Open Hunting - Threat Library

Openhunting Threat Library

TigerRAT

TigerRAT, Tiger RAT

(Type: Backdoor)

(Talos) The second implant hosted on MagicRAT's C2 is a remote access trojan (RAT) known as TigerRAT. TigerRAT is an implant disclosed in 2021 by KISA and KRCERT as part of 'Operation ByteTiger'' detailing TigerRAT and its downloader 'TigerDownloader.' This implant consists of several RAT capabilities, ranging from arbitrary command execution to file management.

[News Analysis] Trends:

Total Trend: 12

Trend Per Year

2021

2022

2023

Trend Per Month

Jun 2021

Jul 2021

Sep 2021

Nov 2021

Dec 2021

Sep 2022

Jan 2023

Feb 2023

Aug 2023

Nov 2023

[News Analysis] News Mention Another Threat Name:

[TTP Analysis] Technique Performance:

reconnaissance

0/43

resource development

0/45

initial access

0/19

execution

1/36

persistence

1/113

privilege escalation

1/96

defense evasion

0/184

credential access

0/63

discovery

0/44

lateral movement

0/22

collection

0/37

command and control

0/39

exfiltration

0/18

impact

0/26

[TTP Analysis] Mitre Attack Matrix:

TA0043	TA0042	TA0001	TA0002	TA0003	TA0004	TA0005	TA0006	TA0007	TA0008	TA0009	TA0011	TA0010	TA0040
Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
			T1053.002 Scheduled Task/job : At	T1053.002 Scheduled Task/job : At	T1053.002 Scheduled Task/job : At

[Infrastructure Analysis] Based on Related IOC:

IP:Port	Timestamp

Domain	Timestamp

URL	Timestamp

[Target Analysis] Region/Sector:

No information

References:

News Basic Information Indicator of Compromise Mitre Attack

News Article (Credit @Malpedia)

Detection of attacks exploiting asset management software (Andariel Group)

2023-11-10 by ASEC Analysis Team from AhnLab

Analysis of Andariel’s New Attack Activities

2023-08-31 by Sanseo from AhnLab

Analyzing the new attack activity of the Andariel group

2023-08-22 by ASEC Analysis Team from AhnLab

#StopRansomware: Ransomware Attacks on Critical Infrastructure Fund DPRK Malicious Cyber Activities

2023-02-09 by NSA from

Emulating the Highly Sophisticated North Korean Adversary Lazarus Group

2023-01-05 by Francis Guibernau from AttackIQ

MagicRAT: Lazarus’ latest gateway into victim networks

2022-09-07 by Jung soo An from Cisco Talos

Establishing the TigerRAT and TigerDownloader Malware Families

2021-12-22 by Markel Picado Ortiz from Threatray

TigerRAT – Advanced Adversaries on the Prowl

2021-12-03 by VMWare from vmware

Analysis Report of Lazarus Group’s NukeSped Malware

2021-11-10 by ASEC Analysis Team from AhnLab

TTPs#6 Targeted Watering Hole Attack Strategy Analysis (SILENT CHOLLIMA)

2021-09-02 by KrCERT from KrCert

Visual investigations - Speed up your IR, Forensic Analysis and Hunting

2021-07-15 by Mathieu Gaucheler from BrightTALK

Andariel evolves to target South Korea with ransomware

2021-06-15 by Seongsu Park from Kaspersky

Basic Information (Credit @etda.or.th)

Tool: TigerRAT

Names: TigerRAT, Tiger RAT

Description: (Talos) The second implant hosted on MagicRAT's C2 is a remote access trojan (RAT) known as TigerRAT. TigerRAT is an implant disclosed in 2021 by KISA and KRCERT as part of 'Operation ByteTiger'' detailing TigerRAT and its downloader 'TigerDownloader.' This implant consists of several RAT capabilities, ranging from arbitrary command execution to file management.

Category: Malware

Type: Backdoor

Information: https://blog.talosintelligence.com/2022/09/lazarus-magicrat.html

Malpedia: https://malpedia.caad.fkie.fraunhofer.de/details/win.tiger_rat

Last-card-change: 2022-12-28

Source: https://apt.etda.or.th/cgi-bin/listtools.cgi

TTP Info (Credit @Mitre)

TA0043	TA0042	TA0001	TA0002	TA0003	TA0004	TA0005	TA0006	TA0007	TA0008	TA0009	TA0011	TA0010	TA0040
Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
			T1053.002 SCHEDULED TASK/JOB : AT at can be used to schedule a task on a system to be executed at a specific date or time.	T1053.002 SCHEDULED TASK/JOB : AT at can be used to schedule a task on a system to be executed at a specific date or time.	T1053.002 SCHEDULED TASK/JOB : AT at can be used to schedule a task on a system to be executed at a specific date or time.