Cервис управления информационной безопасностью
Cервис управления информационной безопасностью
Вход Регистрация
MITRE ATT&CK - Преступная группа Tropic Trooper
Каталоги
MITRE ATT&CK
БДУ ФСТЭК
Новая БДУ ФСТЭК
Риски
Каталоги
MITRE ATT&CK
Преступная группа
Tropic Trooper
Куда я попал?
SECURITM это SGRC система, ? автоматизирующая процессы в службах информационной безопасности. SECURITM помогает построить и управлять ИСПДн, КИИ, ГИС, СМИБ/СУИБ, банковскими системами защиты.
А еще SECURITM это место для обмена опытом и наработками для служб безопасности.
Подробнее
Наш канал

Tropic Trooper

Tropic Trooper is an unaffiliated threat group that has led targeted campaigns against targets in Taiwan, the Philippines, and Hong Kong. Tropic Trooper focuses on targeting government, healthcare, transportation, and high-tech industries and has been active since 2011.(Citation: TrendMicro Tropic Trooper Mar 2018)(Citation: Unit 42 Tropic Trooper Nov 2016)(Citation: TrendMicro Tropic Trooper May 2020)
ID: G0081
Associated Groups: Pirate Panda, KeyBoy
Version: 1.4
Created: 29 Jan 2019
Last Modified: 26 Apr 2021

Associated Group Descriptions
Name Description
Pirate Panda (Citation: Crowdstrike Pirate Panda April 2020)
KeyBoy (Citation: Unit 42 Tropic Trooper Nov 2016)(Citation: TrendMicro Tropic Trooper Mar 2018)

Techniques Used
Domain ID Name Use
Enterprise T1071 .001 Application Layer Protocol: Web Protocols

Tropic Trooper has used HTTP in communication with the C2.(Citation: Anomali Pirate Panda April 2020)(Citation: TrendMicro Tropic Trooper May 2020)
.004 Application Layer Protocol: DNS

Tropic Trooper's backdoor has communicated to the C2 over the DNS protocol.(Citation: TrendMicro Tropic Trooper May 2020)

Enterprise T1547 .001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

Tropic Trooper has created shortcuts in the Startup folder to establish persistence.(Citation: Anomali Pirate Panda April 2020)(Citation: TrendMicro Tropic Trooper May 2020)
.004 Boot or Logon Autostart Execution: Winlogon Helper DLL

Tropic Trooper has created the Registry key HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell and sets the value to establish persistence.(Citation: Unit 42 Tropic Trooper Nov 2016)(Citation: TrendMicro Tropic Trooper May 2020)

Enterprise T1059 .003 Command and Scripting Interpreter: Windows Command Shell

Tropic Trooper has used Windows command scripts.(Citation: TrendMicro Tropic Trooper May 2020)

Enterprise T1543 .003 Create or Modify System Process: Windows Service

Tropic Trooper has installed a service pointing to a malicious DLL dropped to disk.(Citation: PWC KeyBoys Feb 2017)
Enterprise T1132 .001 Data Encoding: Standard Encoding

Tropic Trooper has used base64 encoding to hide command strings delivered from the C2.(Citation: TrendMicro Tropic Trooper May 2020)
Enterprise T1573 .002 Encrypted Channel: Asymmetric Cryptography

Tropic Trooper has used SSL to connect to C2 servers.(Citation: TrendMicro Tropic Trooper Mar 2018)(Citation: TrendMicro Tropic Trooper May 2020)
Enterprise T1052 .001 Exfiltration Over Physical Medium: Exfiltration over USB

Tropic Trooper has exfiltrated data using USB storage devices.(Citation: TrendMicro Tropic Trooper May 2020)

Enterprise T1564 .001 Hide Artifacts: Hidden Files and Directories

Tropic Trooper has created a hidden directory under C:\ProgramData\Apple\Updates\ and C:\Users\Public\Documents\Flash\.(Citation: TrendMicro Tropic Trooper Mar 2018)(Citation: TrendMicro Tropic Trooper May 2020)
Enterprise T1574 .002 Hijack Execution Flow: DLL Side-Loading

