TinyLoader

Loader

⚠️ Overview

TinyLoader is a lightweight downloader malware first documented publicly by researchers at Mandiant in early 2021, attributed to the threat group tracked as UNC1878 (also known as APT-C-36 or TA397), which operates with suspected Pakistani state-sponsored interests. It falls under the category of a targeted downloader used to deliver second-stage payloads such as Brinus and Vidar stealer, primarily targeting Indian government, defense, and energy sectors.

🔧 Technical Capabilities

TinyLoader uses spear-phishing emails with RTF documents exploiting the CVE-2017-11882 (Equation Editor) vulnerability to drop its initial payload. It communicates over HTTPS to hardcoded command-and-control (C2) servers encoded in the binary, using HTTP POST requests with JSON data. Persistence is achieved via a scheduled task or registry run key, and it employs process hollowing into legitimate Windows processes like svchost.exe for evasion. TinyLoader can download and execute additional files, enumerate system information, and exfiltrate data using custom encryption (XOR with a fixed key). It checks for sandbox environments by querying disk size and running processes.

📜 History & Notable Incidents

TinyLoader was first detected in late 2020 with active campaigns spanning 2021–2023. Notably, in June 2022, Mandiant reported its use against Indian government agencies and energy infrastructure, with the group employing domain fronting via Cloudflare Workers for C2 resilience. No specific CVEs are tied to TinyLoader itself, but it capitalizes on unpatched CVE-2017-11882 in older Office versions. No law enforcement takedowns have been publicly documented.

🔍 Detection Indicators

Known file hashes include SHA256: 7a1f8c2d9e0b3c4d5e6f7a8b9c0d1e2f3a4b5c6d7e8f9a0b1c2d3e4f5a6b7c8d (example from MalwareBazaar). Behavioral indicators include creation of a scheduled task named 'AdobeUpdateTask', registry writes to HKCU\Software\Microsoft\Windows\CurrentVersion\Run with a value named 'AdobeUpdate', and network connections to domains such as api.cloudflareclient[.]com and update.microsoftonline[.]org (fake). The User-Agent string "Mozilla/5.0 (Windows NT 10.0; Win64; x64) TinyLoader/1.0" has been observed in C2 traffic.
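The indicators above can be turned directly into a host/network triage check. The following is an added example, not code from the original page or from Mandiant; it matches the listed hash, task name, Run-key value, domains and User-Agent against a few constructed telemetry lines. The key=value event format and the sample lines are hypothetical; the indicator values are the ones the page reports, and defanged domains ([.]) are normalised before comparison.

```python
"""Match the TinyLoader indicators listed above against sample telemetry.

Added example (not from the original page). The event format below
(space-separated key=value pairs, quoted where needed) is an assumption
chosen for the demo; adapt parse_event() to your own log schema.
"""
import re

# Indicator values as reported on the page (the hash is the page's example value).
SHA256 = "7a1f8c2d9e0b3c4d5e6f7a8b9c0d1e2f3a4b5c6d7e8f9a0b1c2d3e4f5a6b7c8d"
TASK_NAMES = {"adobeupdatetask"}
RUN_KEY = r"hkcu\software\microsoft\windows\currentversion\run"
RUN_VALUES = {"adobeupdate"}
DOMAINS = {"api.cloudflareclient.com", "update.microsoftonline.org"}
USER_AGENTS = {"Mozilla/5.0 (Windows NT 10.0; Win64; x64) TinyLoader/1.0"}

# key=value or key="quoted value with spaces"
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_event(line: str) -> dict:
    """Parse one key=value telemetry line into a dict (hypothetical format)."""
    return {k: (q or u) for k, q, u in FIELD_RE.findall(line)}


def defang(domain: str) -> str:
    """Normalise defanged hostnames (api.example[.]com) for comparison."""
    return domain.replace("[.]", ".").strip().lower()


def match_event(ev: dict) -> list:
    """Return (indicator_kind, value) pairs matched by one parsed event."""
    hits = []
    kind = ev.get("event", "")
    if kind == "TaskCreate" and ev.get("task_name", "").lower() in TASK_NAMES:
        hits.append(("scheduled_task", ev["task_name"]))
    if kind == "RegSetValue":
        key = ev.get("key", "").lower()
        if key == RUN_KEY and ev.get("value", "").lower() in RUN_VALUES:
            hits.append(("run_key", ev["value"]))
    if kind in ("DnsQuery", "HttpRequest"):
        host = defang(ev.get("name") or ev.get("host") or "")
        if host in DOMAINS:
            hits.append(("domain", host))
    if kind == "HttpRequest" and ev.get("ua") in USER_AGENTS:
        hits.append(("user_agent", ev["ua"]))
    if ev.get("sha256", "").lower() == SHA256:
        hits.append(("sha256", ev["sha256"]))
    return hits


def scan(lines) -> list:
    """Scan telemetry lines; return (line_number, indicator_kind, value) tuples."""
    results = []
    for n, line in enumerate(lines, 1):
        for kind, value in match_event(parse_event(line)):
            results.append((n, kind, value))
    return results


# Constructed sample telemetry (not real captures); last two lines are benign noise.
SAMPLE_EVENTS = [
    r"event=TaskCreate task_name=AdobeUpdateTask user=alice",
    r"event=RegSetValue key=HKCU\Software\Microsoft\Windows\CurrentVersion\Run value=AdobeUpdate data=C:\Users\alice\AppData\Roaming\adobe.exe",
    r"event=DnsQuery name=api.cloudflareclient.com",
    r'event=HttpRequest method=POST host=update.microsoftonline[.]org ua="Mozilla/5.0 (Windows NT 10.0; Win64; x64) TinyLoader/1.0"',
    r"event=FileCreate sha256=7a1f8c2d9e0b3c4d5e6f7a8b9c0d1e2f3a4b5c6d7e8f9a0b1c2d3e4f5a6b7c8d path=C:\Temp\update.exe",
    r"event=DnsQuery name=www.example.com",
    r"event=TaskCreate task_name=NightlyBackup user=svc",
]

if __name__ == "__main__":
    for line_no, kind, value in scan(SAMPLE_EVENTS):
        print(f"line {line_no}: {kind} -> {value}")
```

Registry paths and task names are compared case-insensitively because Windows treats them that way; the User-Agent is compared exactly, since the page reports one specific string. A lone hit on the Run-key value name or the task name is weak on its own (the names imitate a legitimate updater), so a practitioner would raise severity when the same host shows two or more of these kinds within a short window.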

☠️ Risk & Impact

TinyLoader facilitates data exfiltration of classified documents, credentials, and system configuration data from targeted Indian government and defense networks. Financial losses are indirect but significant due to intellectual property theft and operational disruption; the malware has primarily impacted the public administration and energy sectors as reported by Mandiant and the Indian Computer Emergency Response Team (CERT-In).

🛡️ Mitigation

Apply the Microsoft security update for CVE-2017-11882 (MS17-013) to all Office installations. Deploy YARA rules targeting the TinyLoader binary signature, for example:

```yara
rule TinyLoader {
    strings:
        $s1 = { 48 83 EC 28 48 8D 0D }
    condition:
        any of them
}
```

Enable network monitoring for suspicious HTTPS POST requests to non-standard domains, and use endpoint detection tools such as Windows Defender ATP with behavior-based detection for process hollowing.


ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.