TigerLite
Intelligence Profile
TigerLite is a TCP downloader.
It creates mutexes like "qtrgads32" or "Microsoft32".
It uses RC4 with the key "MicrosoftCorporationValidation@#$%^&*()!US" for decryption of its character strings, and a custom algorithm for encryption and decryption of network traffic.
It supports from 5 up to 8 commands with the following identifiers: 1111, 1234, 2099/3333, 4444, 8877, 8888, 9876, 9999. The commands mostly perform various types of execution - either of code received from the server, or native Windows commands, with their output collected and sent back to the server.
TigerLite is an intermediate step of a multi-stage attack, in which Tiger RAT is usually the next step. This malware was observed in attacks against South Korean entities in H1 2021.
Threat Analysis
TigerLite is a known-sophistication threat actor of undetermined national origin, engaged in cyber operations with a primary motivation of unknown activity patterns.