This rule identifies potential Iron Tiger malware activity by matching the driver-installer component of the Changeport toolkit, a tool the group used to maintain persistence and evade detection. A hit indicates that a binary carrying the toolkit's strings is present on disk, not that a driver has actually been loaded, so SOC teams should correlate matches with driver-installation and service-creation events in Azure Sentinel to catch early-stage execution before it leads to deeper compromise.
YARA Rule
rule IronTiger_ChangePort_Toolkit_driversinstall
{
    meta:
        author = "Cyber Safety Solutions, Trend Micro"
        description = "Iron Tiger Malware - Changeport Toolkit driverinstall"
        reference = "http://goo.gl/T5fSJC"
    strings:
        $str1 = "openmydoor" nocase wide ascii
        $str2 = "Install service error" nocase wide ascii
        $str3 = "start remove service" nocase wide ascii
        $str4 = "NdisVersion" nocase wide ascii
    condition:
        uint16(0) == 0x5a4d and (2 of ($str*))
}
This rule contains 4 string patterns in its detection logic. A file matches only if it begins with the MZ header (uint16(0) is read little-endian, so 0x5a4d is the bytes "MZ") and at least two of the four strings are present, in either ASCII or UTF-16LE and regardless of case. Because only two strings are required and two of them ("NdisVersion", a standard NDIS registry value name, and "Install service error", a generic installer message) can occur in legitimate network-driver installers, a match should be triaged against the file hash and Authenticode signer rather than discarded outright.
The scenarios below are common benign sources of driver-installation events that a hit on this rule may be correlated with. Each filter is a conjunction: the disjunctive form process.name != "a" OR process.name != "b" is always true, because no single process name equals both values, and therefore excludes nothing. Exclusions keyed on the installing process are also the weakest kind, since adversaries deliberately deliver payloads through the same legitimate tooling; a YARA hit on a file should be suppressed only after the file hash or signer has been confirmed, not because an approved installer happened to write it.
Scenario: Scheduled System Update Job
Description: A legitimate scheduled task runs a Windows Update or driver update process that installs a driver.
Filter/Exclusion: process.name != "wusa.exe" AND process.name != "dism.exe"
Scenario: Administrative Driver Installation via Group Policy
Description: An admin uses Group Policy to deploy a driver package to multiple endpoints as part of standard device management. gpmc.msc is an MMC snap-in hosted by mmc.exe on the administrator's workstation, not a process on the endpoint where the driver is installed, so only the policy-refresh process is a meaningful endpoint-side exclusion.
Filter/Exclusion: process.name != "gpupdate.exe"
Scenario: Third-Party Driver Installation via SCCM
Description: A System Center Configuration Manager (SCCM) task installs a third-party driver as part of a patching or imaging process. ccmexec.exe is the SCCM client agent on managed endpoints; smsexec.exe is the SMS Executive service, which runs only on site servers.
Filter/Exclusion: process.name != "ccmexec.exe" AND process.name != "smsexec.exe"
Scenario: Driver Signing Enforcement via PowerShell
Description: A script or PowerShell command is used to enforce driver signing policies, which may trigger driver installation events.
Filter/Exclusion: process.name != "powershell.exe" AND process.name != "certutil.exe"
Caveat: Excluding powershell.exe and certutil.exe wholesale creates a large blind spot, since both are routinely used for payload download and execution. Scope this exclusion to the specific signed script or command line that performs the policy change rather than to the host process.
Scenario: Legacy Driver Rollback via Device Manager
Description: An admin manually rolls back a driver using Device Manager, which can generate driver installation events. Device Manager (devmgmt.msc) is a snap-in hosted by mmc.exe, and the rollback itself is performed by the Driver Installation Module, drvinst.exe. setupapi is a library (setupapi.dll) and never appears as a process name.
Filter/Exclusion: process.name != "mmc.exe" AND process.name != "drvinst.exe"
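As an added example, not Trend Micro's code nor part of the original page, the following Python reimplements the rule's condition (MZ header plus two of four strings, ASCII or UTF-16LE, case-insensitive) over a few constructed byte strings, and contrasts the installer-process exclusion written with OR, which suppresses nothing, against the AND / NOT IN form. The sample blobs, process names and function names are assumptions for illustration; this does not replace a real YARA scan, it only makes visible what the condition and the filter actually evaluate.

```python
"""Walk-through of IronTiger_ChangePort_Toolkit_driversinstall match logic
and of the process-name exclusion. Added example; the byte strings below are
constructed for illustration and are not real malware samples."""

# The four $str* patterns from the rule, matched case-insensitively as
# ASCII and as UTF-16LE ("wide"), mirroring the `nocase wide ascii` modifiers.
PATTERNS = (
    "openmydoor",
    "Install service error",
    "start remove service",
    "NdisVersion",
)


def matched_strings(data: bytes) -> list:
    """Return the patterns present in `data` in either encoding, ignoring case."""
    haystack = data.lower()  # bytes.lower() folds ASCII letters only, like YARA nocase
    found = []
    for pattern in PATTERNS:
        ascii_form = pattern.encode("ascii").lower()
        wide_form = pattern.encode("utf-16-le").lower()  # NUL bytes are left untouched
        if ascii_form in haystack or wide_form in haystack:
            found.append(pattern)
    return found


def rule_matches(data: bytes) -> bool:
    """Equivalent of: uint16(0) == 0x5a4d and (2 of ($str*))."""
    # uint16(0) is read little-endian, so 0x5a4d is the two bytes b"MZ".
    if data[:2] != b"MZ":
        return False
    return len(matched_strings(data)) >= 2


def page_filter_keeps(process_name: str) -> bool:
    """Exclusion written with OR: a tautology, so every event is kept."""
    return process_name != "wusa.exe" or process_name != "dism.exe"


def fixed_filter_keeps(process_name: str) -> bool:
    """Corrected exclusion (AND / NOT IN): drop only the listed installers."""
    return process_name.lower() not in {"wusa.exe", "dism.exe"}


def triage(file_bytes: bytes, process_name: str, keep) -> str:
    """Combine the YARA verdict with a process-name exclusion policy."""
    if not rule_matches(file_bytes):
        return "no_match"
    return "alert" if keep(process_name) else "suppressed"


# --- constructed samples (assumed inputs, not real files) -------------------
PE_STUB = b"MZ" + b"\x00" * 62  # minimal DOS-header prefix

DROPPER = (
    PE_STUB
    + b"openmydoor\x00"                                  # $str1 as ASCII
    + "INSTALL SERVICE ERROR".encode("utf-16-le")        # $str2 as wide, other case
)
NDIS_ONLY = PE_STUB + b"NdisVersion\x00"                  # one string only: no match
SCRIPT = b"#!/bin/sh\necho openmydoor; start remove service\n"  # strings, but no MZ


if __name__ == "__main__":
    for name, blob in (("DROPPER", DROPPER), ("NDIS_ONLY", NDIS_ONLY), ("SCRIPT", SCRIPT)):
        print(f"{name:10s} match={rule_matches(blob)} strings={matched_strings(blob)}")
    for proc in ("wusa.exe", "rundll32.exe"):
        print(f"{proc:13s} OR-filter: {triage(DROPPER, proc, page_filter_keeps):10s} "
              f"AND-filter: {triage(DROPPER, proc, fixed_filter_keeps)}")
```

Running the script shows the OR-form filter raising an alert even for wusa.exe, while the corrected form suppresses it; the NDIS_ONLY blob illustrates why the 2-of-4 condition, not any single generic string, decides a match.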