Tmanger is a Remote Access Trojan (RAT) tool used in attacks carried out by the Advanced Persistent Threat (APT) group known as TA428. The malware threat was first observed when deployed against targets in Japan, but it can easily be transferred to infect entities from Mongolia, the original target of the TA428 group, or Vietnam, a member of the Belt and Road initiative. The name of the threat - Tmanger, may be a mistyped version of Tmanager, a conjecture supported by several mistyped strings found in the underlying code of the trojan.
Tmanger is comprised of three different parts, but they all share certain identical behavior and functions. The names of the components are SetUp, MloadDll, and Client. The SetUp file is the first to be executed and its tasked with establishing the persistence mechanism for the threat. Before that, however, it creates a specific event name through CreateEvent, a behavior also found in MloadDll and Client. The most likely purpose is to prevent multiple boots of the threat from running simultaneously. SetUp then checks if it has Admin privileges and decides which persistence mechanism to use based on the outcome. If it is Admin, it proceeds to decode several character strings used to register as a service a DLL file created in System32, after which it executes the service. If SetUp doesn't have Admin permissions, it performs a check for a file named Rahoto.exe in the Temp folder. Upon determining that such a file doesn't exist, it copies itself to that location while also changing its name to Rahoto.exe. By using CurrentVersion\Run in the registry, it sets an autostart functionality.
MloadDll is responsible for carrying in an encoded form the C & C server address and port number. It also deploys and executes the main component of Tmanger - Client. The Client component begins its data harvesting operation by obtaining certain system details, including Host, Drive, and the user information, as well as OS and architecture data. If a successful connection with the Command-and-Control (C2, C&C) infrastructure has been established, Tmanger begins to listen for any inbound commands from the hackers. Its functionality encompasses threatening actions such as file manipulations, exfiltration of files, launching specific processes, taking screenshots, obtaining key logs, and others. The traffic between Tmanger and its C2 servers is RC4 encrypted.
The Tmanger RAT threat is under active development, evidenced by the release of several versions within a relatively short period. TA428 could further expand its set of threatening activities and equip it with additional functions to better suit their agenda.