Trend Micro reveals that Chinese state-sponsored malicious actors known as ‘Tropic Trooper’ have been attacking transportation firms and government bodies associated with the transport industry since mid-2020.
The Advanced Persistent Threat (APT) group, also tracked as Earth Centaur and KeyBoy, has been active since 2011, conducting espionage campaigns against organizations in the government, healthcare, high-tech, and transportation sectors in the Philippines, Hong Kong, and Taiwan.
Trend Micro warns that, over the last year and a half, the group sought to obtain flight schedules, financial plans, and other internal documents from the targeted organizations, along with any personal information accessible on the compromised systems, including search histories.
Trend Micro’s observation of the group points to red-team-level competence: the adversary can quickly bypass security settings, keep its operations from being obstructed, and use reverse proxies to evade network security controls.
The APT has also been seen using open-source frameworks, which lets it easily build new backdoor variants, and Trend Micro’s researchers consider it likely that the same methods are used in attacks on other industries as well.
Tropic Trooper employs a multi-stage infection procedure in which vulnerabilities in Internet Information Services (IIS) and Microsoft Exchange (including ProxyLogon) are exploited for initial access. The attackers then install web shells and deploy the Nerapack .NET loader together with the Quasar RAT.
Depending on the victim, several kinds of second-stage backdoors, such as ChiserClient and SmileSvr, are used. The attackers then perform Active Directory (AD) discovery, move laterally across the network via Server Message Block (SMB), and attempt to collect user credentials.
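The chain described above (web shell execution under IIS, followed by AD discovery and SMB lateral movement) is what a defender would want to correlate per host. The following is an added detection example, not code from Trend Micro or from the report; the process-creation events, host names and the 30-minute window are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample process-creation events (hypothetical hosts and times),
# in the order a detection pipeline would receive them.
EVENTS = [
    {"host": "ex01", "time": "2021-06-01T10:00:05", "parent": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe /c whoami"},
    {"host": "ex01", "time": "2021-06-01T10:04:10", "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\net.exe", "cmdline": 'net group "Domain Admins" /domain'},
    {"host": "ex01", "time": "2021-06-01T10:09:30", "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\cmd.exe", "cmdline": r"cmd.exe /c copy svc.exe \\fs02\admin$\svc.exe"},
    {"host": "ws07", "time": "2021-06-01T11:00:00", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\net.exe", "cmdline": "net use Z: \\\\fs02\\share"},
]

# One rule per stage of the reported chain: a shell spawned by the IIS worker process,
# domain-group enumeration, and file copies to administrative SMB shares.
STAGES = {
    "webshell_exec": lambda e: e["parent"].lower().endswith("\\w3wp.exe")
        and e["image"].lower().endswith(("\\cmd.exe", "\\powershell.exe")),
    "ad_discovery": lambda e: re.search(r"\bnet1?(\.exe)?\s+group\b.*/domain|\bnltest\b|\bdsquery\b",
                                        e["cmdline"], re.I) is not None,
    "smb_lateral": lambda e: re.search(r"\\\\[^\\\s]+\\(admin|c)\$", e["cmdline"], re.I) is not None,
}

def classify(event):
    """Return the names of every stage rule the event matches."""
    return [name for name, rule in STAGES.items() if rule(event)]

def correlate(events, window_minutes=30):
    """Return hosts where web-shell execution is followed, within the window, by a later stage."""
    hits = defaultdict(list)
    for e in events:
        for stage in classify(e):
            hits[e["host"]].append((datetime.fromisoformat(e["time"]), stage))
    alerts = {}
    for host, seq in hits.items():
        seq.sort()
        starts = [t for t, s in seq if s == "webshell_exec"]
        if not starts:
            continue  # no web-shell stage on this host, so no chain to report
        t0 = starts[0]
        later = sorted({s for t, s in seq
                        if s != "webshell_exec" and t0 <= t <= t0 + timedelta(minutes=window_minutes)})
        if later:
            alerts[host] = ["webshell_exec"] + later
    return alerts
```

A normal mapped drive on ws07 matches no stage, so only ex01, where the shell under w3wp.exe is followed by discovery and an admin-share copy, is reported.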
“We found that the threat group developed multiple backdoors capable of communication via common network protocols. We think this indicates that it has the capability to bypass network security systems by using these common protocols to transfer data. We also found that the group tries to launch various backdoors per victim,” Trend Micro said.
Depending on commands received from the command-and-control (C&C) server, the backdoors can download files, read and write files, open command shells for command execution, upload files, list directories and files, and more. Backdoors supporting different protocols are deployed depending on the victim.
“These threat actors are notably sophisticated and well-equipped. Looking deeper into the new methods the group uses, we found that it has an arsenal of tools capable of assessing and then compromising its targets while remaining under the radar,” Trend Micro added.