Security news that informs and inspires

Iron Tiger APT Updates Toolkit in 18-Month Malware Campaign


The Iron Tiger threat group has upgraded its toolkit, as seen in an 18-month campaign by the advanced persistent threat (APT) actor targeting a gambling company in the Philippines.

The incident sheds light on the recent evolution of Iron Tiger (also known as LuckyMouse, Emissary Panda and APT27), which is a Chinese cyberespionage threat group that has been active since 2010. A new Trend Micro report found that over time, Iron Tiger has updated its toolkit to include a new method for launching its malware, and has also adopted a new rootkit used for hiding backdoors.

The threat actors “are able to quickly pivot and change techniques despite existing network defenses,” said Jamz Yaneza, research manager at Trend Micro. “They can update their tools or even modify quickly, which means tracking and detecting these modifications within the organization can be difficult.”

The attack on the unnamed company is part of a broader campaign against gambling companies first uncovered in 2019, after an incident response engagement by Talent-Jump, Inc. Talent-Jump then contacted Trend Micro researchers for further malware analysis; the researchers named the campaign “Operation DRBControl.”

Trend Micro’s Friday report linked the Iron Tiger threat group to the attack: “After finding multiple tools belonging to the Iron Tiger threat actor, it is likely that the new malware families that we found during the Operation DRBControl investigation came from the same threat actor,” they said.

Trend Micro researchers said that since they did not perform the incident response themselves, they were not in a position to determine exactly how the attackers gained initial access, or how they maintained persistence for so long.

“However, it is likely the attacker kept some accesses after the initial compromise,” said Daniel Lunghi, threat researcher at Trend Micro. “One option is that they used credentials they dumped during the first compromise, or that they found in the recorded keystrokes. Another possibility is that they exploited vulnerabilities to come back.”

While researchers could not confirm the primary infection vector in this attack, Iron Tiger has previously relied on watering-hole attacks and weaponized documents (for instance, exploiting the Microsoft Office Equation Editor flaw CVE-2018-0798) to gain a foothold on systems. It has also been observed exploiting server-side vulnerabilities, including the Microsoft SharePoint flaw CVE-2019-0604 and the Microsoft Exchange Server flaws CVE-2021-26855, CVE-2021-26857, CVE-2021-26858 and CVE-2021-27065.


Further investigation into the attack revealed how Iron Tiger has upgraded its toolset over time. During the initial incident response, researchers found the group using the HyperBro malware, a remote access trojan (RAT) used to control infected systems. It also used a rootkit called Pandora, which performs backdoor functions.

More recently, in December, researchers observed the group using a SysUpdate sample as part of the attack. SysUpdate, first documented and linked to Iron Tiger by researchers in 2018, has remote access capabilities such as managing files and processes, launching a command shell, interacting with services, taking screenshots, and uploading and downloading additional malware payloads.

Previously, the SysUpdate variant used by Iron Tiger was loaded through a known three-file chain: a legitimate executable, a malicious dynamic-link library (DLL) that the executable loads (DLL side-loading), and a binary file containing obfuscated code.

The attack on the gambling company revealed a new process in which SysUpdate is loaded using five files. In this chain, shellcode decompresses a launcher and loads it in memory. The launcher then decodes two encrypted files: data.res, which contains two SysUpdate versions, and config.res, which holds the SysUpdate configuration, such as the command-and-control (C2) server address.

Researchers said this update is “a smart move on the attacker’s side” in terms of obfuscation, as it splits information between various different files, making it harder to extract and analyze the malware.
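Splitting the payload and its configuration into separately encrypted resource files defeats static signatures, but the layout itself is visible on disk: an executable and a DLL sitting next to small files whose bytes look random. The following is an added example, not Trend Micro's tooling or any code from the campaign, of a generic triage check that flags that layout by measuring the Shannon entropy of co-located files. The file names data.res and config.res come from the report; the executable, DLL and text file names, the sample contents and the 7.0 bits/byte threshold are assumptions made for the example.

```python
"""Triage a directory for the split-file loader layout: an exe + DLL pair
next to resource files whose content is encrypted (entropy near 8 bits/byte).
Added example, not code from the page, Trend Micro or Iron Tiger.
"""
import hashlib
import math
import os
import tempfile
from collections import Counter

RES_NAMES = ("data.res", "config.res")   # resource names reported for the chain
HIGH_ENTROPY = 7.0                        # bits/byte threshold (assumption)


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; 0.0 for empty input."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def triage_dir(path: str) -> dict:
    """Score one directory: per-file entropy, exe+DLL pair, overall verdict."""
    names = sorted(os.listdir(path))
    has_exe = any(n.lower().endswith(".exe") for n in names)
    has_dll = any(n.lower().endswith(".dll") for n in names)
    files = {}
    for name in names:
        with open(os.path.join(path, name), "rb") as fh:
            ent = shannon_entropy(fh.read())
        files[name] = {
            "entropy": round(ent, 2),
            # Only the named resource files count; a random .bin elsewhere
            # would need a different rule.
            "suspicious": name.lower() in RES_NAMES and ent >= HIGH_ENTROPY,
        }
    loader_pair = has_exe and has_dll
    encrypted_res = [n for n, f in files.items() if f["suspicious"]]
    verdict = "suspicious" if loader_pair and encrypted_res else "clean"
    return {"loader_pair": loader_pair, "files": files,
            "encrypted_res": encrypted_res, "verdict": verdict}


def _pseudo_encrypted(seed: bytes, size: int) -> bytes:
    """Deterministic high-entropy bytes standing in for an encrypted blob."""
    out, counter = b"", 0
    while len(out) < size:
        out += hashlib.sha256(seed + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:size]


def build_sample_dir() -> str:
    """Constructed sample layout (not a real capture) to run the triage on."""
    d = tempfile.mkdtemp(prefix="loader_triage_")
    samples = {
        "updater.exe": b"MZ" + b"\x00" * 510,        # hypothetical host executable
        "helper.dll": b"MZ" + b"\x00" * 510,         # hypothetical side-loaded DLL
        "data.res": _pseudo_encrypted(b"data", 4096),
        "config.res": _pseudo_encrypted(b"config", 1024),
        "notes.txt": b"plain text settings file\n" * 40,  # low-entropy control
    }
    for name, content in samples.items():
        with open(os.path.join(d, name), "wb") as fh:
            fh.write(content)
    return d


if __name__ == "__main__":
    report = triage_dir(build_sample_dir())
    print(report["verdict"], report["encrypted_res"])
```

Run it against a real directory with `triage_dir("/path/to/dir")`. Entropy alone is a weak signal (compressed archives and images also score high), which is why the verdict also requires the executable-plus-DLL pair; in practice you would add a check that the executable is signed and the DLL is not, and hash the pair against known-good side-loading hosts.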

In April 2020, researchers also found Iron Tiger making new use of a rootkit to hide its backdoors. The rootkit was taken from a public GitHub repository and was used to hide processes, files and services.

Beyond this particular attack, researchers said Iron Tiger has expanded its target base to include other industries - including governments, banks, telecommunication providers and the energy sector - in different countries in the Middle East and Southeast Asia over the past 18 months.

More broadly, the gambling sector has proved lucrative for threat groups because, researchers said, “quite simply, it’s where the money is.” A number of cyberattacks have hit gambling companies and casinos over the past year, including ones in October against two casinos in Idaho that led to their temporary shutdown. Southeast Asia in particular has a strong gambling market, driven by overall population growth and "a general propensity for gambling", which makes it an attractive target for threat actors, researchers said.

“This is a unique industry with a constant large cash flow,” said Yaneza. “Huge sums of money and different financial transfer schemes... give more opportunity for abuse.”