APT Groups Lured by Silent Cryptocurrency Miners

February 14, 2018

Iron Tiger is the name of a hacking group that is believed to have launched its first cyberattack campaign back in 2010. At first, its targets were primarily based in East Asia, but later it also hit organizations in North America. Iron Tiger is classified as an APT (Advanced Persistent Threat) group because of the wide range of capabilities displayed by the malware it uses and the highly targeted nature of its attacks.

When people hear of APT groups, they often think of highly talented teams of hackers backed by clandestine government institutions. The general assumption is that they have significant financial resources at their disposal because writing and distributing sophisticated malware doesn't come cheap. In that respect, Iron Tiger might be a little bit different.

Back in July 2017, researchers from BitDefender started monitoring a campaign against several targets located in Asia and North America, and they reckon that it marks the return of the Iron Tiger APT team. The attack is aimed at government agencies and organizations working in the technology, education, and telecommunications industries, and the experts named it Operation PZChao, after the domain name of one of the C&C servers.

The attack chain starts with a carefully crafted spear phishing email that comes with an attached VBS file. The VBS script reports the successful infection to the C&C, establishes persistence, and downloads four additional payloads.

Two versions of the Mimikatz penetration testing tool are deployed. Their job is to steal passwords, and the exfiltration of the sensitive information happens weekly at 3 AM when nobody's looking at the network traffic.

In addition to the Mimikatz samples, the first stage payload also downloads and runs a modified version of the Gh0stRAT remote access trojan, which basically gives the threat actors complete control over the victim machine. With it, they can:

  • View the list of running processes
  • Log keystrokes
  • Spy on victims through the web camera and microphone
  • Shut down and reboot the PC remotely
  • Execute shell commands
  • View and modify files on the hard drive
  • Download and execute additional files from the Internet

The combination of the Mimikatz password stealer and the Gh0stRAT trojan makes the whole operation possible, and techniques like disguising the malicious processes as products made by Adobe and Oracle minimize the chances of detection. Nevertheless, Iron Tiger's campaign involves one more payload, and it's a surprising one.

It's a Bitcoin miner. Apparently, the people who launched Operation PZChao decided that in addition to spying on their targets, they could make a few quick dollars by harnessing their victims' hardware to generate digital money. Once again, the miner is designed to spring into action only once every three weeks at 3 o'clock in the morning so that users won't notice the performance impact.
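As an added illustration that is not part of the original article or of BitDefender's report, the two tradecraft details above (recurring 3 AM schedules and binaries named after Adobe or Oracle products) can be turned into a simple triage check over a scheduled-task listing. The sample records below are constructed in the column layout of `schtasks /query /v /fo CSV`; the task names and paths are invented, not indicators from the campaign.

```python
import csv
import io
import re

# Constructed sample modelled on a subset of `schtasks /query /v /fo CSV` columns.
# Every entry is invented for illustration; none is an Operation PZChao artifact.
SAMPLE_TASKS = """\
"TaskName","Next Run Time","Schedule Type","Days","Repeat: Every","Task To Run"
"\\Microsoft\\Windows\\Defrag\\ScheduledDefrag","2/21/2018 1:00:00 AM","Weekly","WED","N/A","%windir%\\system32\\defrag.exe -c"
"\\AdobeUpdate","2/21/2018 3:00:00 AM","Weekly","WED","N/A","C:\\Users\\Public\\AdobeUpdate.exe"
"\\JavaUpdateSched","3/7/2018 3:00:00 AM","Weekly","WED","N/A","C:\\ProgramData\\java\\jucheck.exe"
"\\Adobe Acrobat Update Task","2/21/2018 4:00:00 AM","Daily","Every day","1 Hour(s)","C:\\Program Files (x86)\\Common Files\\Adobe\\ARM\\1.0\\AdobeARM.exe"
"""

# Vendor names the article says the malicious processes impersonated (Adobe, Oracle/Java).
VENDOR_WORDS = re.compile(r"adobe|acrobat|oracle|java", re.IGNORECASE)
# Locations where a genuine vendor updater would normally live.
TRUSTED_DIRS = re.compile(r"[A-Z]:\\Program Files( \(x86\))?\\|%windir%|C:\\Windows\\", re.IGNORECASE)

def off_hours(next_run: str) -> bool:
    """True when the task fires between 01:00 and 04:59 AM (the campaign used 3 AM)."""
    m = re.search(r"\s(\d{1,2}):\d{2}:\d{2}\s+AM$", next_run.strip())
    return bool(m) and 1 <= int(m.group(1)) <= 4

def suspicious_tasks(csv_text: str) -> list:
    """Return names of weekly, off-hours tasks whose binary borrows a vendor name
    but runs from outside the usual vendor install directories."""
    hits = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        cmd = row["Task To Run"].strip()
        if not VENDOR_WORDS.search(cmd):
            continue  # only vendor-name masquerades are of interest here
        if TRUSTED_DIRS.match(cmd):
            continue  # genuine updater under Program Files / Windows
        if row["Schedule Type"] == "Weekly" and off_hours(row["Next Run Time"]):
            hits.append(row["TaskName"])
    return hits

if __name__ == "__main__":
    for name in suspicious_tasks(SAMPLE_TASKS):
        print("review:", name)
```

On a real host the listing would come from `schtasks /query /v /fo CSV` exported to a file; the check is a triage filter, so each hit still needs the binary's signature and hash verified by hand.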

As you probably know, mining software that silently generates cryptocurrency on victims' computers has become increasingly trendy among cybercriminals. This is perhaps the first time we've seen an Advanced Persistent Threat group use one, though. It could indicate that Iron Tiger's backers aren't powerful enough to supply the necessary funds to sustain the operation. Alternatively, it could mean that the hackers are just greedy.
