The Iron Tiger Malware - GTalk Trojan is likely being used to establish covert communication channels and exfiltrate data through compromised Azure environments. SOC teams should proactively hunt for this behavior to identify and mitigate potential data breaches and lateral movement attempts.
YARA Rule

rule IronTiger_GTalk_Trojan
{
    meta:
        author = "Cyber Safety Solutions, Trend Micro"
        description = "Iron Tiger Malware - GTalk Trojan"
        reference = "http://goo.gl/T5fSJC"
    strings:
        $str1 = "gtalklite.com" nocase wide ascii
        $str2 = "computer=%s&lanip=%s&uid=%s&os=%s&data=%s" nocase wide ascii
        $str3 = "D13idmAdm" nocase wide ascii
        $str4 = "Error: PeekNamedPipe failed with %i" nocase wide ascii
    condition:
        uint16(0) == 0x5a4d and (2 of ($str*))
}
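To make the rule's condition concrete, the following Python is an added example (not part of the Trend Micro rule or this page) that re-implements its matching logic without the yara library: the MZ header check (uint16(0) == 0x5a4d, little-endian), case-insensitive matching of each string in both ASCII and UTF-16LE ("wide") form, and the "2 of ($str*)" count over distinct string identifiers. The three sample buffers are constructed for the example and are not real samples.

```python
import re

# The four strings from the Trend Micro rule; every one carries nocase/wide/ascii.
RULE_STRINGS = {
    "$str1": "gtalklite.com",
    "$str2": "computer=%s&lanip=%s&uid=%s&os=%s&data=%s",
    "$str3": "D13idmAdm",
    "$str4": "Error: PeekNamedPipe failed with %i",
}


def _patterns(text):
    """Compile the ASCII and UTF-16LE forms of one rule string.

    re.IGNORECASE on bytes folds only ASCII letters, which is exactly what
    YARA's nocase does; the interleaved NUL bytes of the wide form are
    unaffected, so the wide pattern never matches plain ASCII data.
    """
    ascii_pat = re.compile(re.escape(text.encode("ascii")), re.IGNORECASE)
    wide_pat = re.compile(re.escape(text.encode("utf-16-le")), re.IGNORECASE)
    return ascii_pat, wide_pat


def scan(data: bytes) -> dict:
    """Evaluate the rule on a byte buffer.

    Returns the verdict plus, per string id, the (offset, encoding) of each
    hit, similar to what `yara -s` prints for a matching file.
    """
    hits = {}
    for sid, text in RULE_STRINGS.items():
        ascii_pat, wide_pat = _patterns(text)
        found = [(m.start(), "ascii") for m in ascii_pat.finditer(data)]
        found += [(m.start(), "wide") for m in wide_pat.finditer(data)]
        if found:
            hits[sid] = sorted(found)
    # uint16(0) == 0x5a4d: the first two bytes are "MZ" (0x4d 0x5a, little-endian).
    is_pe = len(data) >= 2 and data[:2] == b"MZ"
    # "2 of ($str*)" counts distinct strings with at least one hit, not total hits.
    return {"match": is_pe and len(hits) >= 2, "is_pe": is_pe, "hits": hits}


# Constructed sample buffers (not real malware).
# A fake PE carrying two strings, one of them upper-case and UTF-16LE encoded:
SAMPLE_PE_TWO_STRINGS = (
    b"MZ" + b"\x00" * 62
    + "GTALKLITE.COM".encode("utf-16-le")          # $str1, wide, at offset 64
    + b"\x00" * 8
    + b"Error: PeekNamedPipe failed with %i\x00"   # $str4, ascii, at offset 98
)
# A fake PE with only one string: below the "2 of" threshold.
SAMPLE_PE_ONE_STRING = b"MZ" + b"\x00" * 62 + b"D13idmAdm\x00"
# A plain text file with two strings but no MZ header: the condition's first clause fails.
SAMPLE_TEXT_FILE = b"gtalklite.com D13idmAdm"


if __name__ == "__main__":
    for label, buf in [("pe/2 strings", SAMPLE_PE_TWO_STRINGS),
                       ("pe/1 string", SAMPLE_PE_ONE_STRING),
                       ("text file", SAMPLE_TEXT_FILE)]:
        result = scan(buf)
        print(f"{label:14} match={result['match']!s:5} hits={result['hits']}")
```

The text-file case is the one to keep in mind when triaging: a configuration dump, a log, or a report PDF that merely mentions these strings does not satisfy the condition, and a real hit therefore points at an executable (or a memory region carrying one), which is what the rule was written to find.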
The rule's detection logic is built from 4 string patterns and applies only to PE files: the condition requires the MZ header (uint16(0) == 0x5a4d) and at least two of the four strings, each matched case-insensitively in both ASCII and UTF-16LE (wide) form. The scenarios below describe contexts in which a hit may be benign and how to tune exclusions for them.
Scenario: System Maintenance Scheduled Task
Description: A legitimate scheduled task is running a script that uses gTalk-related API calls (e.g., Google Talk integration for internal communication tools).
Filter/Exclusion: Exclude tasks associated with Task Scheduler and containing msiexec, schtasks, or powershell.exe with known legitimate script paths (e.g., C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe).
Scenario: Admin Using Google Talk for Internal Communication
Description: An administrator is using Google Talk (via Google Workspace) for internal team communication, which may trigger the rule due to API interactions.
Filter/Exclusion: Exclude processes related to google-talk or google-chrome with user context matching known admin accounts, or filter by user field matching internal admin accounts.
Scenario: Backup Job Using Google Drive API
Description: A backup job is using the Google Drive API to store backups, which may include gTalk-related API calls.
Filter/Exclusion: Exclude processes involving google-drive or gdrive and filter by process.name or process.path that match known backup tools (e.g., Veeam, Commvault, Duplicati).
Scenario: System Update Using Google Services
Description: A system update or patching process is using Google services for metadata or update checks, which could trigger the rule.
Filter/Exclusion: Exclude processes related to Windows Update, WSUS, or Google Update Service (e.g., GoogleUpdate.exe), and filter by process.name or process.path.
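The scenarios above all reduce to the same tuning pattern: suppress a hit when the process path, process name or user context is one the environment already trusts. The following Python is an added example (not from this page or from Trend Micro) of such an exclusion layer applied to constructed alert records. The allowlisted paths, the admin account and the backup-tool and updater process names are hypothetical placeholders standing in for an organisation's own inventory. The example deliberately keys the path exclusion on the normalised full path rather than the file name, so a binary merely named powershell.exe in an unexpected directory is not suppressed.

```python
import ntpath

# Hypothetical allowlist built from the scenarios: full paths, normalised and lower-cased.
ALLOWLISTED_PATHS = {
    ntpath.normpath(p).lower() for p in [
        r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",  # from the page
        r"C:\Program Files (x86)\Google\Update\GoogleUpdate.exe",      # assumed default
    ]
}
# Hypothetical placeholders for the "known admin accounts" and backup tools scenarios.
ADMIN_ACCOUNTS = {r"corp\itadmin"}
BACKUP_TOOL_NAMES = {"veeam", "commvault", "duplicati"}
CHAT_PROCESS_TOKENS = ("google-talk", "google-chrome")


def normalize_path(path: str) -> str:
    """Collapse '..' segments, unify separators and fold case the way NTFS does."""
    return ntpath.normpath(path).lower() if path else ""


def should_suppress(alert: dict) -> tuple:
    """Decide whether an alert is covered by one of the documented exclusions.

    Returns (suppress, reason). Order matters: the full-path check runs first
    because it is the strongest evidence; name-only checks are weaker and are
    only trusted in combination with a second attribute (user or tool family).
    """
    name = alert.get("process.name", "").lower()
    path = normalize_path(alert.get("process.path", ""))
    user = alert.get("user", "").lower()

    # Scenarios 1 and 4: known-good binary at its expected full path.
    if path in ALLOWLISTED_PATHS:
        return True, "allowlisted full path"
    # Scenario 2: chat client, but only when run by a known admin account.
    if any(tok in name for tok in CHAT_PROCESS_TOKENS) and user in ADMIN_ACCOUNTS:
        return True, "chat client under admin account"
    # Scenario 3: backup tooling identified by name or path.
    if any(tool in name or tool in path for tool in BACKUP_TOOL_NAMES):
        return True, "known backup tool"
    return False, "no exclusion matched"


def triage(alerts: list) -> list:
    """Run every alert through the exclusions and return (id, suppress, reason)."""
    return [(a["id"],) + should_suppress(a) for a in alerts]


# Constructed alert records, not real telemetry.
SAMPLE_ALERTS = [
    {"id": 1, "process.name": "powershell.exe",
     "process.path": r"C:\WINDOWS\system32\WindowsPowerShell\v1.0\powershell.exe",
     "user": r"corp\svc-maint"},
    {"id": 2, "process.name": "powershell.exe",          # same name, wrong location
     "process.path": r"C:\Users\Public\powershell.exe",
     "user": r"corp\svc-maint"},
    {"id": 3, "process.name": "google-talk.exe",
     "process.path": r"C:\Program Files\Google\Talk\google-talk.exe",
     "user": r"corp\itadmin"},
    {"id": 4, "process.name": "google-talk.exe",         # same client, ordinary user
     "process.path": r"C:\Program Files\Google\Talk\google-talk.exe",
     "user": r"corp\jdoe"},
    {"id": 5, "process.name": "VeeamAgent.exe",
     "process.path": r"C:\Program Files\Veeam\Endpoint Backup\VeeamAgent.exe",
     "user": "nt authority\\system"},
]

if __name__ == "__main__":
    for alert_id, suppress, reason in triage(SAMPLE_ALERTS):
        print(f"alert {alert_id}: {'suppress' if suppress else 'ALERT   '}  ({reason})")
```

Alerts 2 and 4 survive the filter on purpose: the first because a differently located powershell.exe is exactly the case a name-only exclusion would hide, the second because the chat-client exclusion is scoped to the admin accounts the scenario names, not to every user.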
Scenario: Third-Party Monitoring Tool Integration
Description: A third-party monitoring or security tool is