Iron Hacker Group Uses New Backdoor to Infect Victims with Ransomware and Coinminers

Delaware, USA – June 6, 2018 – Experts from Intezer have published an investigation into the activities of the Iron hacker group, which was first spotted about a year and a half ago. The attackers build malware that infects systems running Windows, Linux and Android. Their arsenal consists of cryptocurrency miners, ransomware and backdoors used to install further malware on compromised systems. According to the investigation, the Iron group is most likely based in China: researchers found comments in the code written in Mandarin, and the group's targets are mostly located in that region. The backdoor used in recent campaigns is based on the Remote Control System source code, and its installer is protected by VMProtect. Once on the system, the installer drops and launches a modified Chrome plug-in that injects an in-browser coinminer and an online payment hijacker script into the browser. The malware then checks whether 360 Safe Guard or 360 Internet Security is installed; if neither is detected, the backdoor installs a fake certificate into the system and registers itself as a system service. The Iron group's backdoor can drop the Xagent cryptocurrency worm or ransomware, and it also installs a module that steals files which may contain cryptocurrency wallets.

Researchers say that more than ten thousand people have fallen victim to the group. The malware used by the group is largely based on the source code of known tools, but the attackers make significant changes and use various techniques to evade detection. To spot ransomware attacks, you can use your SIEM together with content from Threat Detection Marketplace. Ransomware Hunter will help your security solution detect signs of the attack before critical data is encrypted.