win.tigerlite

TigerLite

Actor(s): Silent Chollima


TigerLite is a TCP downloader.

It creates a mutex with a name such as "qtrgads32" or "Microsoft32".

It decrypts its embedded strings with RC4 using the key "MicrosoftCorporationValidation@#$%^&*()!US", and protects its network traffic with a custom encryption and decryption algorithm.
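The following added example (not code from the original page, the Threatray write-up, or the malware itself) implements the RC4 key scheduling and keystream steps that such a string decryptor performs, using the key reported above. The page does not reproduce any real encrypted blob or describe how the encrypted strings are stored in the binary, so the sample ciphertext is constructed here by encrypting a plausible NUL-terminated string with that key; the `decrypt_string` helper and its NUL-stripping behaviour are assumptions for illustration. A known-answer test from the public RC4 test vectors is included so the routine can be checked independently of the TigerLite key.

```python
"""RC4 string decryption as reported for TigerLite (added example).

RC4 is symmetric: the same keystream XOR both encrypts and decrypts, so a
decryptor is just the cipher run over the stored blob with the fixed key.
"""

# Key reported on the page for TigerLite's string decryption.
TIGERLITE_RC4_KEY = b"MicrosoftCorporationValidation@#$%^&*()!US"


def rc4_ksa(key: bytes) -> list[int]:
    """Key-scheduling algorithm: derive the initial 256-byte permutation."""
    if not key:
        raise ValueError("RC4 key must be non-empty")
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    return s


def rc4_crypt(key: bytes, data: bytes) -> bytes:
    """Pseudo-random generation algorithm: XOR data with the keystream.

    Encrypts and decrypts alike because XOR is its own inverse.
    """
    s = rc4_ksa(key)
    i = j = 0
    out = bytearray(len(data))
    for n, byte in enumerate(data):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out[n] = byte ^ s[(s[i] + s[j]) & 0xFF]
    return bytes(out)


def decrypt_string(blob: bytes, key: bytes = TIGERLITE_RC4_KEY) -> str:
    """Decrypt one RC4-protected string blob with the reported key.

    Assumption (not stated on the page): the plaintext is a NUL-terminated
    C string, so everything from the first NUL onward is dropped.
    """
    plain = rc4_crypt(key, blob)
    return plain.split(b"\x00", 1)[0].decode("latin-1")


# Constructed sample: one of the mutex names from the page, NUL-terminated
# and encrypted with the reported key. A real analysis would carve the
# encrypted blobs out of an unpacked TigerLite binary instead.
SAMPLE_CIPHERTEXT = rc4_crypt(TIGERLITE_RC4_KEY, b"Microsoft32\x00")

if __name__ == "__main__":
    print("ciphertext:", SAMPLE_CIPHERTEXT.hex())
    print("plaintext: ", decrypt_string(SAMPLE_CIPHERTEXT))
```

Because RC4 with a fixed, hard-coded key provides no integrity, any blob decrypts to *something*; when carving strings from a sample, validate candidates by checking that the output is printable and NUL-terminated rather than trusting the decryption alone.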

Depending on the variant, it supports between 5 and 8 commands, drawn from the following identifiers: 1111, 1234, 2099/3333, 4444, 8877, 8888, 9876, 9999. Most commands perform some form of execution, either of code received from the server or of native Windows commands, with the output collected and sent back to the server.

TigerLite is an intermediate stage of a multi-stage attack; Tiger RAT is usually the next stage. The malware was observed in attacks against South Korean entities in H1 2021.

References
2021-12-22 | Threatray | Markel Picado Ortiz
Establishing the TigerRAT and TigerDownloader Malware Families
Families: TigerLite, Tiger RAT

2021-06-15 | Kaspersky | Seongsu Park
Andariel evolves to target South Korea with ransomware
Families: BISTROMATH, PEBBLEDASH, SHATTEREDGLASS, TigerLite, Tiger RAT

2021-05-11 | Qianxin | Red Raindrop Team
Analysis of a series of attacks by the suspected Lazarus organization using Daewoo Shipyard as relevant bait
Families: BISTROMATH, TigerLite

2021-04-19 | Malwarebytes | Hossein Jazi
Lazarus APT conceals malicious code within BMP image to drop its RAT
Families: TigerLite
Yara Rules
[TLP:WHITE] win_tigerlite_auto (20260504 | Detects win.tigerlite.)
rule win_tigerlite_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2026-05-04"
        version = "1"
        description = "Detects win.tigerlite."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.tigerlite"
        malpedia_rule_date = "20260422"
        malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14"
        malpedia_version = "20260504"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 0fb6c0 eb17 81fa00010000 7313 8a8798894100 }
            // n = 5, score = 100
            //   0fb6c0               | jae                 0x72
            //   eb17                 | dec                 eax
            //   81fa00010000         | mov                 eax, ebx
            //   7313                 | dec                 eax
            //   8a8798894100         | mov                 edi, ebx

        $sequence_1 = { 89442420 ff15???????? 4885c0 0f84cb010000 ba88130000 488bc8 ff15???????? }
            // n = 7, score = 100
            //   89442420             | dec                 eax
            //   ff15????????         |                     
            //   4885c0               | dec                 edi
            //   0f84cb010000         | jne                 0xffffffc7
            //   ba88130000           | dec                 eax
            //   488bc8               | inc                 ebx
            //   ff15????????         |                     

        $sequence_2 = { 8d85e9fdffff c685e8fdffff00 6a00 50 e8???????? 6807020000 }
            // n = 6, score = 100
            //   8d85e9fdffff         | or                  eax, ecx
            //   c685e8fdffff00       | dec                 ecx
            //   6a00                 | dec                 eax
            //   50                   | jne                 0xffffff99
            //   e8????????           |                     
            //   6807020000           | shl                 ecx, 6

        $sequence_3 = { c1f905 c1e706 8b0c8d489d4100 c644390400 85f6 740c }
            // n = 6, score = 100
            //   c1f905               | add                 ecx, 0xc
            //   c1e706               | mov                 eax, dword ptr [eax*4 + 0x419d48]
            //   8b0c8d489d4100       | add                 eax, ecx
            //   c644390400           | push                eax
            //   85f6                 | pop                 ebp
            //   740c                 | movzx               eax, al

        $sequence_4 = { 488905???????? 488d0517410000 48890d???????? 488905???????? 488d058a410000 488905???????? 488d057c350000 }
            // n = 7, score = 100
            //   488905????????       |                     
            //   488d0517410000       | dec                 eax
            //   48890d????????       |                     
            //   488905????????       |                     
            //   488d058a410000       | lea                 eax, [0x4117]
            //   488905????????       |                     
            //   488d057c350000       | dec                 eax

        $sequence_5 = { 48894610 4c8bc3 48894618 e8???????? }
            // n = 4, score = 100
            //   48894610             | mov                 byte ptr [esp + edx - 1], al
            //   4c8bc3               | inc                 esp
            //   48894618             | mov                 byte ptr [ecx], cl
            //   e8????????           |                     

        $sequence_6 = { 48ffc3 803c1e00 75f7 e9???????? }
            // n = 4, score = 100
            //   48ffc3               | dec                 eax
            //   803c1e00             | add                 ecx, eax
            //   75f7                 | movzx               eax, byte ptr [ecx]
            //   e9????????           |                     

        $sequence_7 = { 488d8d91000000 33d2 41b8ff030000 c6859000000000 e8???????? 488d1502c10100 }
            // n = 6, score = 100
            //   488d8d91000000       | cmp                 byte ptr [esi + ebx], 0
            //   33d2                 | jne                 0xfffffff9
            //   41b8ff030000         | dec                 eax
            //   c6859000000000       | mov                 dword ptr [esi + 0x10], eax
            //   e8????????           |                     
            //   488d1502c10100       | dec                 esp

        $sequence_8 = { 3b1d???????? 7370 488bc3 488bfb 48c1ff05 4c8d2570790100 83e01f }
            // n = 7, score = 100
            //   3b1d????????         |                     
            //   7370                 | mov                 eax, ebx
            //   488bc3               | dec                 eax
            //   488bfb               | mov                 dword ptr [esi + 0x18], eax
            //   48c1ff05             | mov                 dword ptr [esp + 0x20], eax
            //   4c8d2570790100       | dec                 eax
            //   83e01f               | test                eax, eax

        $sequence_9 = { c1e106 83c10c 8b0485489d4100 03c1 50 ff15???????? 5d }
            // n = 7, score = 100
            //   c1e106               | xor                 edx, edx
            //   83c10c               | inc                 ecx
            //   8b0485489d4100       | mov                 eax, 0x3ff
            //   03c1                 | mov                 byte ptr [ebp + 0x90], 0
            //   50                   | dec                 eax
            //   ff15????????         |                     
            //   5d                   | lea                 edx, [0x1c102]

        $sequence_10 = { 6a10 8d85d0f1ffff 50 56 }
            // n = 4, score = 100
            //   6a10                 | and                 eax, 0x1f
            //   8d85d0f1ffff         | shl                 edx, 0x11
            //   50                   | shr                 ecx, 8
            //   56                   | mov                 eax, edx

        $sequence_11 = { 488bc8 ff15???????? 488d1508ad0000 488bcb 488905???????? ff15???????? }
            // n = 6, score = 100
            //   488bc8               | lea                 eax, [0x418a]
            //   ff15????????         |                     
            //   488d1508ad0000       | dec                 eax
            //   488bcb               | lea                 eax, [0x357c]
            //   488905????????       |                     
            //   ff15????????         |                     

        $sequence_12 = { 83c404 56 ff15???????? b864000000 5f }
            // n = 5, score = 100
            //   83c404               | jmp                 0x19
            //   56                   | cmp                 edx, 0x100
            //   ff15????????         |                     
            //   b864000000           | jae                 0x1b
            //   5f                   | mov                 al, byte ptr [edi + 0x418998]

        $sequence_13 = { 4803c8 0fb601 884414ff 448809 48ffcf 75bb }
            // n = 6, score = 100
            //   4803c8               | dec                 eax
            //   0fb601               | mov                 ecx, eax
            //   884414ff             | dec                 eax
            //   448809               | lea                 edx, [0xad08]
            //   48ffcf               | dec                 eax
            //   75bb                 | mov                 ecx, ebx

        $sequence_14 = { 6a01 6a02 668985eaf7ffff ff15???????? 8bf0 }
            // n = 5, score = 100
            //   6a01                 | dec                 eax
            //   6a02                 | sar                 edi, 5
            //   668985eaf7ffff       | dec                 esp
            //   ff15????????         |                     
            //   8bf0                 | lea                 esp, [0x17970]

        $sequence_15 = { 75f3 53 e8???????? 56 e8???????? 57 e8???????? }
            // n = 7, score = 100
            //   75f3                 | push                1
            //   53                   | push                2
            //   e8????????           |                     
            //   56                   | mov                 word ptr [ebp - 0x816], ax
            //   e8????????           |                     
            //   57                   | mov                 esi, eax
            //   e8????????           |                     

    condition:
        7 of them and filesize < 349184
}