INTRODUCTION

Security experts identified new cyber espionage from the Chinese state-sponsored Advanced Persistent Threat (APT) group “Tropic Trooper” targeting transportation, health care, and government sectors across Hong Kong, the Philippines, and Taiwan. Also known as Earth Centaur and KeyBoy, the Tropic Trooper operators have been active since 2011, conducting various kinds of cyber campaigns.

The group managed to access certain internal documents like flight schedules, financial plan details, and other personal information on the compromised hosts.

Tropic Trooper’s Capabilities

• Proficient at red teamwork
• Bypasses security settings and keeps its operation unconstructive
• Uses backdoors with different protocols like a reverse proxy to bypass the monitoring of network security systems
• Leverages open-source frameworks to develop new backdoor variants

“We believe that it will continue collecting internal information from the compromised victims and that it is simply waiting for an opportunity to use this data. The activities we observed are just the tip of the iceberg, and their targets might be expanded to other industries that are related to transportation. It is our aim, through this article, to encourage enterprises to review their own security setting and protect themselves from damage and compromise,” Trend Micro said.

Tropic Trooper’s Attack Vector

Tropic Trooper initially exploited the vulnerable Internet Information Services (IIS) server and Exchange server vulnerabilities as entry points. The attackers deployed web shells, the .NET loader (Nerapack), and the first stage backdoor (Quasar remote administration tool aka Quasar RAT) on the compromised machine. Based on the victims, the actors installed various second-stage backdoors like ChiserClient and SmileSvr.

After successful exploitation, Tropic Trooper started Active Directory (AD) discovery and spread their tools via Server Message Block (SMB). Then, they used intranet penetration tools to build the connection between the victim’s intranet and their command-and-control (C&C) servers. The group reportedly used multiple tools to dump credentials on compromised machines.

The attackers dropping an arsenal of second-stage implants like ChiserClient, SmileSvr, ChiserClient, HTShell, and bespoke versions of Lilith RAT and Gh0st RAT depending on the victim to retrieve further instructions from:

• Remote server
• Download additional payloads
• Perform file operations
• Execute arbitrary commands
• Exfiltrate results back to the server.

Earth Centaur, also recognised by the monikers Pirate Panda and Tropic Trooper, is a very long-functioning danger team concentrated on info theft and espionage that has led targeted strategies against govt, healthcare, transportation, and superior-tech industries in Taiwan, the Philippines, and Hong Kong dating all the way back again to 2011.

Trend Micro

While analyzing samples, trend micro found that the C&C server was already inactive. Without knowing the traffic between SmileSvr and C&C server, trend micro could not fully understand all functions. However, most of the backdoor functions are listed here:

Command code Function 0x5001 Opens/Reads specified file 0x5002 Unknown 0x5004 Opens/Writes specified file 0x5006 Opens command shell 0x5007 Unknown 0x5009 Closes command shell 0x500A File System Traversal 0x500C Checks environment information 0x500E Unknown

As for the SSL version of SmileSvr, the capability of SSL communication is built by using wolf SSL, which is a lightweight, C-language based SSL/TLS library. The backdoor functions of SSL version SmileSvr are similar to the ICMP ones. The threat actors just use it to develop new ways to support data transfer via an encrypted channel.

Conclusion

The group can map their target’s network infrastructure and bypass firewalls. It uses backdoors with different protocols, which are deployed depending on the victim. It also has the capability to develop customized tools to evade security monitoring in different environments, and it exploits vulnerable websites and uses them as C&C servers.

For a list of the Indicators of Compromise: