Security researchers have uncovered a new campaign attributed to the Chinese-speaking threat group “Tropic Trooper” that uses the Nimbda loader and a new variant of the Yahoyah trojan.
The trojan is bundled into a greyware tool called “SMS Bomber,” which floods a target phone number with text messages, a crude denial-of-service (DoS) against the phone rather than against a website. Tools of this kind are typically used by low-skill, “beginner” threat actors. According to Check Point’s research, the threat actor also shows an in-depth understanding of cryptography in a customized implementation of the AES standard.
The infection starts when the victim downloads and runs a trojanized copy of SMS Bomber that still contains the tool’s binaries and works as expected. The downloaded program is in fact the “Nimbda” loader: it carries the SMS Bomber icon, embeds a genuine copy of SMS Bomber, and has been modified to inject additional malware into the notepad.exe process.
In the background, the loader injects shellcode into the notepad.exe process. That shellcode contacts a GitHub repository, downloads an encrypted executable, decrypts it, and launches it by process hollowing into ‘dllhost.exe.’ The payload is the new Yahoyah variant, which gathers information about the host and transmits it to the C2 server. Yahoyah collects the following:
- local wireless network SSIDs in the victim machine’s vicinity
- MAC address
- computer name
- OS version
- presence of WeChat and Tencent files
- installed AV products
The final payload is hidden inside a JPG image using steganography and is extracted and dropped by the Yahoyah executable. Check Point identifies it as “TClient,” a backdoor Tropic Trooper has employed in earlier campaigns.
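The page does not say how the JPG hides TClient. One common approach in malware loaders is simply appending the payload after the image’s End Of Image marker (FF D9), and that is the case checked below. This is an added example written for this page, not Yahoyah’s or Check Point’s code; the sample JPEG, its embedded thumbnail and the “payload” are constructed bytes. The check walks the JPEG segment structure to find the true end of the image, so an FF D9 inside an Exif thumbnail or inside the appended blob does not fool it the way a plain find()/rfind() would. Pixel-level (LSB) embedding would need a different check.

```python
# Added example, not Yahoyah's or Check Point's code: locate data appended after a
# JPEG's real EOI by walking the segment structure instead of searching for FF D9.
import struct

EOI, SOS = 0xD9, 0xDA
RST = set(range(0xD0, 0xD8))                  # restart markers, legal inside scan data
NO_LENGTH = {0x01, 0xD8, 0xD9} | RST          # markers that carry no length field

def _segment(marker, payload):
    # Build one marker segment: FF <marker> <2-byte length incl. itself> <payload>.
    return bytes([0xFF, marker]) + struct.pack(">H", len(payload) + 2) + payload

def jpeg_image_end(data):
    """Offset just past the EOI of the outermost JPEG image in data."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI")
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError("expected a marker at offset %d" % pos)
        marker = data[pos + 1]
        if marker == 0xFF:                    # fill byte before a marker
            pos += 1
            continue
        if marker == EOI:
            return pos + 2
        if marker in NO_LENGTH:
            pos += 2
            continue
        pos += 2 + struct.unpack(">H", data[pos + 2:pos + 4])[0]
        if marker == SOS:
            # Entropy-coded data: an FF byte is followed only by 00 (stuffed) or D0-D7.
            while pos + 1 < len(data):
                if data[pos] == 0xFF and data[pos + 1] != 0x00 and data[pos + 1] not in RST:
                    break
                pos += 1
    raise ValueError("no EOI found")

def trailing_payload(data):
    return data[jpeg_image_end(data):]

# Constructed sample: a minimal JPEG whose APP1 (Exif) segment embeds a thumbnail JPEG
# with its own FF D9, followed by an appended "encrypted" blob that also contains FF D9.
THUMB = (b"\xff\xd8" + _segment(0xDB, b"\x00" * 65)
         + _segment(SOS, b"\x01\x01\x00\x00\x3f\x00") + b"\x12\x34\xff\x00" + b"\xff\xd9")
SAMPLE_JPEG = (b"\xff\xd8"
               + _segment(0xE1, b"Exif\x00\x00" + THUMB)        # APP1 with thumbnail
               + _segment(0xDB, b"\x00" + bytes(range(64)))      # DQT
               + _segment(SOS, b"\x01\x01\x00\x00\x3f\x00")       # SOS header
               + b"\x5a\xff\x00\xa5\xff\xd0\x3c"                   # scan data: stuffed FF 00 and an RST0
               + b"\xff\xd9")
PAYLOAD = b"MZ\xff\xd9" + b"fake-encrypted-payload"               # constructed, not real TClient
CARRIER = SAMPLE_JPEG + PAYLOAD

def naive_split_is_wrong():
    # A plain find()/rfind() for FF D9 picks the thumbnail's EOI or the blob's fake one.
    first = CARRIER.find(b"\xff\xd9") + 2
    last = CARRIER.rfind(b"\xff\xd9") + 2
    return CARRIER[first:] != PAYLOAD and CARRIER[last:] != PAYLOAD
```

Calling trailing_payload(CARRIER) returns exactly the appended blob, while the same call on SAMPLE_JPEG returns an empty string; a non-empty result on a downloaded image is a cheap triage signal worth raising before any decryption work starts.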
Yahoyah is encrypted with a custom AES implementation, attributed by Check Point to the malware authors, in which the inverted sequence of round operations is applied twice. This does not make the encryption any stronger, but it makes analysis of the sample considerably harder: standard AES tooling will not decrypt the data, so an analyst must first recover the modified algorithm from the binary. That is enough to deter less tenacious researchers or make their task much more tedious.
“Getting an analyst to go through that entire rigmarole is a cruel and effective feat, especially for the meager cost on the malware author’s side,” comments Check Point. “They just need the knowledge and self-confidence to mess with the crypto in a way that will not render it nonoperational.”
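As an added illustration of that point (example code written for this page, not Check Point’s code and not code recovered from the sample), the block below implements AES-128 in plain Python and, next to it, a hypothetical tampered variant in which every round applies its operations in reversed order and runs that body twice. The page does not spell out the exact changes in Yahoyah’s AES, so the variant is an assumption chosen to show the principle: as long as the author also writes the matching inverse, the tamper round-trips perfectly, while a standard AES decryptor produces garbage and the published test vector no longer matches.

```python
# Added example, not code from Check Point or the Yahoyah sample: a compact AES-128
# beside a HYPOTHETICAL tampered variant (tampered=True) whose rounds apply the
# operations in reversed order and run that body twice. The variant is an assumption
# for illustration; the page does not spell out Yahoyah's exact changes. The point:
# a self-consistent tamper still round-trips, but standard AES no longer decrypts it.

def _build_sbox():
    # S-box from GF(2^8) inverses plus the affine map (FIPS-197 5.1.1): walk p*=3, q/=3.
    rotl = lambda x, n: ((x << n) | (x >> (8 - n))) & 0xFF
    sbox, p, q = [0x63] + [0] * 255, 1, 1
    while True:
        p = (p ^ (p << 1) ^ (0x1B if p & 0x80 else 0)) & 0xFF
        q ^= (q << 1) & 0xFF
        q ^= (q << 2) & 0xFF
        q ^= (q << 4) & 0xFF
        q ^= 0x09 if q & 0x80 else 0
        sbox[p] = q ^ rotl(q, 1) ^ rotl(q, 2) ^ rotl(q, 3) ^ rotl(q, 4) ^ 0x63
        if p == 1:
            return sbox

SBOX = _build_sbox()
INV_SBOX = [SBOX.index(v) for v in range(256)]
MIX, INV_MIX = [2, 3, 1, 1], [14, 11, 13, 9]   # first rows of the (Inv)MixColumns matrices

def _xtime(a):
    a <<= 1
    return (a ^ 0x1B) & 0xFF if a & 0x100 else a

def _gmul(a, b):
    r = 0
    while b:
        r ^= a if b & 1 else 0
        a, b = _xtime(a), b >> 1
    return r

# State is 16 bytes, column-major: byte i is row i % 4, column i // 4.
def _mix_columns(s, base):
    out = [0] * 16
    for c in range(4):
        for r in range(4):
            for j in range(4):
                out[4 * c + r] ^= _gmul(base[(j - r) % 4], s[4 * c + j])
    return out

def _expand_key(key):
    w, rcon = [list(key[4 * i:4 * i + 4]) for i in range(4)], 1
    for i in range(4, 44):
        t = list(w[i - 1])
        if i % 4 == 0:
            t = [SBOX[b] for b in t[1:] + t[:1]]
            t[0] ^= rcon
            rcon = _xtime(rcon)
        w.append([a ^ b for a, b in zip(w[i - 4], t)])
    return [sum(w[4 * r:4 * r + 4], []) for r in range(11)]

def _round(s, tampered, mix, inverse=False):
    # Standard order: SubBytes, ShiftRows, MixColumns; decryption runs the inverses backwards.
    box, base, d = (INV_SBOX, INV_MIX, -4) if inverse else (SBOX, MIX, 4)
    ops = [lambda x: [box[b] for b in x],
           lambda x: [x[(i + d * (i % 4)) % 16] for i in range(16)],
           lambda x: _mix_columns(x, base)][:3 if mix else 2]
    if tampered != inverse:  # tampered encrypt, or standard decrypt, reverses the list
        ops.reverse()
    for _ in range(2 if tampered else 1):  # the tampered body runs twice per round key
        for op in ops:
            s = op(s)
    return s

def _xor(a, b):
    return [x ^ y for x, y in zip(a, b)]

def encrypt_block(key, block, tampered=False):
    rk = _expand_key(key)
    s = _xor(block, rk[0])
    for r in range(1, 10):
        s = _xor(_round(s, tampered, mix=True), rk[r])
    return bytes(_xor(_round(s, tampered, mix=False), rk[10]))

def decrypt_block(key, block, tampered=False):
    rk = _expand_key(key)
    s = _round(_xor(block, rk[10]), tampered, mix=False, inverse=True)
    for r in range(9, 0, -1):
        s = _round(_xor(s, rk[r]), tampered, mix=True, inverse=True)
    return bytes(_xor(s, rk[0]))

# FIPS-197 Appendix C.1 test vector (published inputs and expected ciphertext).
KEY = bytes.fromhex("000102030405060708090a0b0c0d0e0f")
PT = bytes.fromhex("00112233445566778899aabbccddeeff")
FIPS_CT = "69c4e0d86a7b0430d8cdb78070b4c55a"

def standard_matches_fips():
    return encrypt_block(KEY, PT).hex() == FIPS_CT

def tampered_roundtrips():
    return decrypt_block(KEY, encrypt_block(KEY, PT, tampered=True), tampered=True) == PT

def standard_decrypt_fails_on_tampered():
    ct = encrypt_block(KEY, PT, tampered=True)
    return ct.hex() != FIPS_CT and decrypt_block(KEY, ct) != PT
```

The three check functions show the whole story: the untampered path reproduces the FIPS-197 vector, the tampered path decrypts its own output, and the standard decryptor does not. In a real sample the same symptom, the S-box and key-schedule constants are present yet textbook decryption fails, is the cue to trace the round function in the binary rather than assume a wrong key.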
Tropic Trooper is a sophisticated threat actor that has targeted Russian government personnel with phishing attacks. Trojanizing “SMS Bomber” points to precise, focused targeting, suggesting the choice was informed by intelligence gathered in earlier espionage. Even though the exact targeting scope is unknown, this campaign shows Tropic Trooper’s ability to craft whatever decoy an operation requires, as well as its expertise in cryptography and malware development.