
Iron Tiger updates Toolkit

Researchers discovered that the Iron Tiger group has updated its tool library and added a new method of launching malicious software. It also uses a new rootkit that hides backdoor programs. The group previously carried out malicious activities against Southeast Asian gambling and betting companies. Recently, researchers have found evidence that the group is still interested in the gambling industry.

Iron Tiger, also known as LuckyMouse, Emissary Panda and APT27, is a very mature cyber espionage group that has been active since at least 2010. In the beginning, the group's main target was the Asia-Pacific region.

In 2019, security services and system integration company Talent-Jump discovered several variants in a gambling company during an incident response operation. This attack was called Operation DRBControl.

From 2020 to 2021, Talent-Jump discovered new samples of the families attributed to the group.

When investigating Operation DRBControl in 2019, researchers discovered links between the group and multiple threat groups:

Iron Tiger, which uses HyperBro Trojans, and some shared infrastructure links

Winnti, which shares the same infrastructure and code, as described in the report

Bronze President, a threat group targeting non-governmental organizations (NGOs). As early as 2019, researchers named a new family believed to belong to this group "Type 2".

After the report was released, the researchers found that the two malware families described in the report are the same as the “RCSession” malware family described in a blog published by Dell Secureworks in December 2019. After finding multiple tools belonging to Iron Tiger, the new malware family discovered by the researchers in the Operation DRBControl investigation is likely to come from the same threat group.

In December 2020, researchers found a sample identified as belonging to the SysUpdate malware family, which is also known as Soldier, FOCUSFJORD and HyperSSL. The NSys Group team first described SysUpdate in 2018.


Infection chain of old and new SysUpdate

The following timeline shows the different samples found in the same gambling company investigated by Talent-Jump and Trend Micro:

July 2019: Operation DRBControl began.
October 2019: A HyperBro malware sample was found.
March 2020: A new Type 1 malware variant sample and a rootkit named Pandora were discovered.
April 2020: A rootkit sample for hiding processes, files and services was found.
October 2020: New HyperBro and Pandora samples were found.
December 2020: A sample of the SysUpdate malware variant was found.
January 2021: The Fast Reverse Proxy (FRP) Linux tool was discovered.

IOCs

IP addresses

103.79.78.48
104.209.198.177:443
107.148.131.210:443
34.93.247.126
35.220.135.85:443
45.142.214.188
47.75.49.32:443
85.204.74.143:443
35.187.148.253:443
139.180.208.225:443
139.59.81.253
89.35.178.105:443

MD5 hashes

62cdc7d02c332c4aae1b3aaaba8386ee
0586cdd695c8b45a27b1991cbc5c1331
6930bd66a11e30dee1ef4f57287b1318
8ab70d92ff48ef6af9ab17bddc2aa512
d0b1ba562ec717c61e39ccfbb1add1c7
a18f57d718f2ed081ebcf1e019e9e729
113044788a356aab6c693a3e80189141
bea93d0a13face4f55d224a8fc437895
f0d42ce1e6dace43ec762b9b4e1bb7be
74618912c71dfafbfff5986ffb0e6e6a
b6eb15c9d9c10eb399ad9d0adcbdc0d0
7655ff65f74f08ee2c54f44e5ef8f098
bc65327315a5345117ce8d8fb0876976
3373c4a9afb33e6310f333ed31cb44fb
ad72e6cf7bfa37a2bae835c5d5d1e96f
9a1bfe3002e64c70bdf8271c44a3ced9
024532bf713d38535de985d42d16a8b5
d252d59cd00e209f22f9c5918e47c1de
ab91f40ba93e134127a13d5c76017b7b
b1ae0b876157619e1fda55591f4c3466
737c71870addb643a812c0a91af31b97
4bd9ee5c7e5b2f845f9ceeab538a93bc
c4f4bb1c1c26890a4c4a34ac073bc2a3
f67e2e68bbe38f582a228694b8ca3ef2
3ae4d1891109e8544d29a0f7f1fdac91
90caeeab2aa20bc6f10688da9741c3b4
3f57b0b235a0e3669deaca39468e1e30
b0c5707d71bc804eaffea06e0b048592
fd88085f65e74b87671b90bea688b0a3
92462f38eb4e9d1c75676f83548ce637
fc338f08246e9d0ec921cc69b4f0e69f
ac431261b8852286d99673fddba38a50
798b9dba55c2ca8349635915c69d4a5e
90dd242ca25270b3997d4d8a66e4ec2e
465f1ca319873cfe280fe80308338750
625dd9048e3289f19670896cf5bca7d8
a5862f5701542a36354dbf17d52f1e4a

SHA-1 hashes

cba27fd14118708936ec0996e6c7ba031087752a
708847b5c92c6538d1f9f5d85c9046cf518fff21
ddee9282bab537136f563f3c93856e5793ab9e5a
2b128c2a124e175649426ab305ad4a52015a2695
6611459c1c394994087a0a488205063332acd2e1
05bb4128c83593cb970308811aa3009105db98aa
ba835af7b8aa51797f95223676640be9c81dad9f
3a5d1fb37da6a41c677161dab568f7b8ac07bdda
1570aaabe6292667b834a6d533cbf3bd3642baea
b7fe5cb2ffdc6d6a4af541a51652af06665ce9ad
ecdca0d0056bfd1a6a7269120e3f4104fc6aaa10
3c7beb8978feac9ba8f5bab0656242232471bf7d
337971d20f148b92dc7f4e7d4a0662f6c36eee38
c9c6b49a044d2df97a7aba4dbc0a1047a01cf034
725e1300954e29a748499f730065e55960130547
a3bc69e93fda6231685364ecf39197bc4cadf891
2068191ffaea43b80cd4c18f9a95f24c27239eba
157185c1fbcea294a529f1b8ed66377942d01b89
c40ad5da03bdf67422612264b39f42ec8d700d59
1800651d0b5a184dd8658f18dc520766c7ff9353
ecfaa525234b65fda69c669c2c9cf2a298928d73
d86290a210a18db0ebc35cca861081983fe445cb
d886318db6532405724f870fcf4deb046f6f9f4c
ad268d0852a2fd1234c35797e1aac57d1dae7838
8e4d0a89b0a102577b826d896d385eb334545302
44840f065ab94591c2bfc0ae30f5be3e63306f77
cb3d32ed72000a403a4136dd16a0be385e215083
cf248285287f7089cfd6d1ec211d667a3212d51b
eb33fe7e018f926086c21dcd0f1d722c3fb36f2c
c28abdc3e2f4e30995b1acbd85c17dd64141c90c
ffe1f58785803c9adb81dfa60e9b1fccf012ccc7
765cebd9e46f5c511611a09d5ee78b2daba16a9e
d5bfb52e8abae4db2005007327e5ecddd5f22f88
5be0f01c51ad5081c07cc5a1fc4ab051619494bf
fe6738ee782504e1b9f00aa619e8318e7f256eaa
4617c9f7781d584996875fe0bf5ad198bcf392a5
60905e04d076469a23f6f420bd22bb2f506950e7
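The list above mixes four indicator kinds (bare IPv4 addresses, IP:port pairs, 32-hex MD5 digests and 40-hex SHA-1 digests), and each kind is matched differently against telemetry. The following Python script is an added example, not code from Trend Micro, Talent-Jump or the original report: it classifies a subset of the indicator values copied from the page, then sweeps constructed proxy and EDR log lines for them. The log format (space-separated key=value fields), the sample lines and the severity labels are assumptions made for the example; the hash kinds are inferred from digest length. An IP:port indicator only counts as a full hit when the port matches too, otherwise the same host on another port is reported as a partial hit for the analyst to triage rather than silently dropped.

```python
"""Classify the Iron Tiger IOCs above and sweep sample logs for them.

Added example, not part of the original report. Indicator values are copied
from the page's IOC list (a subset); the log lines are constructed samples.
"""
import re
from collections import defaultdict

# Subset of the indicators listed on the page (IPs, IP:port pairs, MD5, SHA-1).
IOC_TEXT = """
103.79.78.48
104.209.198.177:443
35.187.148.253:443
139.59.81.253
62cdc7d02c332c4aae1b3aaaba8386ee
0586cdd695c8b45a27b1991cbc5c1331
cba27fd14118708936ec0996e6c7ba031087752a
708847b5c92c6538d1f9f5d85c9046cf518fff21
"""

IPV4 = r"(?:\d{1,3}\.){3}\d{1,3}"
# Order matters: the ip:port pattern is tried before the bare-ip pattern.
PATTERNS = {
    "ip_port": re.compile(rf"^{IPV4}:\d{{1,5}}$"),
    "ip": re.compile(rf"^{IPV4}$"),
    "md5": re.compile(r"^[0-9a-f]{32}$"),   # kind inferred from digest length
    "sha1": re.compile(r"^[0-9a-f]{40}$"),  # kind inferred from digest length
}


def classify(token):
    """Return (kind, normalised value) for one indicator, or None if unknown."""
    token = token.strip().lower()
    for kind, pattern in PATTERNS.items():
        if pattern.match(token):
            return kind, token
    return None


def load_iocs(text):
    """Group indicators by kind; blank or unrecognised lines are skipped."""
    iocs = defaultdict(set)
    for line in text.splitlines():
        hit = classify(line)
        if hit:
            iocs[hit[0]].add(hit[1])
    return iocs


# Constructed log lines in an assumed key=value format (not real telemetry).
SAMPLE_LOGS = [
    "2021-01-12T10:03:11Z proxy src=10.0.0.5 dst=35.187.148.253 dport=443 bytes=8912",
    "2021-01-12T10:04:02Z proxy src=10.0.0.5 dst=35.187.148.253 dport=8080 bytes=120",
    "2021-01-12T10:05:00Z edr host=WS01 file=C:\\Users\\Public\\svc.exe md5=62CDC7D02C332C4AAE1B3AAABA8386EE",
    "2021-01-12T10:06:30Z proxy src=10.0.0.7 dst=8.8.8.8 dport=53 bytes=64",
    "2021-01-12T10:07:15Z proxy src=10.0.0.9 dst=139.59.81.253 dport=8443 bytes=3300",
]

KV = re.compile(r"(\w+)=(\S+)")


def scan_line(line, iocs):
    """Return a list of (severity, kind, indicator) hits for one log line."""
    fields = {k.lower(): v.lower() for k, v in KV.findall(line)}
    hits = []
    # Hash fields: exact match after case normalisation (EDR logs often upper-case).
    for kind in ("md5", "sha1"):
        value = fields.get(kind)
        if value and value in iocs[kind]:
            hits.append(("high", kind, value))
    # Destination host: a bare-IP IOC matches any port; an IP:port IOC needs
    # the port as well, otherwise the same host is reported as a partial hit.
    dst, dport = fields.get("dst"), fields.get("dport")
    if dst:
        if dst in iocs["ip"]:
            hits.append(("high", "ip", dst))
        for ioc in iocs["ip_port"]:
            host, port = ioc.split(":")
            if host == dst:
                severity = "high" if port == dport else "partial"
                hits.append((severity, "ip_port", ioc))
    return hits


def scan(lines, iocs):
    """Map line index -> hits for every line that matched at least one IOC."""
    results = {}
    for idx, line in enumerate(lines):
        hits = scan_line(line, iocs)
        if hits:
            results[idx] = hits
    return results


if __name__ == "__main__":
    iocs = load_iocs(IOC_TEXT)
    for kind, values in sorted(iocs.items()):
        print(f"{kind}: {len(values)} indicator(s)")
    for idx, hits in scan(SAMPLE_LOGS, iocs).items():
        print(f"line {idx}: {hits}")
```

Running the script reports the indicator counts per kind and then one entry per matching sample line; the second proxy line shows the partial-hit case (known host, unlisted port), and the EDR line shows that an upper-case digest still matches after normalisation. To use it against real data, replace `IOC_TEXT` with the full list above and feed it lines in the same key=value shape.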