The Iron Tiger HTTPBrowser dropper is likely being used to deliver payloads through browser-based HTTP requests, activity that can precede lateral movement or data exfiltration. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and contain early-stage malware activity before it leads to deeper network compromise.
YARA Rule
rule IronTiger_HTTPBrowser_Dropper
{
    meta:
        author = "Cyber Safety Solutions, Trend Micro"
        description = "Iron Tiger Malware - HTTPBrowser Dropper"
        reference = "http://goo.gl/T5fSJC"
    strings:
        $str1 = ".dllUT" nocase wide ascii
        $str2 = ".exeUT" nocase wide ascii
        $str3 = ".urlUT" nocase wide ascii
    condition:
        uint16(0) == 0x5a4d and (2 of ($str*))
}
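To show exactly what the rule above fires on, here is a pure-Python re-implementation of its logic (an added example, not Trend Micro's code or a yara-python wrapper): the MZ header check, the three `nocase wide ascii` atoms, and the "2 of" threshold, run over constructed sample buffers.

```python
import re

MZ_MAGIC = 0x5A4D  # uint16(0) read little-endian, i.e. the bytes b"MZ"

# The three atoms from $str1..$str3 in the rule.
RULE_STRINGS = {"$str1": ".dllUT", "$str2": ".exeUT", "$str3": ".urlUT"}


def _pattern(s: str) -> re.Pattern:
    """Regex equivalent of `nocase wide ascii`: ASCII or UTF-16LE form, case-insensitive."""
    ascii_form = re.escape(s.encode("ascii"))
    wide_form = re.escape(s.encode("utf-16-le"))  # letters interleaved with NUL bytes
    return re.compile(b"(?:" + ascii_form + b"|" + wide_form + b")", re.IGNORECASE)


def scan(data: bytes) -> dict:
    """Evaluate the rule on one buffer. Returns the verdict plus per-string offsets."""
    hits = {}
    for name, s in RULE_STRINGS.items():
        offsets = [m.start() for m in _pattern(s).finditer(data)]
        if offsets:
            hits[name] = offsets
    # Condition: uint16(0) == 0x5a4d and (2 of ($str*))
    is_mz = len(data) >= 2 and int.from_bytes(data[:2], "little") == MZ_MAGIC
    return {"match": is_mz and len(hits) >= 2, "mz": is_mz, "strings": hits}


# Constructed samples (not real malware). The "UT" suffix is the Info-ZIP extended
# timestamp extra-field ID that follows a file name in a ZIP local header, so a plain
# archive holding a .dll and a .exe carries $str1/$str2 too; the MZ check is what keeps
# such archives from matching, as SAMPLE_ZIP_ONLY shows.
SAMPLE_DROPPER = (b"MZ\x90\x00" + b"\x00" * 12 + b".dllUT" + b"\x00" * 4
                  + ".EXEut".encode("utf-16-le"))          # ascii + wide, mixed case
SAMPLE_ZIP_ONLY = b"PK\x03\x04" + b"payload.dllUT" + b"\x00" * 4 + b"loader.exeUT"
SAMPLE_SINGLE = b"MZ" + b"\x00" * 30 + b".urlUT"            # PE, but only one atom


if __name__ == "__main__":
    for label, buf in [("dropper", SAMPLE_DROPPER), ("zip-only", SAMPLE_ZIP_ONLY),
                       ("single", SAMPLE_SINGLE)]:
        print(label, scan(buf))
```

The per-string offsets let an analyst confirm which atoms fired on a given sample before promoting a hit to an incident.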
This YARA rule can be deployed in the following contexts:
This rule contains 3 string patterns in its detection logic.
Scenario: Legitimate Scheduled Job for Software Updates
Description: A scheduled task runs a script to download and install updates from a known internal or external repository.
Filter/Exclusion: Exclude traffic from known update servers (e.g., update.microsoft.com, artifactory.example.com) or filter by destination_ip matching internal update servers.
Scenario: Admin Performing Browser-Based Remote Desktop Connection
Description: An admin uses a browser to connect to a remote desktop session using a legitimate RDP tool via a web interface.
Filter/Exclusion: Exclude traffic from admin workstations (e.g., user-agent containing “Mozilla/5.0 (Windows NT 10.0; Win64; x64)”), or filter by source_ip matching admin workstations.
Scenario: Internal Tool for Browser Automation Testing
Description: A DevOps team uses a tool like Selenium or Puppeteer to automate browser interactions for testing web applications.
Filter/Exclusion: Exclude traffic from known testing environments (e.g., source_ip in 10.10.0.0/24), or filter by user-agent containing “Selenium” or “Puppeteer”.
Scenario: User Accessing a Phishing Simulation Page
Description: A user clicks on a phishing simulation link that redirects to a mock phishing page hosted internally.
Filter/Exclusion: Exclude traffic to internal phishing simulation domains (e.g., phishing-sim.example.com), or filter by destination_url containing “phishing-sim”.
Scenario: Legitimate Browser Extension Installation via Web Interface
Description: An IT admin installs a browser extension via a web portal (e.g., Chrome Web Store) as part of a security policy.
Filter/Exclusion: