Saturday, September 7, 2024
Homecyber securityTropic Trooper Attacks Government Organizations to Steal Sensitive Data

Tropic Trooper Attacks Government Organizations to Steal Sensitive Data

Published on

Tropic Trooper (aka KeyBoy, Pirate Panda, and APT23) is a sophisticated cyberespionage APT group, and it has been active since 2011.

This APT group primarily targets government institutions, military agencies, healthcare, transportation, and high-tech industries in Taiwan, the Philippines, and Hong Kong.

Cybersecurity analysts at Kaspersky Lab recently discovered that Tropic Trooper has been actively attacking government organizations to steal sensitive data.

- Advertisement - EHA

Technical analysis

In a December 2024 report, the Chinese-speaking threat actor Tropic Trooper was accused of carrying out a complex cyberespionage attack against a government agency in the Middle East.

The operation lasted from June 2023 and incorporated a variant of the China Chopper web shell which was newly developed along with the Crowdoor loader.

The attackers compromised the Umbraco CMS, which is based on .NET, to send out malicious malware to targets.

They carried out DLL search-order hijacking, which is a form of DLL loader that would load malicious DLL files such as “datast.dll” and “VERSION.dll” through the use of legitimate executables.

The attack chain was also extended to incorporate additional features such as Base64 encoding, RC4 obfuscation (key: ‘fYTUdr643$3u’), and JavaScript dynamic evaluation.

These threat actors had exploited CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207 issues in Microsoft Exchange as well as CVE-2023-26360 in Adobe ColdFusion.

Are You From SOC/DFIR Teams? - Try Advanced Malware and Phishing Analysis With ANY.RUN - 14 day free trial

Crowdoor has employed post-exploitation tools to facilitate lateral movement and the Crowdoor payload persisted through a Windows service called WinStore or the HKCU\Software\Microsoft\Windows\CurrentVersion\Run registry key.

The payload loaded into the colorcpl.exe process and established the C2 server, being an address “blog.techmersion[.]com” on port 443.

Here below we have mentioned all the tools used:-

  • Fscan
  • Swor
  • Neo-reGeorg
  • ByPassGodzilla

The attack showcased evolving tactics, including the use of future-dated timestamps like “May 26, 2027,” and the total development of malware variants, which illustrate final moves to use cyberwards against governmental agencies engaged in human rights-related works.

Tropic Trooper is possibly associated with FamousSparrow, targeted Middle Eastern government institutions and Malaysian government institutions using DLL search-order hijacking and features like RC4 key sharing loaders, China Chopper web shell with tools like Crowdoor and SparrowDoor, Kaspersky said.

Targets included the Centre for Middle Eastern Studies which publishes Israeli and Hamas conflict studies and operationalized post-exploitation tools such as Fscan in addition to other strategies that highlight the difference in operational skill sets across attack stages.

IoCs

IoCs (Source - Securelist)
IoCs (Source – Securelist)

What Does MITRE ATT&CK Expose About Your Enterprise Security? - Watch Free Webinar!

Tushar Subhra
Tushar Subhra
Tushar is a Cyber security content editor with a passion for creating captivating and informative content. With years of experience under his belt in Cyber Security, he is covering Cyber Security News, technology and other news.

Latest articles

BBTok Abuses Legitimate Windows Utility Command Tool to Stay Undetected

Cybercriminals in Latin America have increased their use of phishing scams targeting business transactions...

Predator Spyware Exploiting “one-click” & “zero-click” Flaws

Recent research indicates that the Predator spyware, once thought to be inactive due to...

NoiseAttack is a Novel Backdoor That Uses Power Spectral Density For Evasion

NoiseAttack is a new method of secretly attacking deep learning models. It uses triggers...

Fog Ransomware Now Targeting the Financial Sector; Adlumin Thwarts Attack

The Fog Ransomware group, known for targeting education and recreation sectors, has expanded its...

Free Webinar

Decoding Compliance | What CISOs Need to Know

Non-compliance can result in substantial financial penalties, with average fines reaching up to $4.5 million for GDPR breaches alone.

Join us for an insightful panel discussion with Chandan Pani, CISO - LTIMindtree and Ashish Tandon, Founder & CEO – Indusface, as we explore the multifaceted role of compliance in securing modern enterprises.

Discussion points

The Role of Compliance
The Alphabet Soup of Compliance
Compliance
SaaS and Compliance
Indusface's Approach to Compliance

More like this

BBTok Abuses Legitimate Windows Utility Command Tool to Stay Undetected

Cybercriminals in Latin America have increased their use of phishing scams targeting business transactions...

Predator Spyware Exploiting “one-click” & “zero-click” Flaws

Recent research indicates that the Predator spyware, once thought to be inactive due to...

NoiseAttack is a Novel Backdoor That Uses Power Spectral Density For Evasion

NoiseAttack is a new method of secretly attacking deep learning models. It uses triggers...