Actor(s): Silent Chollima
TigerLite is a TCP downloader.
It creates mutexes like "qtrgads32" or "Microsoft32".
It uses RC4 with the key "MicrosoftCorporationValidation@#$%^&*()!US" to decrypt its embedded strings, and a custom algorithm to encrypt and decrypt its network traffic.
Depending on the variant, it supports between 5 and 8 commands, with the identifiers 1111, 1234, 2099/3333, 4444, 8877, 8888, 9876 and 9999. The commands mostly perform some form of execution: either of code received from the server, or of native Windows commands, with the output collected and sent back to the server.
TigerLite is an intermediate stage of a multi-stage attack, in which Tiger RAT is usually the next stage. This malware was observed in attacks against South Korean entities in H1 2021.
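The string decryption described above is plain RC4 under a fixed key, so an analyst can recover the strings of a sample with a few lines of code. The following is an added example, not code from the page or from the malware itself: it implements RC4 (key scheduling plus the PRGA keystream) and applies it with the key quoted above. It assumes the key is used as its raw ASCII bytes with no terminating NUL, which the page does not state; the sample ciphertext is constructed here by encrypting a made-up string with the same key, not taken from a real TigerLite binary. The printable-text check is a practitioner's aid for confirming a decryption candidate, not something the page attributes to the malware.

```python
"""RC4 string decryption with the TigerLite key (added example)."""
from __future__ import annotations

import string

# Key as reported for TigerLite string decryption. Assumed to be used as raw
# ASCII bytes without a terminating NUL (the write-up does not say).
TIGERLITE_RC4_KEY = b"MicrosoftCorporationValidation@#$%^&*()!US"


def rc4_ksa(key: bytes) -> list[int]:
    """Key-scheduling algorithm: permute the 256-entry state using the key."""
    if not 1 <= len(key) <= 256:
        raise ValueError("RC4 key must be 1..256 bytes long")
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    return s


def rc4_crypt(key: bytes, data: bytes) -> bytes:
    """Encrypt or decrypt (RC4 is symmetric): XOR data with the PRGA keystream."""
    s = rc4_ksa(key)
    i = j = 0
    out = bytearray()
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        keystream_byte = s[(s[i] + s[j]) & 0xFF]
        out.append(byte ^ keystream_byte)
    return bytes(out)


def looks_printable(data: bytes) -> bool:
    """Heuristic: a correctly decrypted string is printable ASCII, NUL-padded."""
    body = data.rstrip(b"\x00")
    return len(body) > 0 and all(chr(b) in string.printable for b in body)


def decrypt_tigerlite_string(blob: bytes) -> str:
    """Decrypt one RC4 blob with the TigerLite key and strip trailing NULs.

    Raises ValueError when the result is not printable, which is the usual
    symptom of a wrong key, wrong key length or a mis-located blob.
    """
    plain = rc4_crypt(TIGERLITE_RC4_KEY, blob)
    if not looks_printable(plain):
        raise ValueError("decryption did not yield printable text")
    return plain.rstrip(b"\x00").decode("ascii")


# Constructed sample: a made-up plaintext encrypted with the TigerLite key so
# the example runs offline. It is NOT a string taken from a real sample.
SAMPLE_PLAINTEXT = b"constructed-sample-string\x00\x00\x00"
SAMPLE_BLOB = rc4_crypt(TIGERLITE_RC4_KEY, SAMPLE_PLAINTEXT)


if __name__ == "__main__":
    print("blob:", SAMPLE_BLOB.hex())
    print("decrypted:", decrypt_tigerlite_string(SAMPLE_BLOB))
```

The `rc4_crypt` routine can be checked against the public RC4 test vectors (key "Key" with plaintext "Plaintext" gives BBF316E8D940AF0AD3) before trusting its output on a real sample; if strings from a sample do not come out printable, the first things to vary are whether the key is taken with a trailing NUL and where each ciphertext blob starts and ends.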
2021-12-22 ⋅ Threatray ⋅ Establishing the TigerRAT and TigerDownloader Malware Families (TigerLite, Tiger RAT)
2021-06-15 ⋅ Kaspersky ⋅ Andariel evolves to target South Korea with ransomware (BISTROMATH, PEBBLEDASH, TigerLite, Tiger RAT, Unidentified 081 (Andariel Ransomware))
2021-05-11 ⋅ Qianxin ⋅ Analysis of a series of attacks by the suspected Lazarus organization using Daewoo Shipyard as relevant bait
2021-04-19 ⋅ Malwarebytes ⋅ Lazarus APT conceals malicious code within BMP image to drop its RAT
There is no YARA signature yet.