Tropic Trooper
Associated Group Descriptions |
|
| Name | Description |
|---|---|
| Pirate Panda | (Citation: Crowdstrike Pirate Panda April 2020) |
| KeyBoy | (Citation: Unit 42 Tropic Trooper Nov 2016)(Citation: TrendMicro Tropic Trooper Mar 2018) |
Techniques Used |
||||
| Domain | ID | Name | Use | |
|---|---|---|---|---|
| Enterprise | T1071 | .001 | Application Layer Protocol: Web Protocols |
Tropic Trooper has used HTTP in communication with the C2.(Citation: Anomali Pirate Panda April 2020)(Citation: TrendMicro Tropic Trooper May 2020) |
| .004 | Application Layer Protocol: DNS |
Tropic Trooper's backdoor has communicated to the C2 over the DNS protocol.(Citation: TrendMicro Tropic Trooper May 2020) |
||
| Enterprise | T1547 | .001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder |
Tropic Trooper has created shortcuts in the Startup folder to establish persistence.(Citation: Anomali Pirate Panda April 2020)(Citation: TrendMicro Tropic Trooper May 2020) |
| .004 | Boot or Logon Autostart Execution: Winlogon Helper DLL |
Tropic Trooper has created the Registry key |
||
| Enterprise | T1059 | .003 | Command and Scripting Interpreter: Windows Command Shell |
Tropic Trooper has used Windows command scripts.(Citation: TrendMicro Tropic Trooper May 2020) |
| Enterprise | T1543 | .003 | Create or Modify System Process: Windows Service |
Tropic Trooper has installed a service pointing to a malicious DLL dropped to disk.(Citation: PWC KeyBoys Feb 2017) |
| Enterprise | T1132 | .001 | Data Encoding: Standard Encoding |
Tropic Trooper has used base64 encoding to hide command strings delivered from the C2.(Citation: TrendMicro Tropic Trooper May 2020) |
| Enterprise | T1573 | .002 | Encrypted Channel: Asymmetric Cryptography |
Tropic Trooper has used SSL to connect to C2 servers.(Citation: TrendMicro Tropic Trooper Mar 2018)(Citation: TrendMicro Tropic Trooper May 2020) |
| Enterprise | T1052 | .001 | Exfiltration Over Physical Medium: Exfiltration over USB |
Tropic Trooper has exfiltrated data using USB storage devices.(Citation: TrendMicro Tropic Trooper May 2020) |
| Enterprise | T1564 | .001 | Hide Artifacts: Hidden Files and Directories |
Tropic Trooper has created a hidden directory under |
| Enterprise | T1574 | .002 | Hijack Execution Flow: DLL Side-Loading |
Tropic Trooper has been known to side-load DLLs using a valid version of a Windows Address Book and Windows Defender executable with one of their tools.(Citation: CitizenLab KeyBoy Nov 2016)(Citation: Anomali Pirate Panda April 2020) |
| Enterprise | T1070 | .004 | Indicator Removal: File Deletion |
Tropic Trooper has deleted dropper files on an infected system using command scripts.(Citation: TrendMicro Tropic Trooper May 2020) |
| Enterprise | T1036 | .005 | Masquerading: Match Legitimate Name or Location |
Tropic Trooper has hidden payloads in Flash directories and fake installer files.(Citation: TrendMicro Tropic Trooper May 2020) |
| Enterprise | T1027 | .003 | Obfuscated Files or Information: Steganography |
Tropic Trooper has used JPG files with encrypted payloads to mask their backdoor routines and evade detection.(Citation: TrendMicro Tropic Trooper May 2020) |
| Enterprise | T1566 | .001 | Phishing: Spearphishing Attachment |
Tropic Trooper sent spearphishing emails that contained malicious Microsoft Office and fake installer file attachments.(Citation: Unit 42 Tropic Trooper Nov 2016)(Citation: TrendMicro TropicTrooper 2015)(Citation: CitizenLab Tropic Trooper Aug 2018)(Citation: Anomali Pirate Panda April 2020)(Citation: TrendMicro Tropic Trooper May 2020) |
| Enterprise | T1055 | .001 | Process Injection: Dynamic-link Library Injection |
Tropic Trooper has injected a DLL backdoor into dllhost.exe and svchost.exe.(Citation: TrendMicro Tropic Trooper Mar 2018)(Citation: TrendMicro Tropic Trooper May 2020) |
| Enterprise | T1505 | .003 | Server Software Component: Web Shell |
Tropic Trooper has started a web service in the target host and wait for the adversary to connect, acting as a web shell.(Citation: TrendMicro Tropic Trooper May 2020) |
| Enterprise | T1518 | .001 | Software Discovery: Security Software Discovery |
Tropic Trooper can search for anti-virus software running on the system.(Citation: Unit 42 Tropic Trooper Nov 2016) |
| Enterprise | T1204 | .002 | User Execution: Malicious File |
Tropic Trooper has lured victims into executing malware via malicious e-mail attachments.(Citation: Anomali Pirate Panda April 2020) |
| Enterprise | T1078 | .003 | Valid Accounts: Local Accounts |
Tropic Trooper has used known administrator account credentials to execute the backdoor directly.(Citation: TrendMicro Tropic Trooper May 2020) |
References
- Insikt Group. (2021, February 28). China-Linked Group RedEcho Targets the Indian Power Sector Amid Heightened Border Tensions. Retrieved March 22, 2021.
- Chen, J.. (2020, May 12). Tropic Trooper’s Back: USBferry Attack Targets Air gapped Environments. Retrieved May 20, 2020.
- Moore, S. et al. (2020, April 30). Anomali Suspects that China-Backed APT Pirate Panda May Be Seeking Access to Vietnam Government Data Center. Retrieved May 19, 2020.
- Ray, V. (2016, November 22). Tropic Trooper Targets Taiwanese Government and Fossil Fuel Provider With Poison Ivy. Retrieved November 9, 2018.
- Alintanahin, K. (2015). Operation Tropic Trooper: Relying on Tried-and-Tested Flaws to Infiltrate Secret Keepers. Retrieved June 14, 2019.
- Alexander, G., et al. (2018, August 8). Familiar Feeling: A Malware Campaign Targeting the Tibetan Diaspora Resurfaces. Retrieved June 17, 2019.
- Hulcoop, A., et al. (2016, November 17). It’s Parliamentary KeyBoy and the targeting of the Tibetan Community. Retrieved June 13, 2019.
- Horejsi, J., et al. (2018, March 14). Tropic Trooper’s New Strategy. Retrieved November 9, 2018.
- Parys, B. (2017, February 11). The KeyBoys are back in town. Retrieved June 13, 2019.
- Busselen, M. (2020, April 7). On-demand Webcast: CrowdStrike Experts on COVID-19 Cybersecurity Challenges and Recommendations. Retrieved May 20, 2020.
Мы используем cookie-файлы, чтобы получить статистику, которая помогает нам улучшить сервис для вас с целью персонализации сервисов и предложений. Вы может прочитать подробнее о cookie-файлах или изменить настройки браузера. Продолжая пользоваться сайтом, вы даёте согласие на использование ваших cookie-файлов и соглашаетесь с Политикой обработки персональных данных.