SmallTiger Malware Used in Attacks Against South Korean Businesses (Kimsuky and Andariel)
Essential information
- Published: 11/06/2024 10:04
- Modified: 11/06/2024 10:31
- Tags: 2024-06-11, apt, durianbeacon, meterpreter, mimikatz, multirdp, smalltiger, webbrowserpassview
- Related entities: 19 observables, 1 intrusion set (apt), 20 techniques (MITRE), 6 malware, 3 others
Description
This report details a series of attacks targeting South Korean companies, particularly defense contractors, automobile part manufacturers, and semiconductor manufacturers. The threat actor initially deployed malware strains associated with the Kimsuky group, such as MultiRDP and Meterpreter, but later switched to using a downloader named SmallTiger. The final payload in the earlier attacks was DurianBeacon, a backdoor malware previously used by the Andariel group. The SmallTiger downloader was employed to download additional payloads, including information stealers and credential harvesters like Mimikatz and WebBrowserPassView. The attacks began in November 2023 and were ongoing as of May 2024, with the threat actor leveraging various distribution methods such as software updaters, mshta, and even GitHub.