Tropic Trooper has been known to side-load DLLs using a valid version of a Windows Address Book and Windows Defender executable with one of their tools.(Citation: CitizenLab KeyBoy Nov 2016)(Citation: Anomali Pirate Panda April 2020)
Enterprise T1070 .004 Indicator Removal: File Deletion

Tropic Trooper has deleted dropper files on an infected system using command scripts.(Citation: TrendMicro Tropic Trooper May 2020)

Enterprise T1036 .005 Masquerading: Match Legitimate Name or Location

Tropic Trooper has hidden payloads in Flash directories and fake installer files.(Citation: TrendMicro Tropic Trooper May 2020)
Enterprise T1027 .003 Obfuscated Files or Information: Steganography

Tropic Trooper has used JPG files with encrypted payloads to mask their backdoor routines and evade detection.(Citation: TrendMicro Tropic Trooper May 2020)
Enterprise T1566 .001 Phishing: Spearphishing Attachment

Tropic Trooper sent spearphishing emails that contained malicious Microsoft Office and fake installer file attachments.(Citation: Unit 42 Tropic Trooper Nov 2016)(Citation: TrendMicro TropicTrooper 2015)(Citation: CitizenLab Tropic Trooper Aug 2018)(Citation: Anomali Pirate Panda April 2020)(Citation: TrendMicro Tropic Trooper May 2020)
Enterprise T1055 .001 Process Injection: Dynamic-link Library Injection

Tropic Trooper has injected a DLL backdoor into dllhost.exe and svchost.exe.(Citation: TrendMicro Tropic Trooper Mar 2018)(Citation: TrendMicro Tropic Trooper May 2020)
Enterprise T1505 .003 Server Software Component: Web Shell

Tropic Trooper has started a web service in the target host and wait for the adversary to connect, acting as a web shell.(Citation: TrendMicro Tropic Trooper May 2020)

Enterprise T1518 .001 Software Discovery: Security Software Discovery

Tropic Trooper can search for anti-virus software running on the system.(Citation: Unit 42 Tropic Trooper Nov 2016)
Enterprise T1204 .002 User Execution: Malicious File

Tropic Trooper has lured victims into executing malware via malicious e-mail attachments.(Citation: Anomali Pirate Panda April 2020)
Enterprise T1078 .003 Valid Accounts: Local Accounts

Tropic Trooper has used known administrator account credentials to execute the backdoor directly.(Citation: TrendMicro Tropic Trooper May 2020)

