Cyber Security News

Tropic Trooper Attacks Government Organizations to Steal Sensitive Data

Tropic Trooper (aka KeyBoy, Pirate Panda, and APT23) is a sophisticated cyberespionage APT group, and it has been active since 2011.

This APT group primarily targets government institutions, military agencies, healthcare, transportation, and high-tech industries in Taiwan, the Philippines, and Hong Kong.

Cybersecurity analysts at Kaspersky Lab recently discovered that Tropic Trooper has been actively attacking government organizations to steal sensitive data.

Technical analysis

In a December 2024 report, the Chinese-speaking threat actor Tropic Trooper was accused of carrying out a complex cyberespionage attack against a government agency in the Middle East.

The operation lasted from June 2023 and incorporated a variant of the China Chopper web shell which was newly developed along with the Crowdoor loader.

The attackers compromised the Umbraco CMS, which is based on .NET, to send out malicious malware to targets.

They carried out DLL search-order hijacking, which is a form of DLL loader that would load malicious DLL files such as “datast.dll” and “VERSION.dll” through the use of legitimate executables.

The attack chain was also extended to incorporate additional features such as Base64 encoding, RC4 obfuscation (key: ‘fYTUdr643$3u’), and JavaScript dynamic evaluation.

These threat actors had exploited CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207 issues in Microsoft Exchange as well as CVE-2023-26360 in Adobe ColdFusion.

Are You From SOC/DFIR Teams? - Try Advanced Malware and Phishing Analysis With ANY.RUN - 14 day free trial

Crowdoor has employed post-exploitation tools to facilitate lateral movement and the Crowdoor payload persisted through a Windows service called WinStore or the HKCU\Software\Microsoft\Windows\CurrentVersion\Run registry key.

The payload loaded into the colorcpl.exe process and established the C2 server, being an address “blog.techmersion[.]com” on port 443.

Here below we have mentioned all the tools used:-

  • Fscan
  • Swor
  • Neo-reGeorg
  • ByPassGodzilla

The attack showcased evolving tactics, including the use of future-dated timestamps like “May 26, 2027,” and the total development of malware variants, which illustrate final moves to use cyberwards against governmental agencies engaged in human rights-related works.

Tropic Trooper is possibly associated with FamousSparrow, targeted Middle Eastern government institutions and Malaysian government institutions using DLL search-order hijacking and features like RC4 key sharing loaders, China Chopper web shell with tools like Crowdoor and SparrowDoor, Kaspersky said.

Targets included the Centre for Middle Eastern Studies which publishes Israeli and Hamas conflict studies and operationalized post-exploitation tools such as Fscan in addition to other strategies that highlight the difference in operational skill sets across attack stages.

IoCs

IoCs (Source – Securelist)

What Does MITRE ATT&CK Expose About Your Enterprise Security? - Watch Free Webinar!

Tushar Subhra

Tushar is a Cyber security content editor with a passion for creating captivating and informative content. With years of experience under his belt in Cyber Security, he is covering Cyber Security News, technology and other news.

Recent Posts

Nigerian National Extradited to Nebraska for Wire Fraud Charges

United States Attorney Susan Lehr announced the extradition of Abiola Kayode, 37, from Nigeria to…

21 hours ago

Dell Security Update, Patch for Multiple Critical Vulnerabilities

Dell Technologies has released a security advisory addressing multiple critical vulnerabilities that could expose affected…

22 hours ago

CISA Issues 10 New Advisories on Industrial Control System Vulnerabilities

The Cybersecurity and Infrastructure Security Agency (CISA) has issued ten critical advisories, highlighting vulnerabilities across…

23 hours ago

FBI Seizes Rydox Marketplace, Arrests Key Administrators

The Federal Bureau of Investigation (FBI) announced the seizure of Rydox, an illicit online marketplace…

1 day ago

MITRE ATT&CK Evaluation Results 2024 – Cynet Became a Leader With 100% Detection & Protection

Across small-to-medium enterprises (SMEs) and managed service providers (MSPs), the top priority for cybersecurity leaders…

2 days ago

Antidot Malware Attacking Employees Android Devices To Inject Malicious Payloads

Researchers discovered a new variant of the AntiDot banking trojan targeting Android mobile devices through…

2 days ago