Iron Tiger’s SysUpdate Reappears, Adds Linux Targeting

Trend Micro’s report details Iron Tiger’s update to SysUpdate, adding Linux-targeting capabilities and new C2 features, including DNS-based communication. It also notes hardened loading techniques, abuse of signed binaries, and a lure built around a chat application, indicating broader platform support and ongoing exploitation in the wild. #IronTiger #SysUpdate #Linux #DNS #Wazuh #VMProtect #Youdu

Keypoints

  • Iron Tiger updated SysUpdate in 2022 to add Linux targeting and cross-platform capabilities.
  • The loading chain uses rc.exe (a legitimate Microsoft tool) with a DLL side-loading step to load rc.dll and proceed with Stage 1.
  • The shellcode is Shikata Ga Nai-encoded and decrypted in memory before Stage 2 is loaded.
  • C2 communications include DNS TXT requests, a new DNS tunneling capability, and domain-based C2 names.
  • Linux SysUpdate samples were found, implemented with the ASIO library and sharing network and configuration patterns with the Windows versions.
  • The campaign leverages stolen VMProtect code-signing certificates and signs some payloads with that certificate, including a Redline stealer instance observed later.

MITRE Techniques

  • [T1574] Hijack Execution Flow – DLL Side-Loading – The attacker runs rc.exe, a legitimately signed Microsoft Resource Compiler binary susceptible to DLL side-loading, which loads a file named rc.dll. ‘The attacker runs rc.exe, a legitimate “Microsoft Resource Compiler” signed file, which is vulnerable to a DLL side-loading vulnerability, and loads a file named rc.dll.’
  • [T1055] Process Injection – Process Hollowing – The malware loads Stage 1 again via process hollowing with four parameters. ‘…calls Stage 1 again via process hollowing with four parameters’
  • [T1140] Deobfuscate/Decode Files or Information – The rc.bin file is a Shikata Ga Nai encoded shellcode that decompresses and loads the first stage in memory. ‘The rc.bin file is a Shikata Ga Nai encoded shellcode that decompresses and loads the first stage in memory.’
  • [T1112] Modify Registry – Persistence is achieved by creating a registry key that launches the malware on reboot. ‘…creates a registry key that launches the moved executable rc.exe with one parameter…’
  • [T1543.003] Create or Modify System Process: Windows Service – Persistence via a service that launches the malware at startup. ‘…or a service that launches the moved executable rc.exe with one parameter.’
  • [T1218] Signed Binary Proxy Execution – The malware abuses a signed binary (rc.exe) to proxy execution of the malicious components. ‘The attacker runs rc.exe, a legitimate “Microsoft Resource Compiler” signed file…’
  • [T1071.004] Application Layer Protocol: DNS – C2 communication via DNS TXT requests. ‘C&C communication through DNS TXT requests.’
  • [T1113] Screen Capture – The malware can take screenshots as part of its capabilities. ‘Screenshot grab’
  • [T1555.003] Credentials from Web Browsers – Post-exploitation tool extracts Chrome passwords and cookies. ‘decrypts the saved passwords to a file named “passwords.txt”, and the cookies to a file named “cookies.txt”.’
  • [T1057] Process Discovery – The malware enumerates and manages processes (browse and terminate actions). ‘Process manager (browses and terminates processes)’
  • [T1036] Masquerading – A signed Wazuh executable is used for side-loading so that the malicious component runs under a legitimate-looking process. ‘abusing a sideloading vulnerability in a Wazuh signed executable’
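As an added illustration (not code from the Trend Micro report), a small Python detector that scores DNS query log lines for the behaviours summarised above: TXT queries to domains outside an allowlist, queries sent straight to an external resolver such as 8.8.8.8 instead of the corporate one, and long high-entropy leading labels typical of DNS tunnelling. The log format, the resolver address 10.0.0.2 and the allowlist are assumptions; the log lines are constructed.

```python
import math
from collections import Counter

# Constructed sample log, one query per line (not from the report):
# "<timestamp> <client_ip> <resolver_ip> <qtype> <qname>"
SAMPLE_LOG = """\
2023-03-01T10:00:01Z 10.0.0.15 10.0.0.2 A intranet.example.local
2023-03-01T10:00:05Z 10.0.0.15 10.0.0.2 TXT _dmarc.example.com
2023-03-01T10:00:09Z 10.0.0.15 8.8.8.8 TXT 3f9a1c7e8b2d4f60.dev.gitlabs.me
2023-03-01T10:00:12Z 10.0.0.15 8.8.8.8 TXT a9e0b7c14d2f6e83b5.dev.gitlabs.me
2023-03-01T10:00:15Z 10.0.0.15 10.0.0.2 A www.example.com
"""

INTERNAL_RESOLVERS = {"10.0.0.2"}   # assumption: the corporate resolver
TXT_ALLOWLIST = {"example.com"}      # assumption: zones legitimately queried for TXT
MIN_LABEL_LEN = 16                   # leading-label length suggesting encoded data
MIN_ENTROPY = 3.0                    # bits/char; random hex sits near 4.0


def label_entropy(label):
    """Shannon entropy (bits per character) of one DNS label."""
    counts = Counter(label)
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def classify(line):
    """Return the list of reasons a single log line looks suspicious."""
    _ts, _client, resolver, qtype, qname = line.split()
    reasons = []
    if resolver not in INTERNAL_RESOLVERS:
        reasons.append("external-resolver")          # bypasses corporate DNS
    allowed = any(qname == d or qname.endswith("." + d) for d in TXT_ALLOWLIST)
    if qtype == "TXT" and not allowed:
        reasons.append("txt-unallowlisted")          # TXT C2 channel candidate
    first = qname.split(".")[0]
    if len(first) >= MIN_LABEL_LEN and label_entropy(first) > MIN_ENTROPY:
        reasons.append("high-entropy-label")         # DNS tunnelling candidate
    return reasons


def detect(log_text):
    """Map each flagged query name to the reasons it was flagged."""
    hits = {}
    for line in log_text.splitlines():
        if line.strip():
            reasons = classify(line)
            if reasons:
                hits[line.split()[4]] = reasons
    return hits
```

Only the two TXT queries to the C2 domain trip all three heuristics; the legitimate DMARC TXT lookup stays clean because it goes through the internal resolver to an allowlisted zone.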

Indicators of Compromise

  • [Domain] dev.gitlabs.me – C&C domain observed in the configuration and in DNS-based communication of both the Linux and Windows SysUpdate variants
  • [IP] 8.8.8.8 – fallback DNS resolver (Google public DNS, not malicious in itself) used by the malware for DNS C2 when GetNetworkParams fails
  • [File name] rc.exe, rc.dll, rc.bin – side-loaded components in the Windows loading chain
  • [File name] inicore_v2.3.30.dll, inicore_v2.3.30.bin – sideloaded DLL and payload
  • [File name] DLPREM32.dll, sv.bin, sysconfig.bin – additional sideloaded/loaded binaries or configurations
  • [File name] GameuxInstallHelper.DLL – sideloaded DLL in a legitimate app
  • [File name] wazuhext.bin, libwazuhshared.dll – binaries involved in Wazuh-related sideloading chain
  • [Certificate] Permyakov Ivan Yurievich IP – Authenticode signer associated with VMProtect certificates
  • [Hash] e24b29a1df287fe947018c33590a0b443d6967944b281b70fba7ea6556d00109 – Redline sample signed by the same certificate
  • [File name] youdu_client_211.9.194.exe – sample name observed related to the infection vector discussion

Read more: https://www.trendmicro.com/en_us/research/23/c/iron-tiger-sysupdate-adds-linux-targeting.html