Operation “PZCHAO” – Going back to Iron Tiger

Chili Ivona-Alexandra , Malware Researcher ,  Bitdefender

Attacks observed in the wild tend to become more and more complex, and the actors behind them prefer to split the intrusion across multiple modules, each with a well-defined purpose, in order to ensure the target's compromise. The focus of such attacks has shifted from damaging the target's system to stealing confidential data, silently monitoring the system and constantly preparing for a new wave of attacks.

During the past few months, we have observed and analyzed a new custom-built malware that has been spreading quickly, mainly targeting Asia. Indicators of compromise first entered our systems on July 17, marking the start of the campaign that followed. At first, the payloads extracted from the attack seemed very similar to those distributed by the Gamaredon Group in terms of packing techniques, download tools used and the system infection routine carried out through batch script files. However, the behavior and the targets of the two groups are far from the same, and so far there is no strong evidence of affiliation.

An interesting fact that prompted our team to analyze this threat is that the group operates a network of malicious subdomains, each of them used for a specific task (download, upload, RAT-related actions, malware DLL delivery). The payloads are very diverse and include the capabilities of downloading and executing additional payloads, collecting private information and remotely executing commands on the system.

During the analysis, we managed to retrieve the malware payloads hosted on their HTTP file download server, along with some statistics such as the total number of downloads and logs listing the targeted victims. Among the most downloaded malicious files, we found variants of Gh0st RAT used in the Iron Tiger APT operation, now contacting this new infrastructure.

This paper covers the attack chain, the infrastructure used by the threat actors, the malware subdomains they control, the payloads delivered to the targeted systems and the indicators that point to a return of the Iron Tiger APT.

Chili Ivona-Alexandra

Chili Ivona-Alexandra is a malware researcher at the antivirus company Bitdefender. She recently graduated in Computer Science from Al. I. Cuza University of Iasi and is currently pursuing bachelor's degree studies. With two and a half years of experience in malware reversing, she aspires to become a professional in the field of cyber security. She considers working in this domain a challenge that drives an individual to learn interesting things covering a wide range of technical skills. When not dissecting malware, she likes to spend her time playing tennis or enjoying a good movie.