Daniel LunghiMay 2, 2023
The slides https://botconf.eu/wp-content/uploads/2023/04/2023_5856_LUNGHI.pdf and video https://youtube.com/watch?v=713CsmcNE3o of my #Botconf talk about #IronTiger TTPs are online. I discuss recent infection vectors (including a supply chain attack), the evolution of their malware toolkit and targeting, and explain how we attributed these campaigns to #IronTiger #APT27 #APT threat actor
Daniel LunghiMar 1, 2023
My latest #APT research on #IronTiger (#APT27/#EmissaryPanda/#LuckyMouse) is out ! It includes analysis of a new version of SysUpdate ported to Linux, a new communication protocol through DNS TXT requests, a VMProtect certificate compromise, and probable infection vector https://trendmicro.com/en_us/research/23/c/iron-tiger-sysupdate-adds-linux-targeting.html
Iron Tiger’s SysUpdate Reappears, Adds Linux Targeting

We detail the update that advanced persistent threat (APT) group Iron Tiger made on the custom malware family SysUpdate. In this version, we also found components that enable the malware to compromise Linux systems.

Trend Micro
Daniel LunghiNov 10, 2022

#introduction I have been working on targeted attacks for a long time now, first as an incident responder, and now doing threat intelligence at Trend Micro.
I usually focus for a while on a threat actor, and when I feel I know enough, publish something about it. The fun part is that very often, while investigating a threat actor, you end up finding stuff on another one, which you can add to your TODO list once the current investigation is completed :)
BTW, this is a good reason to be careful with the attribution out there, infrastructure overlap and tool sharing are common stuff nowadays.

Some of my previous work on #APT groups:

#Patchwork:
https://www.trendmicro.com/en_us/research/17/l/untangling-the-patchwork-cyberespionage-group.html
#Confucius:
https://www.trendmicro.com/fr_fr/research/18/b/deciphering-confucius-cyberespionage-operations.html
https://www.trendmicro.com/en_us/research/21/h/confucius-uses-pegasus-spyware-related-lures-to-target-pakistani.html
#UrPage/#Bahamut:
https://www.trendmicro.com/en_us/research/18/h/the-urpage-connection-to-bahamut-confucius-and-patchwork.html
A bit of all previous actors:
https://www.first.org/resources/papers/tallinn2019/Linking_South_Asian_cyber_espionnage_groups-to-publish.pdf

#MuddyWater:
https://www.trendmicro.com/en_us/research/18/k/new-powershell-based-backdoor-found-in-turkey-strikingly-similar-to-muddywater-tools.html
https://documents.trendmicro.com/assets/white_papers/wp_new_muddywater_findings_uncovered.pdf

Maybe APT37 (unconfirmed):
https://www.trendmicro.com/en_us/research/19/c/new-slub-backdoor-uses-github-communicates-via-slack.html

#EarthAkhlut/#Tonto:
https://vb2020.vblocalhost.com/uploads/VB2020-Lunghi-Horejsi.pdf
Operation DRBControl:
https://www.trendmicro.com/vinfo/us/security/news/cyber-attacks/operation-drbcontrol-uncovering-a-cyberespionage-campaign-targeting-gambling-companies-in-southeast-asia
#EarthBerberoka:
https://www.trendmicro.com/en_us/research/22/d/new-apt-group-earth-berberoka-targets-gambling-websites-with-old.html
https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/exposing-earth-berberoka-a-multiplatform-apt-campaign-targeting-online-gambling-sites
#IronTiger/#EarthSmilodon:
https://www.trendmicro.com/en_no/research/21/d/iron-tiger-apt-updates-toolkit-with-evolved-sysupdate-malware-va.html
https://www.trendmicro.com/en_us/research/22/h/irontiger-compromises-chat-app-Mimi-targets-windows-mac-linux-users.html

Untangling the Patchwork Cyberespionage Group

Patchwork (also known as Dropping Elephant) is a cyberespionage group known for targeting diplomatic and government agencies that has since added businesses to their list of targets.

Trend Micro