Kaspersky’s Global Research and Analysis Team (GReAT) has identified a new advanced cyberespionage campaign carried out by the group known as Tropic Trooper. This operation has been targeting a government entity in the Middle East for over a year, with the purpose of continuous spying. The attackers managed to infiltrate and sustain themselves on the target network by leveraging the China Chopper web shell, as discovered by GReAT on an open source web server.
Tropic Trooper, also known as KeyBoy or Pirate Panda, has been active since at least 2011, targeting government, healthcare, transportation and high-tech sectors, primarily in regions such as Taiwan, the Philippines and Hong Kong. Recent Kaspersky research reveals that since June 2023, the group has launched new persistent cyberespionage campaigns against a government entity in the Middle East.
In June 2024, Kaspersky detected an updated variant of the China Chopper shell. GReAT analysis found that it was hidden as a module within the Umbraco CMS, a widely used content management system. The attackers used this platform to carry out a range of malicious activities, including data theft, remote control, malware deployment, and advanced techniques to avoid detection, all with the aim of performing cyber espionage.
“The variation in skills employed during the different stages of cyber espionage, as well as their tactics after failure, is notable. When attackers realized that their backdoors had been located, they tried to upload newer versions to evade detection, thus increasing the likelihood that these new samples would be discovered in the near future,” explains Sherif Magdy, Senior Security Analyst at Kaspersky’s GReAT.
Cyberespionage in the Middle East
In addition, Kaspersky identified new DLL search order hijacking implants, which were loaded by a legitimate but vulnerable executable because it requested the DLL by name alone, without a full path, so the loader resolved it from the search order rather than from the system directory. This attack chain attempted to deploy the Crowdoor loader, named after the SparrowDoor backdoor detailed by ESET. When Kaspersky’s security measures blocked Crowdoor’s initial loader, the attackers quickly switched to a previously unreported variant with a similar impact.
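The loading behaviour described above is visible to defenders as an image-load event: a DLL with the name of a well-known Windows library is mapped from the executable’s own directory (or another non-system path) instead of from System32. The following Python is an added example, not code from Kaspersky’s report; it triages constructed image-load records whose field names are modelled on Sysmon Event ID 7 (Image, ImageLoaded, Signed). The list of system DLL names is an illustrative assumption, not a complete catalogue.

```python
"""Triage image-load events for DLL search order hijacking (added example)."""
from __future__ import annotations

from dataclasses import dataclass
from pathlib import PureWindowsPath
from typing import List, Tuple

# Illustrative, deliberately incomplete set of Windows DLL names that a
# legitimate executable normally resolves from the system directory.
SYSTEM_DLL_NAMES = {
    "version.dll", "dwmapi.dll", "userenv.dll",
    "cryptsp.dll", "wtsapi32.dll", "profapi.dll",
}

# Directories from which those names are expected to load.
SYSTEM_DIRS = (
    PureWindowsPath(r"C:\Windows\System32"),
    PureWindowsPath(r"C:\Windows\SysWOW64"),
)


@dataclass
class ImageLoad:
    """One image-load record (fields modelled on Sysmon Event ID 7)."""
    process: str        # executable that performed the load
    image_loaded: str   # full path of the DLL that was mapped
    signed: bool        # whether the DLL carried a valid signature


def assess(ev: ImageLoad) -> List[str]:
    """Return the reasons (possibly none) this load looks like hijacking."""
    dll = PureWindowsPath(ev.image_loaded)
    exe_dir = PureWindowsPath(ev.process).parent
    reasons: List[str] = []

    # PureWindowsPath equality is case-insensitive, so C:\WINDOWS matches.
    if dll.name.lower() in SYSTEM_DLL_NAMES and dll.parent not in SYSTEM_DIRS:
        reasons.append("system DLL name loaded from outside the system directories")
        if dll.parent == exe_dir:
            reasons.append("DLL sits beside the loading executable")
    if not ev.signed:
        reasons.append("unsigned module")
    return reasons


def severity(reasons: List[str]) -> str:
    """Rank: a system-name DLL from a non-system path is the strong signal."""
    if any(r.startswith("system DLL name") for r in reasons):
        return "high"
    return "low" if reasons else "none"


def triage(events: List[ImageLoad]) -> List[Tuple[str, str, List[str]]]:
    """Return (severity, dll path, reasons) for every event worth a look."""
    out = []
    for ev in events:
        reasons = assess(ev)
        if reasons:
            out.append((severity(reasons), ev.image_loaded, reasons))
    return out


# Constructed sample records; paths and names are invented for illustration.
SAMPLE_EVENTS = [
    ImageLoad(r"C:\Program Files\Vendor\app.exe",
              r"C:\Windows\System32\version.dll", signed=True),
    ImageLoad(r"C:\Users\Public\update\vendor_tool.exe",
              r"C:\Users\Public\update\version.dll", signed=False),
    ImageLoad(r"C:\Program Files\Vendor\app.exe",
              r"C:\Program Files\Vendor\plugin.dll", signed=False),
]

if __name__ == "__main__":
    for sev, path, why in triage(SAMPLE_EVENTS):
        print(f"[{sev}] {path}: {'; '.join(why)}")
```

The check keys on the combination of a system library name and a non-system load path, which is what distinguishes a hijacked side-load from an application legitimately shipping its own unsigned plugin; the unsigned flag alone is kept as low severity so it adds context without drowning the stronger signal.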
Kaspersky’s Global Research and Analysis Team (GReAT) has discovered a new advanced persistent threat (APT) cyberespionage campaign carried out by the Tropic Trooper group.
Kaspersky experts attribute this activity to the Chinese-speaking threat actor known as Tropic Trooper. Their findings reveal significant overlaps with the techniques reported in the group’s recent campaigns, and the samples analyzed by GReAT show a strong correlation with those previously linked to Tropic Trooper.
Kaspersky observed this targeted intrusion in a government entity in the Middle East. Simultaneously, a subset of these samples was detected targeting a government entity in Malaysia. These incidents align with the typical targets and geographic focus described in recent reports on this group. “Tropic Trooper APT typically targets governments, healthcare, transportation, and high-tech industries. The presence of this group’s tactics, techniques, and procedures (TTPs) within critical government entities in the Middle East, particularly those involved in human rights studies, indicates a strategic change in its operations. This information can help the threat intelligence community better understand the motives of this actor,” adds Magdy.
Security Recommendations
To avoid becoming a victim of a targeted attack by a known or unknown threat actor, Kaspersky analysts recommend implementing the following measures:
- Provide your SOC team with access to the latest threat intelligence. Kaspersky Threat Intelligence is a single point of access for the company’s threat intelligence, providing data and information on cyberattacks collected by Kaspersky for over 20 years.
- Improve the skills of your cybersecurity team to tackle the latest targeted threats with Kaspersky online training, developed by GReAT experts.
- To detect threats on endpoints and investigate and remediate incidents, implement EDR solutions such as Kaspersky Next.
- In addition to adopting essential endpoint protection, deploy a corporate-grade security solution that detects advanced threats on the network at an early stage, such as the Kaspersky Anti Targeted Attack Platform.
- Since many targeted attacks begin with phishing or other social engineering techniques, educate your team about security and teach them practical skills, for example via the Kaspersky Automated Security Awareness Platform.