June 6, 2023

Researchers have spotted a new campaign linked with the Chinese hacking group, Tropic Trooper. The campaign used the Nimbda loader and a new variant of the Yahoyah trojan.

The attackers extended the AES specification in a custom implementation by performing the inverted sequence of round operations twice. The trojan is bundled SMS Bomber, which is used for DoS attacks against phones.

Infection Chain

The infection starts with downloading a malicious version of SMS Bomber, which contains the tool’s binary and standard functionality. 

The download has been modified to add additional code that injects into a notepad[.]exe process. The downloaded .exe file is the Nimbda loader that has SMS Bomber as an embedded executable.

The Yahoyah variant 

The Nimbda loader injects shellcode inside the notepad process to reach a GitHub repository, gets an obfuscated executable, decodes, and executes it using process hollowing in dllhost[.]exe.

This payload is a new variant of Yahoyah, which collects data about the host and then sends it to the C2 server. The collected information includes MAC address, computer name, and OS version, among others.

The final payload, dropped by the Yahoyah executable, is inserted in a JPG image using steganography. The .exe is spotted as a TClient backdoor, used by Tropic Trooper in several past campaigns.

It is strongly recommended to protect sensitive information with encryption and proper access control.

Indicators of Compromise

  • 8ee94c4d4e13bf59524e1d3eb9c8c846
  • 916e8b1a9d91f3649b33dd8bc0f09a8d
  • 8b7b602e05604f61685a2cbfc16313af
  • 68a3198fd77a063f46a1d3cddb266f02
  • fa9b9fbaf58ad3a1b83c6f98e67446c7
  • ca88c5d5f4409179b3820db7ce6b68fb
  • fc7b582befae6a03830c47fa2a5a8a27
  • a517859ee63713fa364e960def411433
  • 64b9cf63f03eaab3959e20a2cd23b704
  • 7f8b4a962edea1dd9d552fbc907f76bb
  • 4207445f6cddc36d4a22151db7432158
  • 560545cddf3cba248702d0edb7fabff3
  • 87b97be92584f86dc58bf444dfe85f9d
  • 87f62453c5b8d5bd8cc6d599f1326c43
  • 17c87aba7eccc2148672d9e61e509906
  • 1e7df4685b1d4a6886215d2b0a8d9370
  • 8d4e128b6701f70f7337e2a479a7ec5e
  • 4949147393b623d3f99b858bc6467c06
  • 7c4cd57219d560084075beecc81532d7
  • 0cbca21300763c6059ccdf8f0fd46319
  • f58f23c9478ca8d1bbdc7be78e7e42e0
  • 2a68a55b226abc4e7aa940471088ceab
  • 223e675ddbdf74c560886f90fc114297
  • 93f06130c7c17502bcc1a7900057898c
  • 88c92306a190bcf1fd1f54fb327ce124
  • 3de8c5952bf1147839399dde1eb05ce4
  • 2e8a8e03e82649d46c5deee2f54ce470
  • 760a41f6d3cac656d72d8f3d198ab9dd

Domain

  • ak[.]buycheap[.]cn
  • api[.]cnicchina[.]com
  • 45[.]76[.]218[.]247
  • 159[.]75[.]83[.]212
  • 134[.]175[.]197[.]144
  • 106[.]53[.]120[.]204
  • 43[.]129[.]177[.]152
  • 49[.]232[.]142[.]8
  • 82[.]156[.]178[.]135
  • 159[.]75[.]81[.]151
  • 118[.]195[.]161[.]141
  • 159[.]75[.]144[.]13
  • 212[.]182[.]121[.]97
  • 45[.]77[.]178[.]47
  • 155[.]138[.]155[.]181
  • 132[.]232[.]92[.]218
  • 101[.]32[.]36[.]76
  • 43[.]154[.]74[.]7
  • 43[.]154[.]88[.]192
  • 43[.]154[.]85[.]5
  • 43[.]134[.]194[.]237
  • 82[.]157[.]51[.]214
  • 150[.]109[.]114[.]190
  • 82[.]157[.]62[.]199
Tags:

Leave a Reply

You may have missed

Byte Code Bites PYPI

Byte Code Bites PYPI

June 5, 2023
Enzo Biochem Suffers a Data Breach

Enzo Biochem Suffers a Data Breach

June 5, 2023
BlackSuit Ransomware Dissection

BlackSuit Ransomware Dissection

June 4, 2023
TheCyberThrone CyberSecurity Newsletter Top 5 Articles – May, 2023

TheCyberThrone CyberSecurity Newsletter Top 5 Articles – May, 2023

June 4, 2023
Cisco buys Armorblox

Cisco buys Armorblox

June 3, 2023
CISA KEV Update Part I – May 2023

CISA KEV Update Part I – May 2023

June 3, 2023
%d bloggers like this: