📃Title: Tropic Trooper spies on government entities in the Middle East
📅Date: 2024-09-05
🔗References:

Description

Tropic Trooper, a Chinese-speaking APT group active since 2011, has expanded its operations to target government entities in the Middle East. The group deployed a new variant of the China Chopper web shell on a compromised Umbraco CMS server, along with other post-exploitation tools and backdoor implants. The attackers used DLL search-order hijacking to load malicious payloads, including a loader called Crowdoor. The campaign focused on cyber espionage, targeting systems related to human rights studies in the region. This marks a strategic shift for Tropic Trooper, previously known for targeting Southeast Asian countries.

🔖Rectifyq Taxonomies:

🔖MISP Galaxies:

  • producer Kaspersky
  • target-information="Malaysia"
  • threat-actor APT23
  • region="145 - Western Asia"
  • sector="Government, Administration"
  • mitre-malware="China Chopper - S0020"
  • malpedia="SparrowDoor"
  • mitre-attack-pattern=['T1033', 'T1543.003', 'T1574.001', 'T1082', 'T1036', 'T1055', 'T1589', 'T1021', 'T1505.003', 'T1016', 'T1083', 'T1057', 'T1059.001', 'T1547.001', 'T1588.002', 'T1566', 'T1027', 'T1059.003', 'T1105']

MISP event uuid: a9c8d390-6524-4a0e-b05b-6d1a8b6d0082

Indicators of Compromise (IoCs)

Full IoCs available in Rectifyq's MISP