Iron Tiger Malware - PlugX DosEmulator

Hunt Hypothesis

The hypothesis is that the detection identifies potential Iron Tiger Malware activity through the use of PlugX DosEmulator, which may indicate adversary attempts to establish persistence or execute malicious payloads. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate early-stage malware infections before they escalate.

YARA Rule

rule IronTiger_PlugX_DosEmulator
{
   
    meta:
        author = "Cyber Safety Solutions, Trend Micro"
        description = "Iron Tiger Malware - PlugX DosEmulator"  
        reference = "http://goo.gl/T5fSJC"
   
    strings:
        $str1 = "Dos Emluator Ver" nocase wide ascii
        $str2 = "\\PIPE\\FASTDOS" nocase wide ascii
        $str3 = "FastDos.cpp" nocase wide ascii
        $str4 = "fail,error code = %d." nocase wide ascii
   
    condition:
        uint16(0) == 0x5a4d and (any of ($str*))
}

Deployment Notes

This YARA rule can be deployed in the following contexts:

• Microsoft Defender for Endpoint — Custom indicators / advanced hunting
• Email Gateway — Attachment scanning
• File Share Monitoring — Periodic scanning of shared drives
• YARA CLI — Manual threat hunting on endpoints

This rule contains 4 string patterns in its detection logic.

References

• http://goo.gl/T5fSJC
• Source Rule

False Positive Guidance

• Scenario: A system administrator is using Windows Task Scheduler to run a legitimate system maintenance script that includes a DosEmulator-like command for testing purposes.
  Filter/Exclusion: Check for Task Scheduler job names containing “Maintenance” or “SystemCheck” and exclude processes launched from the Task Scheduler UI.

• Scenario: A developer is using PowerShell to simulate a DOS environment for testing a legacy application compatibility.
  Filter/Exclusion: Filter out processes initiated from PowerShell scripts named “LegacyAppTest.ps1” or with the -Command parameter containing “simulate DOS”.

• Scenario: A security tool like OSSEC or Tripwire is performing a system integrity check and temporarily executes a DOS-like command to verify file hashes.
  Filter/Exclusion: Exclude processes with parent process names like ossec.exe, tripwire, or logcheck and filter by command lines containing “hashcheck” or “integrity”.

• Scenario: A database administrator is using SQL Server Agent Job to run a batch file that emulates a DOS environment for data migration testing.
  Filter/Exclusion: Exclude processes launched by sqlagent.exe and filter command lines containing “data_migration” or “test_migration”.

• Scenario: A system update or patching tool like Windows Update or Chocolatey runs a script that includes a DOS-like command for compatibility checks.
  Filter/Exclusion: Exclude processes with parent process names like wuauclt.exe, choco, or msiexec and filter command lines containing “compatibility” or “check”.