“This is a unique industry with a constant large cash flow. Huge sums of money and different financial transfer schemes… give more opportunity for abuse.”
Further investigation into the attack revealed how Iron Tiger has upgraded its toolset over time. As part of the initial incident response, researchers discovered the threat group utilizing the HyperBro malware, a remote access trojan (RAT) used to gain access to infected systems. It also utilized a rootkit called Pandora, which performs backdoor functions.
More recently, researchers observed the threat group in December utilizing the SysUpdate malware sample as part of the attack. This malware, which was previously discovered and linked to Iron Tiger by researchers in 2018, has remote access capabilities such as managing files and processes, launching a command shell, interacting with services, taking screenshots, and uploading and downloading additional malware payloads.
Previously, the malware variant utilized by Iron Tiger was loaded by a known process, involving three files. These included a legitimate executable, a malicious dynamic-link library (DLL) file loaded by the executable, and a binary file that contained obfuscated code.
The attack on the gambling company revealed a new process, where SysUpdate was loaded using five files in its infection routine. In this process, a shellcode was utilized that decompressed and loaded a launcher in memory. This launched, then decoded, two encrypted files: One (data.res) containing two SysUpdate versions; and another (config.res) containing the SysUpdate configuration, such as the command-and-control (C2) server address.
Researchers said this update is “a smart move on the attacker’s side” in terms of obfuscation, as it splits information between various different files, making it harder to extract and analyze the malware.
In April 2020, researchers also found Iron Tiger making new use of a rootkit to hide its backdoors. The rootkit was taken from a public GitHub repository and was used to hide processes, files and services.
Beyond this particular attack, researchers said Iron Tiger has expanded its target base to include other industries – including governments, banks, telecommunication providers and the energy sector – in different countries in the Middle East and Southeast Asia over the past 18 months.
However, the gambling sector has proved to be lucrative for threat groups in general, researchers said, because “quite simply, it’s where the money is.” A multitude of cyberattacks have hit gambling companies and casinos over the past year, including ones in October against two casinos in Idaho that led to their temporary shutdown. Southeast Asia, in particular, has a strong economy for gambling because of overall population growth and “a general propensity for gambling” – making it opportunistic for threat actors, said researchers.
“This is a unique industry with a constant large cash flow,” said Yaneza. “Huge sums of money and different financial transfer schemes… give more opportunity for abuse.”