Iron Tiger updates malware to target Linux platform

Iron Tiger, an advanced persistent threat (APT) group, has updated their SysUpdate malware to include new features and add malware infection support for the Linux platform, according to a report by Trend Micro.

The earliest sample of this version was observed in July 2022 and after finding multiple similar payloads in late October 2022, Trend Micro researchers started looking into it and found similarities with the SysUpdate malware family.

Iron Tiger is a group of China-based threat actors who have been seen active since 2013. In their initial operations they were seen stealing terabytes of confidential data from employees of high-technology companies in the US. The group has made the loading logic of the latest malware variant complex to evade security solutions.  

The Linux SysUpdate

The latest malware variant is written in C++ using the Asio library, and its functionality is very similar to Iron Tiger’s Windows version of SysUpdate. SysUpdate malware has functions that can carry out system services, grab screenshots, browse and terminate processes, retrieve drive information, execute commands, and can find, delete, rename, upload, and download files as well as peruse a victim’s file directory, the Trend Micro report said. 

While investigating SysUpdate’s infrastructure, researchers found some ELF files linked to some command and control servers. “We analyzed them and concluded that the files were a SysUpdate version made for the Linux platform,” the report said. 

The ELF samples shared common network encryption keys and had many similar features such as the file handling functions. “It is possible that the developer made use of the Asio library because of its portability across multiple platforms,” the report said. 

In the Linux version there is an additional feature that carries out command and control communication through DNS TXT requests. “While DNS is not supposed to be a communication protocol, the attacker abuses this protocol to send and receive information,” the report said.

While the initial infection vector is not known, it was observed by the researchers that chat apps were also used to lure and trick victims into downloading the infection payload. Once successfully downloaded, the malware sends back information such as GUID, host name, username, local IP address and port used to send the request, current PID, kernel version and machine architecture, and current file path to the command and control servers. 

One of the victims of this campaign was a gambling company in the Philippines, the report noted. The threat actor is known to target gambling industry and the South-East Asia region. 

Indicated interest in other platforms

The threat actor had already indicated its interest in platforms other than Windows. In 2022, Iron Tiger also known as APT 27, was seen targeting MacOS and Linux system with its malware family called rshell.

Further updates of these tools are likely to come up in the future to accommodate other platforms and apps, according to the Trend Micro report. “The threat actor is likely to reuse the tools mentioned here in future campaigns that might target different regions or industries in the short and long term,” the report said.