Establishing the TigerRAT and TigerDownloader malware families

2021-12-22, Threatray
https://threatray.com/blog/establishing-the-tigerrat-and-tigerdownloader-malware-families/
#Andariel #TigerRAT

Author: Markel Picado Ortiz
Published on: 22.12.2021
Executive Summary
Recent research by Malwarebytes (April 2021), Kaspersky (June 2021) and the Korean CERT (September 2021) reports attacks on South Korean entities that employ new techniques and previously unidentified malware.
The initial report by Malwarebytes attributes the attack to the Lazarus group. Kaspersky refines the attribution to the Andariel APT, a subgroup of Lazarus. The Korean CERT (KrCERT) reports a new attack and names the malware tools seen in it TigerDownloader and TigerRAT. The KrCERT report provides a thorough, detailed, indicator-based analysis of the relationship between its malware samples and those previously analyzed by Kaspersky and Malwarebytes. It also employs a proprietary attribution technology to further relate the attacks.
In this report, we focus on the malware tooling from the previously reported attacks. We provide new evidence to attribute these tools to the same downloader and RAT families. We will refer to these families as …

IoC
