The Iron Tiger malware's ChangePort toolkit changes network port configurations to evade detection and maintain persistence. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential malware activity and prevent lateral movement or data exfiltration.
YARA Rule

rule IronTiger_ChangePort_Toolkit_ChangePortExe
{
    meta:
        author = "Cyber Safety Solutions, Trend Micro"
        description = "Iron Tiger Malware - Toolkit ChangePort"
        reference = "http://goo.gl/T5fSJC"
    strings:
        $str1 = "Unable to alloc the adapter!" nocase wide ascii
        $str2 = "Wait for master fuck" nocase wide ascii
        $str3 = "xx.exe <HOST> <PORT>" nocase wide ascii
        $str4 = "chkroot2007" nocase wide ascii
        $str5 = "Door is bind on %s" nocase wide ascii
    condition:
        uint16(0) == 0x5a4d and (2 of ($str*))
}
This rule contains 5 string patterns in its detection logic; it matches a PE file (the uint16(0) == 0x5a4d check is the "MZ" header) in which at least two of those five strings are found, in ASCII or wide (UTF-16LE) form, case-insensitively. Legitimate port changes can look similar in process telemetry, so the scenarios below list such cases together with the filters or exclusions to apply when hunting.
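As an added illustration (not part of the page, and not Trend Micro's code), the matcher below re-implements the rule's condition in pure Python so the "MZ header plus 2 of 5 strings" logic can be checked against constructed byte buffers; it assumes YARA's usual semantics that nocase folds only ASCII letters and that wide means UTF-16LE.

```python
import struct

# String patterns copied from the IronTiger_ChangePort_Toolkit_ChangePortExe rule above.
PATTERNS = [
    "Unable to alloc the adapter!",   # $str1
    "Wait for master fuck",           # $str2
    "xx.exe <HOST> <PORT>",           # $str3
    "chkroot2007",                    # $str4
    "Door is bind on %s",             # $str5
]


def match_changeport_rule(buf):
    """Return (matched, hit_names) for a byte buffer, following the rule's logic.

    uint16(0) == 0x5a4d  -> first two bytes read little-endian are "MZ".
    nocase wide ascii    -> each string is searched as ASCII and as UTF-16LE,
                            with ASCII-only case folding (assumed YARA semantics).
    condition            -> MZ header and at least 2 of the 5 strings present.
    """
    if len(buf) < 2 or struct.unpack_from("<H", buf, 0)[0] != 0x5A4D:
        return False, []
    hay = buf.lower()  # bytes.lower() folds only A-Z, leaving UTF-16 null bytes intact
    hits = []
    for i, pattern in enumerate(PATTERNS, start=1):
        needle = pattern.lower()
        if needle.encode("ascii") in hay or needle.encode("utf-16-le") in hay:
            hits.append("$str%d" % i)
    return len(hits) >= 2, hits


# Constructed sample buffers (not real malware): a fake 64-byte DOS header stub
# followed by strings placed the way a PE file would carry them.
SAMPLES = {
    # MZ header, $str4 in upper-case ASCII, $str5 as a wide (UTF-16LE) string -> match
    "toolkit_like": b"MZ" + b"\x00" * 62 + b"CHKROOT2007\x00"
                    + "Door is bind on %s".encode("utf-16-le"),
    # Same strings but no MZ header (e.g. a text file) -> no match
    "no_mz_header": b"\x00" * 64 + b"chkroot2007\x00" + b"Door is bind on %s",
    # MZ header but only one of the five strings -> below the "2 of" threshold
    "single_string": b"MZ" + b"\x00" * 62 + b"chkroot2007",
}


if __name__ == "__main__":
    for name, data in SAMPLES.items():
        matched, hits = match_changeport_rule(data)
        print("%-14s matched=%s hits=%s" % (name, matched, hits))
```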
Scenario: A system administrator is using PowerShell to change the port for a legitimate internal service (e.g., SQL Server or a custom application).
Filter/Exclusion: Check for ProcessName containing “powershell.exe” and filter out known internal services or check for CommandLine containing -Command with legitimate port configuration commands.
Scenario: A Windows Scheduled Task is configured to run a script that changes the listening port of a legitimate application (e.g., a load balancer or reverse proxy).
Filter/Exclusion: Filter tasks with TaskName matching known internal task names or check for CommandLine containing valid port configuration commands for known services.
Scenario: A Windows Service (e.g., IIS or Exchange) is configured to dynamically adjust its listening ports based on load or configuration changes.
Filter/Exclusion: Use ProcessName to exclude known services like “w3svc.exe” or “msexch.exe”, or check for CommandLine containing valid configuration commands for those services.
Scenario: A network monitoring tool (e.g., Wireshark or tcpdump) is running with elevated privileges and temporarily changes the listening port for packet capture.
Filter/Exclusion: Filter by ProcessName such as “Wireshark.exe” or “tcpdump.exe”, or check for CommandLine containing capture-related flags.
Scenario: A system update or patching tool (e.g., Windows Update or SCCM) modifies network settings during an update process, including port changes.
Filter/Exclusion: Use ProcessName to exclude known update tools like “wuauserv.exe” or “ccmexec.exe”, or check for CommandLine containing update-related keywords.