Security experts identified a new cyber espionage campaign by the Chinese state-sponsored Advanced Persistent Threat (APT) group “Tropic Trooper” targeting the transportation, health care, and government sectors across Hong Kong, the Philippines, and Taiwan. Also known as Earth Centaur and KeyBoy, the Tropic Trooper operators have been active since 2011, conducting various kinds of cyber campaigns.
According to a report from Trend Micro, the group managed to access internal documents such as flight schedules and financial plan details, as well as other personal information, on the compromised hosts.
Tropic Trooper’s Capabilities
- Proficient at red team work
- Bypasses security settings and keeps its operations unobtrusive
- Uses backdoors with different protocols, such as a reverse proxy, to bypass the monitoring of network security systems
- Leverages open-source frameworks to develop new backdoor variants
“We believe that it will continue collecting internal information from the compromised victims and that it is simply waiting for an opportunity to use this data. The activities we observed are just the tip of the iceberg, and their targets might be expanded to other industries that are related to transportation. It is our aim, through this article, to encourage enterprises to review their own security setting and protect themselves from damage and compromise,” Trend Micro said.
Tropic Trooper’s Attack Vector
Tropic Trooper initially exploited vulnerabilities in Internet Information Services (IIS) and Exchange servers as entry points. The attackers then deployed web shells, a .NET loader (Nerapack), and a first-stage backdoor (the Quasar remote administration tool, aka Quasar RAT) on the compromised machine. Depending on the victim, the actors installed various second-stage backdoors such as ChiserClient and SmileSvr.
After successful exploitation, Tropic Trooper started Active Directory (AD) discovery and spread their tools via Server Message Block (SMB). Then they used intranet penetration tools to build a connection between the victim’s intranet and their command-and-control (C&C) servers. In addition, the group reportedly used multiple tools to dump credentials on compromised machines.
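As an added defender-side illustration (not code from the report or from Trend Micro), the script below maps constructed endpoint events onto the stages of the intrusion chain described above (IIS web shell execution, AD discovery, SMB spread, credential dumping) and flags hosts where several stages line up; the log format, host names, paths and regexes are all assumptions.

```python
"""Correlate stages of the intrusion chain described above across constructed
endpoint events and flag hosts that exhibit several stages."""
import re
from collections import defaultdict

# One illustrative pattern per stage. These are assumptions written for the
# constructed log format below, not indicators taken from the report.
STAGE_PATTERNS = [
    ("web_shell_exec", re.compile(r"type=proc parent=w3wp\.exe image=(cmd|powershell)\.exe", re.I)),
    ("ad_discovery",   re.compile(r"type=proc .*image=(nltest|dsquery|net)\.exe cmdline=\".*domain", re.I)),
    ("smb_lateral",    re.compile(r"type=file .*path=\\\\[^\\]+\\(ADMIN|C)\$\\", re.I)),
    ("cred_dump",      re.compile(r"type=access .*target=lsass\.exe", re.I)),
]

def classify(event: str):
    """Return the chain stage an event line matches, or None if it matches none."""
    for stage, pattern in STAGE_PATTERNS:
        if pattern.search(event):
            return stage
    return None

def correlate(events, min_stages=2):
    """Collect matched stages per host and return {host: sorted stages}
    for hosts showing at least min_stages distinct stages of the chain."""
    seen = defaultdict(set)
    for line in events:
        host = re.match(r"host=(\S+) ", line)
        stage = classify(line)
        if host and stage:
            seen[host.group(1)].add(stage)
    return {h: sorted(s) for h, s in seen.items() if len(s) >= min_stages}

# Constructed sample events (hypothetical hosts, binaries and paths).
SAMPLE_EVENTS = [
    'host=web01 type=proc parent=w3wp.exe image=cmd.exe cmdline="cmd.exe /c whoami"',
    'host=web01 type=proc parent=cmd.exe image=net.exe cmdline="net user /domain"',
    'host=web01 type=file image=cmd.exe path=\\\\fs02\\ADMIN$\\svc.exe',
    'host=fs02 type=access image=svc.exe target=lsass.exe rights=0x1010',
    'host=hr03 type=proc parent=explorer.exe image=cmd.exe cmdline="cmd.exe /c dir"',
]

if __name__ == "__main__":
    for host, stages in correlate(SAMPLE_EVENTS).items():
        print(f"{host}: {', '.join(stages)}")
```

A single matching event (such as the lsass access on fs02) is not enough on its own to flag a host; raising or lowering `min_stages` trades alert volume for earlier warning.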
“After successfully exploiting the vulnerable system, the threat actor will use multiple hacking tools to discover and compromise machines on the victim’s intranet. We also observed attempts to deploy tools to exfiltrate stolen information in this stage. We found evidence of specific tools by which the attackers accomplish their goals (network discovery, access to the intranet, and exfiltration) step by step,” Trend Micro added.
Chinese Hackers Targeting Power Sector
In the recent past, security researchers at Recorded Future found a China-linked threat actor group, dubbed RedEcho, targeting 12 Indian organizations, 10 of which were in the power sector. The researchers uncovered a subset of the servers that share familiar tactics, techniques, and procedures (TTPs) with several previously reported Chinese state-sponsored groups.