
The research team said that this malware variant was first discovered in July 2022, and that several similar payloads were detected in late October 2022, prompting an investigation. The investigation confirmed similarities to the system update malware.
Iron Tiger is a Chinese APT group that has been active since 2013; early in its activity it became notorious for stealing terabytes of confidential data from employees of American technology companies.
Like the updated Windows version of Iron Tiger's system update malware discovered in 2021, the latest variant uses complicated loading logic to evade security products. It is likewise written in C++ using the Asio library, and its functionality closely matches the previous version. According to the report, the system update malware can manage system services, take screenshots, browse and kill processes, retrieve drive information, execute commands, and locate, delete, rename, upload and download files, as well as browse the victim's file directories.
The research team said they found ELF files connecting to some of the command and control servers while investigating the system update infrastructure. The ELF sample shared a common network encryption key with earlier versions and had many similar features, such as file management.
The newer variants also gained the ability to perform command and control communication via DNS TXT queries. DNS is not intended as a general-purpose communication channel, but the attackers abused the protocol to send and receive information.
The initial infection vector is unknown, but the investigation found that a chat application was used to lure victims into downloading the infection payload. Once downloaded, the malware sends information to the command and control server, including a GUID, the hostname, username, local IP address and the port used to send the request, the current PID, the machine's kernel version and architecture, and the current file path.
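Because DNS TXT queries are rarely used for bulk data by ordinary clients, a defender can spot this kind of channel from resolver logs alone. The following is an added example, not code from the report or from Trend Micro: it parses constructed query-log lines and flags a parent domain when several distinct TXT queries carry long, high-entropy leftmost labels, which is the shape encoded data takes when it is pushed through DNS. The log format, thresholds, client addresses and the `tunnel-test.invalid` domain are all assumptions made for the example.

```python
"""Flag DNS TXT query patterns that may indicate tunnelled C2 traffic.

Heuristics (defender-side, added example):
  * several distinct subdomains under one parent domain queried as TXT
  * long, high-entropy leftmost labels (encoded data rather than hostnames)
Log lines below are constructed for this example in a simple
'<timestamp> <client_ip> <qname> <qtype>' form; they are not real records.
"""
import math
from collections import defaultdict

SAMPLE_LOG = """\
2023-03-01T10:00:01Z 10.0.0.5 www.example.com A
2023-03-01T10:00:02Z 10.0.0.5 _dmarc.example.com TXT
2023-03-01T10:00:03Z 10.0.0.7 0123456789abcdeffedcba9876543210.tunnel-test.invalid TXT
2023-03-01T10:00:04Z 10.0.0.7 13579bdf02468ace13579bdf02468ace.tunnel-test.invalid TXT
2023-03-01T10:00:05Z 10.0.0.7 a1b2c3d4e5f60718293a4b5c6d7e8f90.tunnel-test.invalid TXT
2023-03-01T10:00:06Z 10.0.0.7 f0e1d2c3b4a5968778695a4b3c2d1e0f.tunnel-test.invalid TXT
2023-03-01T10:00:07Z 10.0.0.7 00112233445566778899aabbccddeeff.tunnel-test.invalid TXT
2023-03-01T10:00:08Z 10.0.0.9 mail.example.com MX
"""


def shannon_entropy(text: str) -> float:
    """Bits of entropy per character; encoded payloads score high, hostnames low."""
    if not text:
        return 0.0
    counts = {}
    for ch in text:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parent_domain(qname: str, depth: int = 2) -> str:
    """Collapse a query name to its last `depth` labels (assumed registrable domain)."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-depth:])


def parse_log(text: str):
    """Parse the constructed log format into dicts; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, client, qname, qtype = parts
        records.append({"ts": ts, "client": client,
                        "qname": qname.lower(), "qtype": qtype.upper()})
    return records


def score_txt_queries(records, min_distinct=3, min_label_len=20, min_entropy=3.0):
    """Return parent domains whose TXT traffic looks like an encoded data channel."""
    by_parent = defaultdict(lambda: {"clients": set(), "labels": set(),
                                     "suspicious_labels": 0})
    for r in records:
        if r["qtype"] != "TXT":
            continue
        parent = parent_domain(r["qname"])
        first = r["qname"].split(".")[0]  # leftmost label carries the payload
        entry = by_parent[parent]
        entry["clients"].add(r["client"])
        entry["labels"].add(first)
        if len(first) >= min_label_len and shannon_entropy(first) >= min_entropy:
            entry["suspicious_labels"] += 1

    flagged = {}
    for parent, e in by_parent.items():
        # Require both volume (many distinct names) and payload-like labels,
        # so a single legitimate _dmarc/SPF lookup never trips the rule.
        if len(e["labels"]) >= min_distinct and e["suspicious_labels"] >= min_distinct:
            flagged[parent] = {"clients": sorted(e["clients"]),
                               "distinct_labels": len(e["labels"]),
                               "suspicious_labels": e["suspicious_labels"]}
    return flagged


if __name__ == "__main__":
    for parent, info in score_txt_queries(parse_log(SAMPLE_LOG)).items():
        print(f"{parent}: {info}")
```

Run against the constructed log, only `tunnel-test.invalid` is reported, while the legitimate `_dmarc.example.com` TXT lookup is left alone. In production the same two signals (distinct-name count per parent domain and leftmost-label entropy) are worth computing per client over a sliding window, since a real implant will spread its queries over time.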
A gaming company in the Philippines was named as a victim of the malware campaign. The group is known for targeting the gaming industry and Southeast Asia.
Meanwhile, Iron Tiger also targeted macOS and Linux systems in 2022 with a malware family called rshell. Trend Micro's report noted that additional variants are likely to emerge targeting other platforms and applications. "The tools mentioned here can be reused in campaigns that can target different geographies or industries in the short or long term," the report added.
editor@itworld.co.kr