April 19, 2024

Researchers have spotted a new campaign linked with the Chinese hacking group, Tropic Trooper. The campaign used the Nimbda loader and a new variant of the Yahoyah trojan.

The attackers extended the AES specification in a custom implementation by performing the inverted sequence of round operations twice. The trojan is bundled SMS Bomber, which is used for DoS attacks against phones.

Infection Chain

The infection starts with downloading a malicious version of SMS Bomber, which contains the tool’s binary and standard functionality. 

The download has been modified to add additional code that injects into a notepad[.]exe process. The downloaded .exe file is the Nimbda loader that has SMS Bomber as an embedded executable.

The Yahoyah variant 

The Nimbda loader injects shellcode inside the notepad process to reach a GitHub repository, gets an obfuscated executable, decodes, and executes it using process hollowing in dllhost[.]exe.

This payload is a new variant of Yahoyah, which collects data about the host and then sends it to the C2 server. The collected information includes MAC address, computer name, and OS version, among others.

The final payload, dropped by the Yahoyah executable, is inserted in a JPG image using steganography. The .exe is spotted as a TClient backdoor, used by Tropic Trooper in several past campaigns.

It is strongly recommended to protect sensitive information with encryption and proper access control.

Indicators of Compromise

  • 8ee94c4d4e13bf59524e1d3eb9c8c846
  • 916e8b1a9d91f3649b33dd8bc0f09a8d
  • 8b7b602e05604f61685a2cbfc16313af
  • 68a3198fd77a063f46a1d3cddb266f02
  • fa9b9fbaf58ad3a1b83c6f98e67446c7
  • ca88c5d5f4409179b3820db7ce6b68fb
  • fc7b582befae6a03830c47fa2a5a8a27
  • a517859ee63713fa364e960def411433
  • 64b9cf63f03eaab3959e20a2cd23b704
  • 7f8b4a962edea1dd9d552fbc907f76bb
  • 4207445f6cddc36d4a22151db7432158
  • 560545cddf3cba248702d0edb7fabff3
  • 87b97be92584f86dc58bf444dfe85f9d
  • 87f62453c5b8d5bd8cc6d599f1326c43
  • 17c87aba7eccc2148672d9e61e509906
  • 1e7df4685b1d4a6886215d2b0a8d9370
  • 8d4e128b6701f70f7337e2a479a7ec5e
  • 4949147393b623d3f99b858bc6467c06
  • 7c4cd57219d560084075beecc81532d7
  • 0cbca21300763c6059ccdf8f0fd46319
  • f58f23c9478ca8d1bbdc7be78e7e42e0
  • 2a68a55b226abc4e7aa940471088ceab
  • 223e675ddbdf74c560886f90fc114297
  • 93f06130c7c17502bcc1a7900057898c
  • 88c92306a190bcf1fd1f54fb327ce124
  • 3de8c5952bf1147839399dde1eb05ce4
  • 2e8a8e03e82649d46c5deee2f54ce470
  • 760a41f6d3cac656d72d8f3d198ab9dd

Domain

  • ak[.]buycheap[.]cn
  • api[.]cnicchina[.]com
  • 45[.]76[.]218[.]247
  • 159[.]75[.]83[.]212
  • 134[.]175[.]197[.]144
  • 106[.]53[.]120[.]204
  • 43[.]129[.]177[.]152
  • 49[.]232[.]142[.]8
  • 82[.]156[.]178[.]135
  • 159[.]75[.]81[.]151
  • 118[.]195[.]161[.]141
  • 159[.]75[.]144[.]13
  • 212[.]182[.]121[.]97
  • 45[.]77[.]178[.]47
  • 155[.]138[.]155[.]181
  • 132[.]232[.]92[.]218
  • 101[.]32[.]36[.]76
  • 43[.]154[.]74[.]7
  • 43[.]154[.]88[.]192
  • 43[.]154[.]85[.]5
  • 43[.]134[.]194[.]237
  • 82[.]157[.]51[.]214
  • 150[.]109[.]114[.]190
  • 82[.]157[.]62[.]199
Tags:

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.

You may have missed

Windows New Privilege Escalation on Sale in dark forum

April 19, 2024

HashiCorp Critical Vulnerability – CVE-2024-3817

April 18, 2024

Cisco Integrated Management Controller Vulnerabilities

April 18, 2024

Windows Kernel Vulnerability – CVE-2024-21338 PoC Exploit Released

April 17, 2024

Cisco Duo Identify Data Breach

April 17, 2024

Tanium new Automate Feature

April 16, 2024

Discover more from TheCyberThrone

Subscribe now to keep reading and get access to the full archive.

Continue reading