Tropic Trooper APT Expands into Middle Eastern Targets, Leveraging China Chopper Web Shell
Introduction
On September 5, 2024, a newly released report detailed ongoing cyber espionage campaigns conducted by Tropic Trooper, a Chinese-speaking Advanced Persistent Threat (APT) group traditionally known for targeting Taiwan, the Philippines, and Hong Kong entities. This recent campaign, however, represents a strategic expansion, as Tropic Trooper shifted its focus toward government entities in the Middle East, particularly those involved in human rights studies. The group initiated its attacks in June 2023, and the malware utilized includes a modified China Chopper web shell embedded in the Umbraco CMS.
Report Overview
Tropic Trooper, also known as KeyBoy or Pirate Panda, has been active since 2011, engaging in cyber espionage against government, healthcare, and high-tech sectors. In this newly identified campaign, the attackers targeted a public web server running Umbraco CMS, which triggered several telemetry alerts beginning in June 2024. The alerts were caused by a previously unseen variant of the China Chopper web shell.
Researchers investigating the intrusion discovered that the attackers had dropped various post-exploitation tools, including multiple malware families. This marked a new vector for the group, utilizing Umbraco CMS for malware delivery, a technique not previously associated with Tropic Trooper.
The China Chopper web shell, well-known for its command-and-control functionality, was embedded as a .NET module within Umbraco CMS. The web shell was hidden inside legitimate paths within the server's root directory, bypassing initial detection due to its obfuscated nature.
- Webshell path: c:\microsoft.net\framework64\v4.0.30319\temporary asp.net files\root
- Hash information:
  - MD5: 3f15c4431ad4573344ad56e8384ebd62
  - SHA-256: 8df9fa495892fc3d183917162746ef8fd9e438ff0d639264236db553b09629dc
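The report gives the drop path and two hashes for the web shell. As an added example (not code from the report, the researchers, or the Umbraco project), the Python below walks the temporary ASP.NET files tree and flags any file whose MD5 or SHA-256 matches those indicators; build_sample_tree() constructs a stand-in directory so the hunt can be exercised offline.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# Indicators quoted in the report above: the directory the web shell was
# dropped into and the two hashes published for it.
WEBSHELL_ROOT = r"c:\microsoft.net\framework64\v4.0.30319\temporary asp.net files\root"
KNOWN_MD5 = {"3f15c4431ad4573344ad56e8384ebd62"}
KNOWN_SHA256 = {"8df9fa495892fc3d183917162746ef8fd9e438ff0d639264236db553b09629dc"}


def hash_file(path):
    """Return (md5, sha256) hex digests, streaming so large assemblies are fine."""
    md5, sha = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            md5.update(chunk)
            sha.update(chunk)
    return md5.hexdigest(), sha.hexdigest()


def matches_ioc(md5_hex, sha256_hex, md5s=KNOWN_MD5, sha256s=KNOWN_SHA256):
    """Case-insensitive match of either digest against the indicator sets."""
    return md5_hex.lower() in md5s or sha256_hex.lower() in sha256s


def hunt(root=WEBSHELL_ROOT, md5s=KNOWN_MD5, sha256s=KNOWN_SHA256):
    """Walk the tree under root and return (path, md5, sha256) for every file
    whose digest matches an indicator. The default root is the path from the
    report; pass another directory to scan a different location."""
    hits = []
    for path in Path(root).rglob("*"):
        if path.is_file():
            md5_hex, sha_hex = hash_file(path)
            if matches_ioc(md5_hex, sha_hex, md5s, sha256s):
                hits.append((str(path), md5_hex, sha_hex))
    return hits


def build_sample_tree():
    """Constructed stand-in for the temporary ASP.NET files tree (not real
    compiler output) so the hunt runs offline; returns (root, benign_file)."""
    root = tempfile.mkdtemp(prefix="aspnet_temp_")
    app_dir = os.path.join(root, "root", "a1b2c3d4")
    os.makedirs(app_dir)
    benign = os.path.join(app_dir, "App_Web_sample.dll")
    with open(benign, "wb") as fh:
        fh.write(b"MZ constructed benign placeholder, not a real assembly")
    return root, benign


if __name__ == "__main__":
    for hit in hunt():
        print("IOC match:", hit)
```

Extend KNOWN_MD5 and KNOWN_SHA256 with any further hashes from the full report before running it against a live server.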
The attack sequence showed Tropic Trooper leveraging DLL search-order hijacking to deploy a custom loader named Crowdoor. This loader shares similarities with previously known backdoors, such as SparrowDoor, which was attributed to Tropic Trooper in earlier campaigns. The attackers used various post-exploitation tools, such as Fscan for lateral movement and Swor for defence evasion and exploitation of vulnerable systems.
Insights and Analysis
The attack primarily targeted critical governmental entities in the Middle East, focusing on those related to human rights. Using Umbraco CMS as a vector to drop malware represents an evolution in Tropic Trooper’s tactics, indicating that the group has broadened its range of targets.
Given the group's interest in espionage, the potential consequences of this intrusion are severe. Any compromise of sensitive government data could have significant geopolitical repercussions. The involvement of a China Chopper variant, combined with post-exploitation tools, suggests that Tropic Trooper is capable of sophisticated attacks, likely aiming to exfiltrate classified data from its targets.
Organizations using Umbraco CMS or similar platforms should ensure that their systems are up to date and patched against known vulnerabilities, such as CVE-2021-34473 and CVE-2021-31207 in Microsoft Exchange, which the attackers reportedly exploited. Additionally, administrators are encouraged to implement robust detection and response mechanisms to identify and neutralize malicious implants early in the attack chain.