Kaspersky experts have identified a new campaign of the group.
Kaspersky GReAT experts have discovered that the Tropic Trooper APT group has stepped up its attacks in 2024, targeting government entities in the Middle East. Tropic Trooper, also known as KeyBoy and Pirate Panda, has been active since 2011, and has previously targeted government and high-tech organizations in Taiwan, the Philippines, and Hong Kong. However, a new investigation has revealed that since June 2023, the group has been waging relentless campaigns against one of the state's human rights institutions.
The first activity was recorded in June 2024, when security systems detected new versions of the China Chopper web shell on a public web server running the C#-based Umbraco content management system. This web shell is actively used by cybercriminals to control servers remotely, and its presence on the servers of government agencies has raised serious concerns.
After identifying the web shell, experts found other malware associated with this attack, including post-exploitation tools designed to scan the network, bypass security measures, and move laterally across it. One of the key findings was the identification of malicious loaders that abuse DLL search-order hijacking to gain a foothold on victims' computers. These loaders launched a more threatening piece of malware called Crowdoor.
Notably, the first version of the Crowdoor loader was blocked, forcing the hackers to adapt their methods and switch to a new version previously unknown to cybersecurity specialists. Despite this, experts attributed the attack to the Tropic Trooper group with a high degree of confidence, based on the overlap in methods, tools, and code with the group's previously identified campaigns.
How the attack unfolded
The main target of the attack was the Umbraco content management system. The initial malicious web shell, embedded in one of the Umbraco modules, was used to execute commands sent through the CMS controller. The hackers compiled the shell as a .NET module for Umbraco CMS, which allowed them to pass commands covertly through the content management system.

After successfully injecting the web shell, the attackers began downloading additional malware to the compromised server. Among them were network scanning tools such as Fscan and Swor, as well as open proxy tools designed to bypass network security measures.
The hackers used exploits for the Microsoft Exchange vulnerabilities CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207, as well as CVE-2023-26360 in Adobe ColdFusion. These vulnerabilities remained unpatched on the servers, giving the attackers the opportunity to infiltrate the systems and gain a foothold using web shells.
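A web shell of the kind described above, once compiled into a CMS module, leaves a characteristic trace in the web server's access log: a server-side script path that is driven only by POST requests, from a small set of clients, with no authenticated session, while genuine application endpoints also see GETs or logged-in users. The following is an added example of that detection heuristic over IIS W3C log lines; it is not code from the Kaspersky report. The log lines, the client addresses, the `cache.aspx` path and the `#Fields` layout are all constructed assumptions about the server's logging configuration.

```python
"""
Added example, not code from the Kaspersky report: a heuristic pass over
IIS W3C log lines that surfaces script paths behaving like a China
Chopper-style web shell dropped into a CMS web root. Such a shell is
typically driven purely by POST requests from a small set of clients
with no authenticated session, while ordinary application endpoints
also receive GETs or authenticated traffic. The log lines below are
constructed, and the field layout (the #Fields directive) is an
assumption about how the server's logging is configured.
"""
from typing import Dict, Iterator, List

# Constructed sample; the 203.0.113.7 client and the cache.aspx path are invented.
SAMPLE_IIS_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2024-06-03 08:00:01 10.0.0.5 GET /umbraco/ - 443 admin 10.0.0.20 Mozilla/5.0 200
2024-06-03 08:00:09 10.0.0.5 GET /media/1001/report.pdf - 443 - 10.0.0.21 Mozilla/5.0 200
2024-06-03 08:02:10 10.0.0.5 POST /contact/submit.ashx - 443 - 198.51.100.4 Mozilla/5.0 200
2024-06-03 08:03:44 10.0.0.5 POST /contact/submit.ashx - 443 - 198.51.100.9 Mozilla/5.0 200
2024-06-03 08:05:02 10.0.0.5 POST /contact/submit.ashx - 443 - 198.51.100.31 Mozilla/5.0 200
2024-06-03 08:07:15 10.0.0.5 GET /admin/tools.aspx - 443 admin 10.0.0.20 Mozilla/5.0 200
2024-06-03 08:07:40 10.0.0.5 POST /admin/tools.aspx action=rebuild 443 admin 10.0.0.20 Mozilla/5.0 200
2024-06-03 08:10:30 10.0.0.5 POST /umbraco/views/partials/cache.aspx - 443 - 203.0.113.7 python-requests/2.31 200
2024-06-03 08:10:31 10.0.0.5 POST /umbraco/views/partials/cache.aspx - 443 - 203.0.113.7 python-requests/2.31 200
2024-06-03 08:12:12 10.0.0.5 POST /umbraco/views/partials/cache.aspx - 443 - 203.0.113.7 python-requests/2.31 200
2024-06-03 08:13:00 10.0.0.5 GET
"""

# Extensions that execute server-side; a dropped web shell needs one of these.
SCRIPT_EXTENSIONS = (".aspx", ".ashx", ".asmx", ".asp", ".php", ".jsp")


def parse_iis_lines(text: str) -> Iterator[Dict[str, str]]:
    """Yield one dict per data line, keyed by the names in the #Fields directive."""
    fields: List[str] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#"):
            continue  # other directives (#Software, #Date, ...)
        parts = line.split()
        if not fields or len(parts) != len(fields):
            continue  # truncated or malformed line: skip rather than mis-assign columns
        yield dict(zip(fields, parts))


def profile_script_paths(records) -> Dict[str, dict]:
    """Aggregate per-path behaviour for server-side script paths only."""
    stats: Dict[str, dict] = {}
    for rec in records:
        stem = rec["cs-uri-stem"].lower()
        if not stem.endswith(SCRIPT_EXTENSIONS):
            continue
        s = stats.setdefault(stem, {"methods": set(), "clients": set(),
                                    "agents": set(), "hits": 0, "authed": 0})
        s["methods"].add(rec["cs-method"].upper())
        s["clients"].add(rec["c-ip"])
        s["agents"].add(rec["cs(User-Agent)"])
        s["hits"] += 1
        if rec["cs-username"] != "-":
            s["authed"] += 1
    return stats


def find_webshell_candidates(log_text: str, max_clients: int = 2) -> List[dict]:
    """Flag script paths that are POST-only, never authenticated and used by few clients."""
    candidates = []
    for stem, s in profile_script_paths(parse_iis_lines(log_text)).items():
        post_only = s["methods"] == {"POST"}
        unauthenticated = s["authed"] == 0
        few_clients = len(s["clients"]) <= max_clients
        if post_only and unauthenticated and few_clients:
            candidates.append({"path": stem, "hits": s["hits"],
                               "clients": sorted(s["clients"]),
                               "agents": sorted(s["agents"])})
    return sorted(candidates, key=lambda c: c["path"])


if __name__ == "__main__":
    for c in find_webshell_candidates(SAMPLE_IIS_LOG):
        print(f"{c['path']}: {c['hits']} POSTs from {c['clients']} using {c['agents']}")
```

On the sample, only `cache.aspx` is flagged: the contact form is POST-only too, but is used by more clients than `max_clients`, and the admin tool is reached over GET by an authenticated user. The threshold is a tuning knob; a shell driven through a single proxy will look like one client, and a shell behind a load balancer may need the per-client count taken from `X-Forwarded-For` instead of `c-ip`. A hit is a lead, not a verdict: the next step is to compare the flagged file's creation time and module registration against the CMS deployment history.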
Motives and methods of attack
Tropic Trooper is distinguished by its extensive use of open-source tools developed by Chinese developers. For example, Fscan, a vulnerability scanning utility, is actively used by the hackers to collect information about victims' internal networks and to identify security weaknesses. In one of the scripts found on the compromised server, the hackers used ICMP to check which machines on the network were reachable.

Another important tool, Swor, is widely used to carry out attacks using Mimikatz and other utilities that provide remote access to the system. These tools have already been used in attacks on government institutions in Malaysia, which confirms the general vector of Tropic Trooper attacks: penetration of government agencies and data theft.
Another feature of the group's work was the use of encrypted web shells, hidden from detection systems thanks to the ByPassGodzilla ransomware. This software is used to obfuscate malicious code, which makes it much more difficult to identify.
Technical aspects
One of the key techniques employed by Tropic Trooper is loading malicious DLL files through legitimate executables that are vulnerable to DLL search-order hijacking. In this case, the hackers used two files, datast.dll and VERSION.dll, which loaded malicious code into the system. These files were injected into legitimate processes such as msiexec.exe, after which the next stage of malicious code was injected.

The discovery of these DLL files made it possible to link the attack to Tropic Trooper because of the similarity of the methods and the use of the same RC4 key for data encryption. This key had already been used in previous attacks by the group, which confirms their involvement in the current incident.
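The side-loading layout described above is easy to audit for on a collected file inventory: a DLL sitting beside an application executable whose name collides with a library that normally resolves from the Windows system directory (VERSION.dll is one such library), or whose name matches a loader the report names (datast.dll). The following is an added example of that check; it is not code from the Kaspersky report. It works on a plain list of paths so it runs offline; the sample listing is constructed, and every entry in `SYSTEM_DLL_NAMES` other than `version.dll` is an illustrative assumption rather than an exhaustive list.

```python
"""
Added example, not code from the Kaspersky report: an audit of a file
inventory for DLL side-loading layouts, i.e. a DLL beside an executable
whose name collides with a library normally resolved from the Windows
system directory, or whose name matches one of the loaders named in the
report (datast.dll, VERSION.dll). It works on a plain list of paths so it
can run offline over a collected listing; the listing below is constructed,
and SYSTEM_DLL_NAMES beyond version.dll is an illustrative assumption.
"""
from pathlib import PureWindowsPath
from typing import Iterable, List, Tuple

REPORT_LOADER_NAMES = {"datast.dll", "version.dll"}  # file names from the report
# Libraries that legitimately live in System32; a same-named copy beside an
# application executable is the classic search-order hijacking layout.
# Entries other than version.dll are assumptions for illustration.
SYSTEM_DLL_NAMES = {"version.dll", "dbghelp.dll", "wtsapi32.dll", "cryptsp.dll", "userenv.dll"}
SYSTEM_DIRS = ("c:\\windows\\system32", "c:\\windows\\syswow64")

# Constructed listing; paths and names other than those above are invented.
SAMPLE_LISTING = [
    r"C:\Windows\System32\version.dll",           # legitimate copy, ignored
    r"C:\Windows\System32\msiexec.exe",
    r"C:\Program Files\Vendor\App\app.exe",
    r"C:\Program Files\Vendor\App\app.dll",        # ordinary private DLL, not flagged
    r"C:\Users\Public\Libraries\updater.exe",
    r"C:\Users\Public\Libraries\VERSION.dll",      # shadows a system DLL beside an exe
    r"C:\Users\Public\Libraries\datast.dll",       # loader name from the report
    r"C:\Temp\dbghelp.dll",                        # no executable beside it, not flagged
]


def is_in_system_dir(path: PureWindowsPath) -> bool:
    """True when the path lies under one of the Windows system directories."""
    low = str(path).lower()
    return any(low.startswith(d + "\\") for d in SYSTEM_DIRS)


def find_sideload_candidates(listing: Iterable[str]) -> List[Tuple[str, str, List[str]]]:
    """Return (dll_path, reason, executables in the same directory), sorted by path."""
    by_dir = {}
    for p in (PureWindowsPath(x) for x in listing):
        by_dir.setdefault(str(p.parent).lower(), []).append(p)
    findings = []
    for entries in by_dir.values():
        exes = sorted(str(e) for e in entries if e.suffix.lower() == ".exe")
        if not exes:
            continue  # side-loading needs a host executable in the same directory
        for e in entries:
            if e.suffix.lower() != ".dll" or is_in_system_dir(e):
                continue
            name = e.name.lower()
            reasons = []
            if name in REPORT_LOADER_NAMES:
                reasons.append("name matches loader from report")
            if name in SYSTEM_DLL_NAMES:
                reasons.append("shadows system DLL outside system directory")
            if reasons:
                findings.append((str(e), "; ".join(reasons), exes))
    return sorted(findings)


if __name__ == "__main__":
    for path, reason, exes in find_sideload_candidates(SAMPLE_LISTING):
        print(f"{path}\n  reason: {reason}\n  host executables: {', '.join(exes)}")
```

The check deliberately ignores a lone DLL with no executable next to it, since the technique depends on the host process resolving the library from its own directory first. On a live host the findings would be confirmed by checking the Authenticode signature of the flagged DLL and comparing its hash with the System32 copy; the name list is only a triage filter, and a new loader can always use a name that is not on it.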
Consequences and goals of attacks
Most interestingly, the main target of the attack was content related to human rights research published on the compromised platform. Given that most of the content was devoted to the conflict between Israel and Hamas, it can be assumed that the main purpose of the attack was to access information on this topic.

This new strategic goal of the Tropic Trooper group opens up additional opportunities to analyze their motivations and goals. The focus on government structures dealing with human rights may indicate the desire of the hackers to gain access to data of political importance in the international arena.
As the investigation of the incident continues, cybersecurity experts keep identifying new malware samples and updates to the tools used by the hackers. This allows analysts to gain a deeper understanding of Tropic Trooper's methods of operation and to predict their next steps.
Source