TigerLite

TigerLite is a TCP downloader.

It creates mutexes like "qtrgads32" or "Microsoft32".

It uses RC4 with the key "MicrosoftCorporationValidation@#$%^&*()!US" for decryption of its character strings, and a custom algorithm for encryption and decryption of network traffic.
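An added string-triage helper for analysts (not code from the malware or from Malpedia): it RC4-decrypts candidate blobs with the key quoted above and flags the mutex names listed on this page. It assumes each string is stored as raw RC4 ciphertext with the keystream restarted per string and the key taken as ASCII bytes; the page does not describe the storage layout, and the sample blobs are constructed.

```python
# Added example for analysts; not code from the malware or from Malpedia.
KEY = b"MicrosoftCorporationValidation@#$%^&*()!US"  # RC4 key quoted on the page
KNOWN_MUTEXES = {"qtrgads32", "Microsoft32"}          # mutex names quoted on the page


def rc4(key: bytes, data: bytes) -> bytes:
    """Standard RC4: key scheduling (KSA) followed by keystream XOR (PRGA)."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    i = j = 0
    out = bytearray()
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def triage(blobs):
    """Decrypt candidate blobs; keep printable results and flag known mutex names."""
    findings = []
    for blob in blobs:
        # Assumption: strings may carry a trailing NUL terminator.
        plain = rc4(KEY, blob).rstrip(b"\x00")
        if plain and all(0x20 <= c < 0x7F for c in plain):
            text = plain.decode("ascii")
            findings.append((text, text in KNOWN_MUTEXES))
    return findings


def constructed_samples():
    """Constructed input: two strings encrypted here, plus one unrelated blob."""
    return [
        rc4(KEY, b"qtrgads32\x00"),
        rc4(KEY, b"example string"),
        bytes(range(200, 216)),
    ]


if __name__ == "__main__":
    for text, is_mutex in triage(constructed_samples()):
        print(f"{text!r} known_mutex={is_mutex}")
```
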

It supports between 5 and 8 commands, with the following identifiers: 1111, 1234, 2099/3333, 4444, 8877, 8888, 9876, 9999. The commands mostly perform various types of execution: either of code received from the server or of native Windows commands, whose output is collected and sent back to the server.

TigerLite is an intermediate step of a multi-stage attack, in which Tiger RAT is usually the next step. This malware was observed in attacks against South Korean entities in H1 2021.


Family metadata imported from Malpedia (Fraunhofer FKIE).