Establishing the TigerRAT and TigerDownloader malware families

2021-12-22 Threatray

https://threatray.com/blog/establishing-the-tigerrat-and-tigerdownloader-malware-families/


ThreatRay links malware samples from Malwarebytes, Kaspersky, and KrCERT reporting on South Korea-focused activity to the shared TigerDownloader and TigerRAT families. The earlier reports attributed the activity to Lazarus, or more specifically to Andariel, a Lazarus subgroup, while KrCERT named the ByteTiger operation and introduced the TigerDownloader and TigerRAT labels. Code-reuse analysis found common packer functionality across 27 packed samples: payload mapping, anti-analysis checks, unpacking, dynamic Windows API resolution, and junk-code insertion for detection evasion. The shared packing scheme decrypted the payload by XOR with a 16-byte key, with variants that differed in Base64 encoding and in how the PE payload was stored; the unpacked payloads clustered into a downloader family and a RAT family, each with multiple variants. The findings help defenders connect malicious documents, compromised-website delivery, downloader stages, RAT payloads, and reported ransomware deployment into a clearer map of Andariel tooling.

Indicators of Compromise
