December 7, 2022

TheCyberThrone

Thinking Security ! Always

Tropic Trooper New Espionage Campaign

Researchers have spotted a new campaign linked with the Chinese hacking group, Tropic Trooper. The campaign used the Nimbda loader and a new variant of the Yahoyah trojan.

The attackers extended the AES specification in a custom implementation by performing the inverted sequence of round operations twice. The trojan is bundled SMS Bomber, which is used for DoS attacks against phones.

Infection Chain

The infection starts with downloading a malicious version of SMS Bomber, which contains the tool’s binary and standard functionality. 

The download has been modified to add additional code that injects into a notepad[.]exe process. The downloaded .exe file is the Nimbda loader that has SMS Bomber as an embedded executable.

The Yahoyah variant 

The Nimbda loader injects shellcode inside the notepad process to reach a GitHub repository, gets an obfuscated executable, decodes, and executes it using process hollowing in dllhost[.]exe.

This payload is a new variant of Yahoyah, which collects data about the host and then sends it to the C2 server. The collected information includes MAC address, computer name, and OS version, among others.

The final payload, dropped by the Yahoyah executable, is inserted in a JPG image using steganography. The .exe is spotted as a TClient backdoor, used by Tropic Trooper in several past campaigns.

It is strongly recommended to protect sensitive information with encryption and proper access control.

Indicators of Compromise

  • 8ee94c4d4e13bf59524e1d3eb9c8c846
  • 916e8b1a9d91f3649b33dd8bc0f09a8d
  • 8b7b602e05604f61685a2cbfc16313af
  • 68a3198fd77a063f46a1d3cddb266f02
  • fa9b9fbaf58ad3a1b83c6f98e67446c7
  • ca88c5d5f4409179b3820db7ce6b68fb
  • fc7b582befae6a03830c47fa2a5a8a27
  • a517859ee63713fa364e960def411433
  • 64b9cf63f03eaab3959e20a2cd23b704
  • 7f8b4a962edea1dd9d552fbc907f76bb
  • 4207445f6cddc36d4a22151db7432158
  • 560545cddf3cba248702d0edb7fabff3
  • 87b97be92584f86dc58bf444dfe85f9d
  • 87f62453c5b8d5bd8cc6d599f1326c43
  • 17c87aba7eccc2148672d9e61e509906
  • 1e7df4685b1d4a6886215d2b0a8d9370
  • 8d4e128b6701f70f7337e2a479a7ec5e
  • 4949147393b623d3f99b858bc6467c06
  • 7c4cd57219d560084075beecc81532d7
  • 0cbca21300763c6059ccdf8f0fd46319
  • f58f23c9478ca8d1bbdc7be78e7e42e0
  • 2a68a55b226abc4e7aa940471088ceab
  • 223e675ddbdf74c560886f90fc114297
  • 93f06130c7c17502bcc1a7900057898c
  • 88c92306a190bcf1fd1f54fb327ce124
  • 3de8c5952bf1147839399dde1eb05ce4
  • 2e8a8e03e82649d46c5deee2f54ce470
  • 760a41f6d3cac656d72d8f3d198ab9dd

Domain

  • ak[.]buycheap[.]cn
  • api[.]cnicchina[.]com
  • 45[.]76[.]218[.]247
  • 159[.]75[.]83[.]212
  • 134[.]175[.]197[.]144
  • 106[.]53[.]120[.]204
  • 43[.]129[.]177[.]152
  • 49[.]232[.]142[.]8
  • 82[.]156[.]178[.]135
  • 159[.]75[.]81[.]151
  • 118[.]195[.]161[.]141
  • 159[.]75[.]144[.]13
  • 212[.]182[.]121[.]97
  • 45[.]77[.]178[.]47
  • 155[.]138[.]155[.]181
  • 132[.]232[.]92[.]218
  • 101[.]32[.]36[.]76
  • 43[.]154[.]74[.]7
  • 43[.]154[.]88[.]192
  • 43[.]154[.]85[.]5
  • 43[.]134[.]194[.]237
  • 82[.]157[.]51[.]214
  • 150[.]109[.]114[.]190
  • 82[.]157[.]62[.]199
%d bloggers like this: