Tropic Trooper

Tropic Trooper is an unaffiliated threat group that has carried out targeted campaigns in Taiwan, the Philippines, and Hong Kong. Tropic Trooper focuses on the government, healthcare, transportation, and high-tech industries and has been active since 2011.[1][2][3]

ID: G0081
Associated Groups: Pirate Panda, KeyBoy
Contributors: Edward Millington
Version: 1.5
Created: 29 January 2019
Last Modified: 18 April 2024

Associated Group Descriptions

Name Description
Pirate Panda [4]
KeyBoy [2][1]

Techniques Used

Domain ID Name Use
Enterprise T1036 .005 Masquerading: Match Legitimate Name or Location

Tropic Trooper has hidden payloads in Flash directories and fake installer files.[3]

Enterprise T1543 .003 Create or Modify System Process: Windows Service

Tropic Trooper has installed a service pointing to a malicious DLL dropped to disk.[5]

Enterprise T1573 Encrypted Channel

Tropic Trooper has encrypted traffic with the C2 to prevent network detection.[3]

.002 Asymmetric Cryptography

Tropic Trooper has used SSL to connect to C2 servers.[1][3]

Enterprise T1574 .002 Hijack Execution Flow: DLL Side-Loading

Tropic Trooper has been known to side-load DLLs using legitimate Windows Address Book and Windows Defender executables alongside one of their tools.[6][7]

Enterprise T1140 Deobfuscate/Decode Files or Information

Tropic Trooper used shellcode with an XOR algorithm to decrypt a payload. Tropic Trooper also decrypted image files which contained a payload.[2][3]

Enterprise T1547 .001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

Tropic Trooper has created shortcuts in the Startup folder to establish persistence.[7][3]

.004 Boot or Logon Autostart Execution: Winlogon Helper DLL

Tropic Trooper has created the Registry key HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell and set its value to establish persistence.[2][3]
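As an added example (not part of the ATT&CK page or of any cited report), the following Python audits a `reg export` of the Winlogon keys for the Shell and Userinit values the entry above refers to. On a stock install HKLM\...\Winlogon\Shell is `explorer.exe`, Userinit is `C:\Windows\system32\userinit.exe,`, and the per-user HKCU Winlogon key carries no Shell value at all, so the check flags any per-user Shell/Userinit value and any machine-wide value that names a program other than the default. The sample export and the file name in it are constructed for the example; the `C:\Users\Public\Documents\Flash\` directory is taken from the hidden-directory entry elsewhere on this page.

```python
import re
from typing import Dict, List

# Defaults on a stock Windows install; anything beyond these is worth review.
EXPECTED_VALUES = {
    "shell": {"explorer.exe"},
    "userinit": {r"c:\windows\system32\userinit.exe"},
}

SECTION_RE = re.compile(r"^\[(?P<key>[^\]]+)\]\s*$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<data>.*)"\s*$')

# Constructed sample: output of `reg export` for the two Winlogon keys.
# The HKCU Shell value launches a second program besides explorer.exe
# (update.exe is a made-up file name, not an indicator from the reports).
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="explorer.exe, C:\\Users\\Public\\Documents\\Flash\\update.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="explorer.exe"
"Userinit"="C:\\Windows\\system32\\userinit.exe,"
"""


def _unescape_reg_string(data: str) -> str:
    """Undo .reg export escaping: '\\\\' becomes '\\' and '\\"' becomes '"'."""
    return data.replace('\\"', '"').replace("\\\\", "\\")


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Parse the subset of the .reg format needed here: [key] sections with "Name"="string" values."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            current = m.group("key")
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            keys[current][m.group("name")] = _unescape_reg_string(m.group("data"))
    return keys


def audit_winlogon(text: str) -> List[str]:
    """Return one finding string per suspicious Winlogon Shell/Userinit value."""
    findings: List[str] = []
    for key, values in parse_reg_export(text).items():
        if not key.lower().endswith(r"\winlogon"):
            continue
        hive = key.upper()
        per_user = hive.startswith("HKEY_CURRENT_USER") or hive.startswith("HKEY_USERS")
        for name, data in values.items():
            lname = name.lower()
            if lname not in EXPECTED_VALUES:
                continue
            # The values are comma-separated program lists; normalise each entry.
            programs = {p.strip().strip('"').lower() for p in data.split(",") if p.strip()}
            if per_user:
                findings.append(f"{key}\\{name} exists (absent by default): {data}")
            elif programs - EXPECTED_VALUES[lname]:
                findings.append(f"{key}\\{name} lists unexpected program(s): {data}")
    return findings


if __name__ == "__main__":
    for finding in audit_winlogon(SAMPLE_REG_EXPORT):
        print(finding)
```

Only the per-user Shell value is reported for the sample; the machine-wide defaults pass. Running the same audit over exports from a fleet and diffing against a known-good baseline is the practical form of this check.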

Enterprise T1059 .003 Command and Scripting Interpreter: Windows Command Shell

Tropic Trooper has used Windows command scripts.[3]

Enterprise T1203 Exploitation for Client Execution

Tropic Trooper has executed commands through Microsoft security vulnerabilities, including CVE-2017-11882, CVE-2018-0802, and CVE-2012-0158.[1][2]

Enterprise T1071 .001 Application Layer Protocol: Web Protocols

Tropic Trooper has used HTTP in communication with the C2.[7][3]

.004 Application Layer Protocol: DNS

Tropic Trooper's backdoor has communicated to the C2 over the DNS protocol.[3]

Enterprise T1132 .001 Data Encoding: Standard Encoding

Tropic Trooper has used base64 encoding to hide command strings delivered from the C2.[3]

Enterprise T1083 File and Directory Discovery

Tropic Trooper has monitored files' modified time.[3]

Enterprise T1078 .003 Valid Accounts: Local Accounts

Tropic Trooper has used known administrator account credentials to execute the backdoor directly.[3]

Enterprise T1505 .003 Server Software Component: Web Shell

Tropic Trooper has started a web service on the target host that waits for the adversary to connect, acting as a web shell.[3]

Enterprise T1106 Native API

Tropic Trooper has used multiple Windows APIs including HttpInitialize, HttpCreateHttpHandle, and HttpAddUrl.[3]

Enterprise T1221 Template Injection

Tropic Trooper delivered malicious documents with the XLSX extension, typically used by OpenXML documents, but the file itself was actually an OLE (XLS) document.[2]

Enterprise T1027 .003 Obfuscated Files or Information: Steganography

Tropic Trooper has used JPG files with encrypted payloads to mask their backdoor routines and evade detection.[3]
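The deobfuscation entry above (shellcode XOR-decoding a payload, and payloads recovered from image files) and this steganography entry describe the same analyst problem: a JPG that carries an encoded executable. The following Python is an added triage example, not code from the ATT&CK page or the cited reports, and it assumes a scheme the page does not specify: a single-byte XOR key and a payload appended after the JPEG End-Of-Image marker (FF D9). It recovers the key by known plaintext, since any PE file begins with `MZ` and carries the DOS-stub string, and tries every EOI position because EXIF thumbnails embed their own EOI. The sample image and payload are constructed inline.

```python
from typing import Optional, Tuple

JPEG_EOI = b"\xff\xd9"
PE_MAGIC = b"MZ"
DOS_STUB_TEXT = b"This program cannot be run in DOS mode"


def single_byte_xor(data: bytes, key: int) -> bytes:
    """XOR every byte with one key; the operation is its own inverse."""
    return bytes(b ^ key for b in data)


def recover_xor_key(encoded: bytes) -> Optional[Tuple[int, int]]:
    """Brute-force all 256 keys; accept one only if 'MZ' and the DOS-stub text both decode.

    Returns (key, offset_of_MZ_in_encoded) or None. The 38-byte stub string makes an
    accidental match for a wrong key practically impossible.
    """
    if len(encoded) < len(PE_MAGIC) + len(DOS_STUB_TEXT):
        return None
    for key in range(256):
        decoded = single_byte_xor(encoded, key)
        mz = decoded.find(PE_MAGIC)
        if mz >= 0 and DOS_STUB_TEXT in decoded[mz:]:
            return (key, mz)
    return None


def find_encoded_pe(blob: bytes) -> Optional[Tuple[int, int]]:
    """Look after every JPEG EOI marker for a single-byte-XOR-encoded PE.

    Returns (offset_of_MZ_in_blob, key) or None. Every EOI is tried because embedded
    thumbnails carry their own EOI and the encoded payload may contain FF D9 by chance.
    """
    start = 0
    while True:
        eoi = blob.find(JPEG_EOI, start)
        if eoi < 0:
            return None
        hit = recover_xor_key(blob[eoi + 2:])
        if hit is not None:
            key, mz = hit
            return (eoi + 2 + mz, key)
        start = eoi + 1


def build_sample(key: int = 0x5A) -> bytes:
    """Constructed test input: a minimal JPEG-looking prefix followed by a fake XOR-encoded PE."""
    fake_jpeg = (
        b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"  # SOI + APP0
        + b"\x00" * 32  # stand-in for image data
        + JPEG_EOI
    )
    fake_pe = b"MZ\x90\x00" + b"\x00" * 60 + DOS_STUB_TEXT + b".\r\n$" + b"\x00" * 16
    return fake_jpeg + single_byte_xor(fake_pe, key)


if __name__ == "__main__":
    sample = build_sample()
    hit = find_encoded_pe(sample)
    print("no encoded PE found" if hit is None else f"MZ at offset {hit[0]}, XOR key 0x{hit[1]:02x}")
```

Once the key is known, `single_byte_xor(blob[offset:], key)` yields the plain PE for hashing and further analysis. A multi-byte or rolling key defeats this exact check, so a hit is a confirmation, not the absence of one a clearance; an image whose trailing bytes after the final EOI are large and high-entropy still merits a look.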

.013 Obfuscated Files or Information: Encrypted/Encoded File

Tropic Trooper has encrypted configuration files.[1][3]

Enterprise T1204 .002 User Execution: Malicious File

Tropic Trooper has lured victims into executing malware via malicious e-mail attachments.[7]

Enterprise T1070 .004 Indicator Removal: File Deletion

Tropic Trooper has deleted dropper files on an infected system using command scripts.[3]

Enterprise T1082 System Information Discovery

Tropic Trooper has detected a target system’s OS version and system volume information.[8][3]

Enterprise T1033 System Owner/User Discovery

Tropic Trooper used letmein to scan for saved usernames on the target system.[8]

Enterprise T1049 System Network Connections Discovery

Tropic Trooper has tested whether the localhost network is available, along with other connection capabilities, on an infected system using command scripts.[3]

Enterprise T1016 System Network Configuration Discovery

Tropic Trooper has used scripts to collect the host's network topology.[3]

Enterprise T1135 Network Share Discovery

Tropic Trooper used netview to scan target systems for shared resources.[8]

Enterprise T1046 Network Service Discovery

Tropic Trooper used pr and an openly available tool to scan for open ports on target systems.[8][3]

Enterprise T1119 Automated Collection

Tropic Trooper has collected information automatically using the adversary's USBferry attack.[3]

Enterprise T1020 Automated Exfiltration

Tropic Trooper has used a copy function to automatically exfiltrate sensitive data from air-gapped systems using USB storage.[3]

Enterprise T1518 Software Discovery

Tropic Trooper's backdoor could list the infected system's installed software.[3]

.001 Security Software Discovery

Tropic Trooper can search for anti-virus software running on the system.[2]

Enterprise T1105 Ingress Tool Transfer

Tropic Trooper has used a delivered trojan to download additional files.[3]

Enterprise T1057 Process Discovery

Tropic Trooper is capable of enumerating the running processes on the system using pslist.[2][3]

Enterprise T1055 .001 Process Injection: Dynamic-link Library Injection

Tropic Trooper has injected a DLL backdoor into dllhost.exe and svchost.exe.[1][3]

Enterprise T1091 Replication Through Removable Media

Tropic Trooper has attempted to transfer USBferry from an infected USB device by copying an Autorun function to the target machine.[3]

Enterprise T1052 .001 Exfiltration Over Physical Medium: Exfiltration over USB

Tropic Trooper has exfiltrated data using USB storage devices.[3]

Enterprise T1566 .001 Phishing: Spearphishing Attachment

Tropic Trooper sent spearphishing emails that contained malicious Microsoft Office and fake installer file attachments.[2][8][9][7][3]

Enterprise T1564 .001 Hide Artifacts: Hidden Files and Directories

Tropic Trooper has created a hidden directory under C:\ProgramData\Apple\Updates\ and C:\Users\Public\Documents\Flash\.[1][3]

Software

ID Name References Techniques
S0190 BITSAdmin [1] BITS Jobs, Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted Non-C2 Protocol, Lateral Tool Transfer, Ingress Tool Transfer
S0387 KeyBoy [2][9] Credentials from Password Stores: Credentials from Web Browsers, Create or Modify System Process: Windows Service, Boot or Logon Autostart Execution: Winlogon Helper DLL, Command and Scripting Interpreter: Python, Command and Scripting Interpreter: Visual Basic, Command and Scripting Interpreter: PowerShell, Command and Scripting Interpreter: Windows Command Shell, Screen Capture, Data Obfuscation: Protocol or Service Impersonation, File and Directory Discovery, Obfuscated Files or Information: Encrypted/Encoded File, Indicator Removal: Timestomp, System Information Discovery, System Network Configuration Discovery, Ingress Tool Transfer, Input Capture: Keylogging, Inter-Process Communication: Dynamic Data Exchange, Hide Artifacts: Hidden Window
S0012 PoisonIvy [2] Rootkit, Data from Local System, Modify Registry, Create or Modify System Process: Windows Service, Encrypted Channel: Symmetric Cryptography, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Boot or Logon Autostart Execution: Active Setup, Command and Scripting Interpreter: Windows Command Shell, Application Window Discovery, Execution Guardrails: Mutual Exclusion, Data Staged: Local Data Staging, Obfuscated Files or Information, Ingress Tool Transfer, Input Capture: Keylogging, Process Injection: Dynamic-link Library Injection
S0596 ShadowPad [10] Modify Registry, Dynamic Resolution: Domain Generation Algorithms, Deobfuscate/Decode Files or Information, Application Layer Protocol: DNS, Application Layer Protocol: File Transfer Protocols, Application Layer Protocol: Web Protocols, Data Encoding: Non-Standard Encoding, Obfuscated Files or Information: Fileless Storage, Obfuscated Files or Information, Indicator Removal, System Information Discovery, System Owner/User Discovery, System Time Discovery, System Network Configuration Discovery, Ingress Tool Transfer, Process Discovery, Process Injection, Process Injection: Dynamic-link Library Injection, Non-Application Layer Protocol, Scheduled Transfer
S0452 USBferry [3] Data from Local System, Command and Scripting Interpreter: Windows Command Shell, Peripheral Device Discovery, File and Directory Discovery, System Binary Proxy Execution: Rundll32, System Network Connections Discovery, System Network Configuration Discovery, Account Discovery: Local Account, Process Discovery, Remote System Discovery, Replication Through Removable Media
S0388 YAHOYAH [8] Deobfuscate/Decode Files or Information, Application Layer Protocol: Web Protocols, Obfuscated Files or Information: Encrypted/Encoded File, System Information Discovery, Software Discovery: Security Software Discovery, Ingress Tool Transfer

References