Delaware, USA – February 9, 2018 – The Iron Tiger APT group is back in business. Researchers from Bitdefender discovered a cyber espionage campaign targeting the government, technology and telecommunications sectors in Asia and North America, which they dubbed Operation PZChao. The uncovered infrastructure and malware allowed the researchers to link this campaign to the infamous Chinese hacker group Iron Tiger. The campaign has been active since July 2017: the adversaries send carefully crafted phishing emails containing malicious VBS files. Once launched, the script downloads additional payloads from the control servers, including a Bitcoin miner, the Mimikatz utility and a modified Gh0st RAT, which has a wide range of capabilities for cyber espionage. Using these tools, the adversaries can take complete control of infected systems and steal sensitive data.
Mimikatz remains one of the most popular tools for stealing credentials after the initial compromise of a system, since its operations are extremely difficult to detect. To discover the malicious activity of this utility, you can use the Mimikatz Defense Framework, which allows ArcSight, QRadar and Splunk to uncover attempts to use dumped credentials.