Software
ID Name References Techniques
S0387 KeyBoy (Citation: CitizenLab KeyBoy Nov 2016) (Citation: CitizenLab Tropic Trooper Aug 2018) (Citation: PWC KeyBoys Feb 2017) (Citation: Rapid7 KeyBoy Jun 2013) (Citation: Unit 42 Tropic Trooper Nov 2016) System Network Configuration Discovery, System Information Discovery, Windows Service, Python, Hidden Window, Protocol Impersonation, Keylogging, Obfuscated Files or Information, Timestomp, Ingress Tool Transfer, File and Directory Discovery, Visual Basic, Dynamic Data Exchange, PowerShell, Screen Capture, Windows Command Shell, Credentials from Web Browsers, Winlogon Helper DLL, Commonly Used Port
S0190 BITSAdmin (Citation: Microsoft BITSAdmin) (Citation: TrendMicro Tropic Trooper Mar 2018) Lateral Tool Transfer, Exfiltration Over Unencrypted Non-C2 Protocol, Ingress Tool Transfer, BITS Jobs
S0452 USBferry (Citation: TrendMicro Tropic Trooper May 2020) Local Account, Remote System Discovery, File and Directory Discovery, Peripheral Device Discovery, System Network Configuration Discovery, Windows Command Shell, Replication Through Removable Media, Rundll32, Data from Local System, Process Discovery, System Network Connections Discovery
S0012 PoisonIvy (Citation: Breut) (Citation: Darkmoon) (Citation: FireEye Poison Ivy) (Citation: Novetta-Axiom) (Citation: Poison Ivy) (Citation: Symantec Darkmoon Aug 2005) (Citation: Symantec Darkmoon Sept 2014) (Citation: Symantec Elderwood Sept 2012) (Citation: Unit 42 Tropic Trooper Nov 2016) Windows Service, Modify Registry, Uncommonly Used Port, Registry Run Keys / Startup Folder, Obfuscated Files or Information, Keylogging, Active Setup, Dynamic-link Library Injection, Local Data Staging, Windows Command Shell, Ingress Tool Transfer, Symmetric Cryptography, Data from Local System, Application Window Discovery, Rootkit
S0388 YAHOYAH (Citation: TrendMicro TropicTrooper 2015) System Information Discovery, Ingress Tool Transfer, Security Software Discovery, Deobfuscate/Decode Files or Information, Web Protocols, Obfuscated Files or Information
S0596 ShadowPad (Citation: FireEye APT41 Aug 2019) (Citation: Kaspersky ShadowPad Aug 2017) (Citation: POISONPLUG.SHADOW) (Citation: Recorded Future RedEcho Feb 2021) (Citation: Securelist ShadowPad Aug 2017) System Owner/User Discovery, Modify Registry, System Time Discovery, Indicator Removal, Deobfuscate/Decode Files or Information, Indicator Removal, System Network Configuration Discovery, Scheduled Transfer, Process Discovery, DNS, Non-Standard Encoding, File Transfer Protocols, Non-Application Layer Protocol, Obfuscated Files or Information, Web Protocols, Process Injection, System Information Discovery, Domain Generation Algorithms, Ingress Tool Transfer, Dynamic-link Library Injection

References

  1. Insikt Group. (2021, February 28). China-Linked Group RedEcho Targets the Indian Power Sector Amid Heightened Border Tensions. Retrieved March 22, 2021.
  2. Chen, J.. (2020, May 12). Tropic Trooper’s Back: USBferry Attack Targets Air gapped Environments. Retrieved May 20, 2020.
  3. Moore, S. et al. (2020, April 30). Anomali Suspects that China-Backed APT Pirate Panda May Be Seeking Access to Vietnam Government Data Center. Retrieved May 19, 2020.
  4. Ray, V. (2016, November 22). Tropic Trooper Targets Taiwanese Government and Fossil Fuel Provider With Poison Ivy. Retrieved November 9, 2018.
  5. Alintanahin, K. (2015). Operation Tropic Trooper: Relying on Tried-and-Tested Flaws to Infiltrate Secret Keepers. Retrieved June 14, 2019.
  6. Alexander, G., et al. (2018, August 8). Familiar Feeling: A Malware Campaign Targeting the Tibetan Diaspora Resurfaces. Retrieved June 17, 2019.
  7. Hulcoop, A., et al. (2016, November 17). It’s Parliamentary KeyBoy and the targeting of the Tibetan Community. Retrieved June 13, 2019.
  8. Horejsi, J., et al. (2018, March 14). Tropic Trooper’s New Strategy. Retrieved November 9, 2018.
  9. Parys, B. (2017, February 11). The KeyBoys are back in town. Retrieved June 13, 2019.
  10. Busselen, M. (2020, April 7). On-demand Webcast: CrowdStrike Experts on COVID-19 Cybersecurity Challenges and Recommendations. Retrieved May 20, 2020.
Навигация

Мы используем cookie-файлы, чтобы получить статистику, которая помогает нам улучшить сервис для вас с целью персонализации сервисов и предложений. Вы может прочитать подробнее о cookie-файлах или изменить настройки браузера. Продолжая пользоваться сайтом, вы даёте согласие на использование ваших cookie-файлов и соглашаетесь с Политикой обработки персональных данных.