According to Trend Micro, a Chinese state-sponsored threat actor known as ‘Tropic Trooper’ has been targeting transportation companies and government bodies since the middle of 2020. The Advanced Persistent Threat (APT), aka KeyBoy and Earth Centaur, has been active in Hong Kong, the Philippines, and Taiwan since 2011, conducting espionage activities targeting businesses in the government, high-tech, healthcare, and transportation sectors.
Trend Micro said the gang sought to acquire flight schedules, financial plans, and other internal documents at the target firms, as well as any personal data available on the compromised hosts, including search history, as part of the cyberattacks over the previous year and a half.
According to Trend Micro’s monitoring of the group, the attacker can quickly bypass security settings, keep its operations unobtrusive, and use reverse proxies to get around network security measures. The APT has also been seen employing open-source frameworks, which allow it to create new backdoor versions quickly. The Trend Micro analysts believe it uses the same approach in cyberattacks on other industries.
Tropic Trooper employs a multi-stage infection procedure in which vulnerabilities in Internet Information Services (IIS) and Microsoft Exchange (including ProxyLogon) are used to gain initial access. As the first-stage malware, the attackers install web shells and deploy the Nerapack .NET loader and the Quasar RAT. Different second-stage backdoors are used depending on the victim, such as ChiserClient and SmileSvr. The attackers then perform Active Directory (AD) discovery, propagate throughout the network via Server Message Block (SMB), and attempt to steal login credentials.
“We found that the threat group developed multiple backdoors capable of communication via common network protocols. We think this indicates that it has the capability to bypass network security systems by using these common protocols to transfer data. We also found that the group tries to launch various backdoors per victim,” Trend Micro stated.
Based on commands received from the command and control (C&C) server, the backdoors can download files, open command shells for command execution, read and write files, list directories and files, upload files, and more. Backdoors that support multiple protocols are employed depending on the victim.
Trend Micro further said that these threat actors are well-equipped and clever. Its researchers dug deeper into the group’s new tactics and discovered that it has a toolbox capable of analyzing and then compromising targets while remaining undetected.