Tropic Trooper Espionage

A sophisticated and well equipped cyber espionage group in what appears to be yet another uptick in malicious activities tried to access some internal documents and personal information on the compromised hosts. Dubbed Earth Centaur, also known by the monikers Pirate Panda and Tropic Trooper, is a long-running threat group focused on information theft and espionage that has led targeted campaigns.

The hostile agents, believed to be a Chinese speaking actor, are known for their use of spear-phishing emails with weaponized attachments to exploit known vulnerabilities, while simultaneously advancing their malicious tools with obfuscation, stealthiness, and striking power.

Advertisements

This threat group is proficient at red teamwork, knows how to bypass security settings and keep its operation unobstructive. The usage of the open-source frameworks also allows the group to develop new backdoor variants efficiently.

The operators were observed fine-tuning their attack strategies with new behaviors by deploying a USB trojan dubbed USBFerry to strike physically isolated networks belonging to government institutions and military entities in Taiwan and the Philippines in a bid to siphon sensitive data through removable flash drives.

The latest multi stage intrusion sequence involves the group turning to exploit vulnerable IIS servers and Exchange server flaws as entry points to install a web shell that’s then leveraged to deliver a .NET-based Nerapack loader and a first-stage backdoor known as Quasar on the compromised system.

The attackers follow it up by dropping an arsenal of second stage implants like ChiserClient, SmileSvr, ChiserClient, HTShell, and bespoke versions of Lilith RAT and Gh0st RAT depending on the victim to retrieve further instructions from a remote server, download additional payloads, perform file operations, execute arbitrary commands, and exfiltrate results back to the server.

Tropic Trooper also attempts to breach the intranet, dump credentials, and wipe out event logs from the infected machines using a specific set of tools. Also put to use is a command-line program called Rclone that enables the actor to copy harvested data to different cloud storage providers.

Indicators of Compromise

Loaders – Trojan.MSIL.NERAPACK

12425edb2c50eac79f06bf228cb2dd77bb1e847c4c4a2049c91e0c5b345df5f2
321febf2bc5603b58628e3a82fb063027bf175252a3b30869eccb90a78e59582
3ad24a438b9a67e4eff7ca7d34b06d5efc24b824e3e346488d534532faa619da
dd1afc083b7d82444fcec99e01e8293d51f744201cb968346ec334fb5dd32495
e488f0015f14a0eff4b756d10f252aa419bc960050a53cc04699d5cc8df86c8a
6b1b231a7d190651f8c89072e2514aade288dfe6bd87ea62171b6ecffe13d63e
e4a15537f767332a7ed08009f4e0c5a7b65e8cbd468eb81e3e20dc8dfc36aeed
a64e0c21494811ededf5d8af41b00937c1d5787d63dfcc399a7f32c19a553c99
c6cac51035ef7df22c8ff3b5ba204721cdae97bc4728b0de68db1358c0c04035

Backdoors – Backdoor.Win64.CHISERCLIENT

ea2264f56ba315c4db49d06cce12365875502686f8f748570cb5a99cb213f008
182f07a00b93a00fae17b33fbfc25931afeddd80f075f241060b4338a49cd5cc
2167855743b9e488ce514c80f246fd5d0973a4296cb565f95517fa1dcfee8f74
c6f17d39905d2006020c326c13bb514a66bccc5a42d533aade00e09456ca5dec
97e9bf8032e11bb618a77fbe92489e972b0c92e2e30b26f594f6129ee1cec987
507b0280105da31739159703e418e3d1b1e6e6817362bf69e2da3c0b305af605
819afbdc46b3b8f3e4b71e64c48df14ce886a273ce3c93d7a402f4760405b1a4
b3c31192048576591a52bc025e82286d7d32429c2f0991e68d801555b2d74c65996aa9c937b610efd1ab5c0ab173fc9fa78a70b423a193c3e2b505519bde7807
7e72ee1052b018250810e41ac01065ebd833293ecfc363415b7d19dd31734d49

HackTool.Win64.FRP