qword ptr [rdi + 8], rax
            //   488d0526ee0000       | lea                 rax, [rip + 0xee26]
            //   4533c0               | xor                 r8d, r8d
            //   33d2                 | xor                 edx, edx

        $sequence_14 = { 8b0d???????? 41b800800000 030d???????? 498bd6 890d???????? 488bcd ff15???????? }
            // n = 7, score = 100
            //   8b0d????????         | mov                 ecx, dword ptr [rip + ?]
            //   41b800800000         | mov                 r8d, 0x8000
            //   030d????????         | add                 ecx, dword ptr [rip + ?]
            //   498bd6               | mov                 rdx, r14
            //   890d????????         | mov                 dword ptr [rip + ?], ecx
            //   488bcd               | mov                 rcx, rbp
            //   ff15????????         | call                qword ptr [rip + ?]

    condition:
        7 of them and filesize < 557056
}