Friday, December 6, 2024
Homecyber securityTropic Trooper Attacks Government Organizations to Steal Sensitive Data

Tropic Trooper Attacks Government Organizations to Steal Sensitive Data

Published on

SIEM as a Service

Tropic Trooper (aka KeyBoy, Pirate Panda, and APT23) is a sophisticated cyberespionage APT group, and it has been active since 2011.

This APT group primarily targets government institutions, military agencies, healthcare, transportation, and high-tech industries in Taiwan, the Philippines, and Hong Kong.

Cybersecurity analysts at Kaspersky Lab recently discovered that Tropic Trooper has been actively attacking government organizations to steal sensitive data.

- Advertisement - SIEM as a Service

Technical analysis

In a December 2024 report, the Chinese-speaking threat actor Tropic Trooper was accused of carrying out a complex cyberespionage attack against a government agency in the Middle East.

The operation lasted from June 2023 and incorporated a variant of the China Chopper web shell which was newly developed along with the Crowdoor loader.

The attackers compromised the Umbraco CMS, which is based on .NET, to send out malicious malware to targets.

They carried out DLL search-order hijacking, which is a form of DLL loader that would load malicious DLL files such as “datast.dll” and “VERSION.dll” through the use of legitimate executables.

The attack chain was also extended to incorporate additional features such as Base64 encoding, RC4 obfuscation (key: ‘fYTUdr643$3u’), and JavaScript dynamic evaluation.

These threat actors had exploited CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207 issues in Microsoft Exchange as well as CVE-2023-26360 in Adobe ColdFusion.

Are You From SOC/DFIR Teams? - Try Advanced Malware and Phishing Analysis With ANY.RUN - 14 day free trial

Crowdoor has employed post-exploitation tools to facilitate lateral movement and the Crowdoor payload persisted through a Windows service called WinStore or the HKCU\Software\Microsoft\Windows\CurrentVersion\Run registry key.

The payload loaded into the colorcpl.exe process and established the C2 server, being an address “blog.techmersion[.]com” on port 443.

Here below we have mentioned all the tools used:-

  • Fscan
  • Swor
  • Neo-reGeorg
  • ByPassGodzilla

The attack showcased evolving tactics, including the use of future-dated timestamps like “May 26, 2027,” and the total development of malware variants, which illustrate final moves to use cyberwards against governmental agencies engaged in human rights-related works.

Tropic Trooper is possibly associated with FamousSparrow, targeted Middle Eastern government institutions and Malaysian government institutions using DLL search-order hijacking and features like RC4 key sharing loaders, China Chopper web shell with tools like Crowdoor and SparrowDoor, Kaspersky said.

Targets included the Centre for Middle Eastern Studies which publishes Israeli and Hamas conflict studies and operationalized post-exploitation tools such as Fscan in addition to other strategies that highlight the difference in operational skill sets across attack stages.

IoCs

IoCs (Source - Securelist)
IoCs (Source – Securelist)

What Does MITRE ATT&CK Expose About Your Enterprise Security? - Watch Free Webinar!

Tushar Subhra
Tushar Subhra
Tushar is a Cyber security content editor with a passion for creating captivating and informative content. With years of experience under his belt in Cyber Security, he is covering Cyber Security News, technology and other news.

Latest articles

Top Five Industries Most Frequently Targeted by Phishing Attacks

Researchers analyzed phishing attacks from Q3 2023 to Q3 2024 and identified the top...

Russian BlueAlpha APT Exploits Cloudflare Tunnels to Distribute Custom Malware

BlueAlpha, a Russian state-sponsored group, is actively targeting Ukrainian individuals and organizations by using...

Russian Hackers Hijacked Pakistani Actor Servers For C2 Communication

Secret Blizzard, a Russian threat actor, has infiltrated 33 command-and-control (C2) servers belonging to...

Sophisticated Celestial Stealer Targets Browsers to Steal Login Credentials

Researchers discovered Celestial Stealer, a JavaScript-based MaaS infostealer targeting Windows systems that, evading detection...

API Security Webinar

72 Hours to Audit-Ready API Security

APIs present a unique challenge in this landscape, as risk assessment and mitigation are often hindered by incomplete API inventories and insufficient documentation.

Join Vivek Gopalan, VP of Products at Indusface, in this insightful webinar as he unveils a practical framework for discovering, assessing, and addressing open API vulnerabilities within just 72 hours.

Discussion points

API Discovery: Techniques to identify and map your public APIs comprehensively.
Vulnerability Scanning: Best practices for API vulnerability analysis and penetration testing.
Clean Reporting: Steps to generate a clean, audit-ready vulnerability report within 72 hours.

More like this

Top Five Industries Most Frequently Targeted by Phishing Attacks

Researchers analyzed phishing attacks from Q3 2023 to Q3 2024 and identified the top...

Russian BlueAlpha APT Exploits Cloudflare Tunnels to Distribute Custom Malware

BlueAlpha, a Russian state-sponsored group, is actively targeting Ukrainian individuals and organizations by using...

Russian Hackers Hijacked Pakistani Actor Servers For C2 Communication

Secret Blizzard, a Russian threat actor, has infiltrated 33 command-and-control (C2) servers belonging to...