
Operation PZChao: a possible return of the Iron Tiger APT

More than 30 years after the end of the Cold War, digital infrastructures worldwide have become strategic national fronts with the same importance as the geographical frontiers of air, land, sea and space.

To ensure viability in this fifth domain, cyber-attacks are growing in complexity as threat actors divide payloads into multiple modules with highly specialized uses to achieve a target's compromise. The past few years have seen high-profile cyber-attacks shift from damaging the targets' digital infrastructures to stealing highly sensitive data, silently monitoring the victim and constantly laying the ground for a new wave of attacks.

This is also the case of a custom-built piece of malware that we have been monitoring for several months as it wrought havoc in Asia. Our threat intelligence systems picked up the first indicators of compromise in July last year, and we have kept an eye on the threat ever since.

An interesting feature of this threat, which drew our team to the challenge of analyzing it, is that it features a network of malicious subdomains, each one used for a specific task (download, upload, RAT related actions, malware DLL delivery). The payloads are diversified and include capabilities to download and execute additional binary files, collect private information and remotely execute commands on the system.

In the analysis process, we managed to retrieve the malware payloads hosted on one of the command and control servers along with some statistics, such as the total number of downloads and logs containing the targeted victims. Among the most-downloaded malicious files, we found variants of Gh0st RAT used in the Iron Tiger APT operation [more information about Iron Tiger is available in a research paper published by TrendMicro]. Interestingly enough, these new samples now connect to the new attack infrastructure.

This whitepaper takes an in-depth look at the attack chain, the infrastructure used by the threat actors, the malware subdomains they control and the payloads delivered on the targeted systems, as well as other telltale signs of a possible return of the Iron Tiger APT.


About the author

Ivona Alexandra CHILI

Ivona Alexandra CHILI is a Forensics Engineer in the Bitdefender Cyber Threat Intelligence Lab. She has recently graduated in Computer Science from the Alexandru Ioan Cuza University in Iasi and is currently pursuing a bachelor's degree. With almost three years of experience in malware reverse engineering, she aims to become a recognized professional in the field of cyber security. She strongly believes that working in anti-malware research sharpens a multitude of technical skills that would remain dormant in any other industry.

About the author

Bogdan Botezatu is living his second childhood at Bitdefender as director of threat research. When he is not documenting sophisticated strains of malware or planning removal tools, he teaches extreme sports such as surfing the web without protection or rodeo with wild Trojan horses. He believes that most things in life can be beat with strong heuristics and that antimalware research is like working for a secret agency: you need to stay focused at all times, but you get all the glory when you catch the bad guys.
