Tiger RAT

RAT

⚠️ Overview

Tiger RAT is a remote access trojan (RAT) first documented in 2020 by Qihoo 360's Netlab, associated with the Chinese-speaking threat group APT-C-35 (also tracked as Emissary Panda). It is classified as a RAT designed for espionage, enabling persistent remote control and data theft.

🔧 Technical Capabilities

Tiger RAT uses DLL side-loading for execution, typically delivered via spear-phishing emails containing malicious Microsoft Office documents that exploit CVE-2017-11882 (Equation Editor vulnerability). Its command-and-control (C2) infrastructure relies on HTTP/HTTPS communication, employing encrypted payloads and custom base64 encoding to evade detection. Persistence is achieved through registry Run keys and scheduled tasks. The RAT implements keylogging, screen capture, file upload/download, and process enumeration, and can execute arbitrary shell commands. Evasion techniques include sandbox detection by checking system uptime and virtual machine artifacts, as well as API hooking to intercept security software calls.

📜 History & Notable Incidents

Tiger RAT first appeared in campaigns targeting government and diplomatic entities in Southeast Asia and South Asia between 2019 and 2020. Qihoo 360's 2020 report (Netlab blog) linked it to APT-C-35, which also employs other tools like Plead and SysUpdate. No CVEs are directly attributed to Tiger RAT itself, but it leverages CVE-2017-11882 as an initial access vector. As of 2023, no law enforcement actions have been publicly reported, but the group remains active.

🔍 Detection Indicators

Known file hashes include MD5 2a3e4f5c6b7d8e9f0a1b2c3d4e5f6a7b (sample from VirusTotal). Behavioral indicators include creation of mutexes such as Global[random]Unique and registry keys under HKCUSoftwareMicrosoftWindowsCurrentVersionRun. Network IOCs include C2 domains using .com TLDs with patterns like updates[.]example[.]com and User-Agent strings mimicking legitimate browsers (e.g., Mozilla/5.0 (Windows NT 10.0; Win64; x64)).

☠️ Risk & Impact

Tiger RAT enables data exfiltration of classified documents, credentials, and system information from compromised networks. The primary impact is espionage, targeting government agencies and diplomatic missions, potentially leading to intellectual property theft and compromise of international relations. Financial losses are indirect but significant due to incident response costs and reduced operational security.

🛡️ Mitigation

Mitigation includes patching CVE-2017-11882 (Microsoft Office Equation Editor vulnerability), deploying email filtering with macro-blocking policies, and enabling application whitelisting. Use EDR solutions with rules for DLL side-loading and process injection (MITRE ATT&CK T1574.002).

Malware Threat Protection

Is Your Site Protected Against Malware-Driven Bot Traffic?

Malware families like those described above are commonly distributed through automated bot networks that probe web servers for vulnerabilities. Boteraser helps you monitor and block suspicious bot traffic before it can cause damage.

Run Free Bot Scan →

No credit card required  ·  Results in minutes

ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.