Tropic Trooper's "unorthodox" Infection Chain
Industry: N/A | Level: Tactical | Source: Check Point
Check Point Research reports a new activity cluster attributed to Tropic Trooper that targets Chinese-speaking countries. Historically the group has targeted organizations in the Philippines, Hong Kong, and Taiwan, and much of its infrastructure is hosted with Chinese hosting providers. The observed infection chain begins with the Nimbda loader (written in Nim) being dropped on the victim's workstation. The loader drops a second executable named SMS Bomber and injects shellcode into notepad.exe. SMS Bomber is a Chinese GUI tool, written in EPL, used to flood a target's phone with messages. The injected shellcode contacts the attacker's GitHub or Gitee repository to download a file named EULA.md; a Python script then deobfuscates the IP address contained in that file. A further executable, recognized as the TROJ_YAHOYAH malware, is downloaded and executed by hollowing and injecting itself into a dllhost.exe process. The malware enumerates the host's local wireless networks and sets up persistence in the Windows Run key. The final payload is known as TClient. The goal of the attack has not yet been determined; however, Check Point's hypothesis is a scheme based on misdirection: "Whoever crafted the Nim loader took special care to give it the same executable icon as the SMS Bomber that it drops and executes. Therefore the entire bundle works as a trojanized binary. That is: the victim launches what they think is just an SMS Bomber, but is actually an SMS Bomber plus a backdoor. An attack making use of such a trojanized binary is necessarily aimed at a rather unorthodox target — people who’d use such an “SMS Bomber” tool in the first place."
- Tropic Trooper
- Nimbda Loader
- Infection Chain
Anvilogic Use Cases:
- Executable Process from Suspicious Folder
- Rare Remote Thread
- Suspicious DLLhost Execution
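The following is an added, illustrative detection script, not Check Point's research code and not Anvilogic's use-case content. It models the three use cases listed above plus the Run-key persistence step from the infection chain as simple rules over Sysmon-style events (Event IDs 1, 8 and 13), and runs them against a constructed telemetry sample that mirrors the described chain. The event field names, the list of "suspicious" folders, the allowlisted injector and the dllhost.exe `/Processid:` heuristic are all assumptions; the sample paths and registry values are constructed and are not indicators from the report.

```python
"""Toy detections modelled on the Tropic Trooper chain summarised above.
Added illustrative code (not Check Point's or Anvilogic's); event shapes are
assumptions loosely based on Sysmon Event IDs 1 (ProcessCreate),
8 (CreateRemoteThread) and 13 (RegistryEvent SetValue)."""

import ntpath
import re
from dataclasses import dataclass

# User-writable folders a freshly dropped loader is commonly launched from (assumption).
SUSPICIOUS_DIRS = ("\\appdata\\local\\temp\\", "\\downloads\\", "\\users\\public\\", "\\programdata\\")
# Benign host processes the described chain abuses as injection targets.
INJECTION_TARGETS = {"notepad.exe", "dllhost.exe"}
# Processes allowed to create threads in other processes without an alert (assumption).
ALLOWED_INJECTORS = {"csrss.exe"}
SYSTEM_DIR = "c:\\windows\\system32\\"
RUN_KEY_RE = re.compile(r"\\software\\microsoft\\windows\\currentversion\\run(once)?\\", re.I)
# dllhost.exe launched by COM normally carries /Processid:{GUID}; its absence is a heuristic (assumption).
PROCESSID_ARG_RE = re.compile(r"/processid:\{[0-9a-f-]{36}\}", re.I)


@dataclass
class Event:
    event_id: int
    image: str = ""          # process performing the action
    command_line: str = ""
    parent_image: str = ""
    target_image: str = ""   # EID 8: process receiving the remote thread
    target_object: str = ""  # EID 13: registry value path
    details: str = ""        # EID 13: value data written


def _base(path: str) -> str:
    return ntpath.basename(path).lower()


def exe_from_suspicious_folder(ev: Event) -> bool:
    """Use case 'Executable Process from Suspicious Folder'."""
    return ev.event_id == 1 and any(d in ev.image.lower() for d in SUSPICIOUS_DIRS)


def rare_remote_thread(ev: Event) -> bool:
    """Use case 'Rare Remote Thread': a thread is created inside notepad.exe or
    dllhost.exe by anything other than an allowlisted injector."""
    return (ev.event_id == 8
            and _base(ev.target_image) in INJECTION_TARGETS
            and _base(ev.image) not in ALLOWED_INJECTORS)


def suspicious_dllhost(ev: Event) -> bool:
    """Use case 'Suspicious DLLhost Execution': dllhost.exe without the usual
    COM surrogate argument, or with a parent other than svchost.exe."""
    if ev.event_id != 1 or _base(ev.image) != "dllhost.exe":
        return False
    return (not PROCESSID_ARG_RE.search(ev.command_line)
            or _base(ev.parent_image) != "svchost.exe")


def run_key_persistence(ev: Event) -> bool:
    """Run-key value written by an abused host process, or pointing at a
    user-writable folder, as in the TROJ_YAHOYAH persistence step."""
    if ev.event_id != 13 or not RUN_KEY_RE.search(ev.target_object):
        return False
    return (_base(ev.image) in INJECTION_TARGETS
            or any(d in ev.details.lower() for d in SUSPICIOUS_DIRS))


DETECTIONS = {
    "Executable Process from Suspicious Folder": exe_from_suspicious_folder,
    "Rare Remote Thread": rare_remote_thread,
    "Suspicious DLLhost Execution": suspicious_dllhost,
    "Run Key Persistence": run_key_persistence,
}


def evaluate(events):
    """Return {detection name: [indices of matching events]} (empty rules omitted)."""
    hits = {name: [] for name in DETECTIONS}
    for i, ev in enumerate(events):
        for name, rule in DETECTIONS.items():
            if rule(ev):
                hits[name].append(i)
    return {name: idx for name, idx in hits.items() if idx}


# Constructed sample telemetry mirroring the chain in the summary (not real IoCs).
SAMPLE_EVENTS = [
    Event(1, image="C:\\Users\\alice\\Downloads\\SMSBomber.exe", parent_image="C:\\Windows\\explorer.exe"),
    Event(1, image="C:\\Windows\\System32\\notepad.exe", parent_image="C:\\Users\\alice\\Downloads\\SMSBomber.exe"),
    Event(8, image="C:\\Users\\alice\\Downloads\\SMSBomber.exe", target_image="C:\\Windows\\System32\\notepad.exe"),
    Event(1, image="C:\\Windows\\System32\\dllhost.exe", command_line="dllhost.exe",
          parent_image="C:\\Windows\\System32\\notepad.exe"),
    Event(8, image="C:\\Windows\\System32\\notepad.exe", target_image="C:\\Windows\\System32\\dllhost.exe"),
    Event(13, image="C:\\Windows\\System32\\dllhost.exe",
          target_object="HKU\\S-1-5-21-1\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater",
          details="C:\\Users\\alice\\AppData\\Local\\Temp\\svc.exe"),
    # Benign COM surrogate launch, included for contrast; should not alert.
    Event(1, image="C:\\Windows\\System32\\dllhost.exe",
          command_line="C:\\Windows\\system32\\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}",
          parent_image="C:\\Windows\\System32\\svchost.exe"),
]

if __name__ == "__main__":
    for name, idx in evaluate(SAMPLE_EVENTS).items():
        print(f"{name}: events {idx}")
```

Each rule deliberately fires on a different stage of the chain (dropped loader, injection into notepad.exe, injection into and odd launch of dllhost.exe, Run-key write), so an analyst correlating hits by host within a short window sees the whole sequence rather than a single low-confidence alert; the benign last event shows why the dllhost.exe rule keys on the missing `/Processid:` argument and unexpected parent instead of on the binary alone.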