Chinese-Speaking Cyber Group Targets Studies on Human Rights in Middle East

September 5, 2024Ravie LakshmananMalware / Human Rights

The focus of a continuous cyber campaign since June 2023 by a cyber group named Tropic Trooper has been on undisclosed governmental bodies in the Middle East and Malaysia.

Kaspersky researcher Sherif Magdy stated, “The sighting of this organization’s [Methods, Approaches, and Strategies] within crucial governmental establishments in the Middle East, especially those connected to research on civil liberties, denotes a fresh tactical maneuver for them.”

Russian cybersecurity firm Kaspersky detected the campaign in June 2024 after identifying a new variant of the China Chopper web shell hosted on a public web server running the open-source content management system (CMS) Umbraco.

The attack chain was designed to implant malware named Crowdoor, a variant of the SparrowDoor backdoor previously documented by ESET in September 2021. These attempts were ultimately unsuccessful.

Tropic Trooper, also tracked as APT23, Earth Centaur, KeyBoy, and Pirate Panda, has been active since 2011 and is known for targeting the government, healthcare, transportation, and technology sectors in Taiwan, Hong Kong, and the Philippines. The group is closely linked to another intrusion set known as FamousSparrow.

The latest intrusion highlighted by Kaspersky is notable for its use of the China Chopper web shell embedded as a .NET module of the Umbraco CMS. The attackers then used that foothold to run tools for network scanning, lateral movement, and defense evasion before delivering Crowdoor via DLL side-loading.

The web shells are believed to have been deployed by exploiting known security vulnerabilities in public-facing web applications such as Adobe ColdFusion (CVE-2023-26360) and Microsoft Exchange Server (CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207).

Crowdoor, first identified in June 2023, serves as a loader to deploy Cobalt Strike and establish persistence on compromised hosts. It also functions as a backdoor capable of collecting sensitive data, launching a reverse shell, deleting other malicious files, and removing itself.

“Upon realizing that their backdoors were detected, the threat actors attempted to upload newer samples to avoid detection, thereby heightening the chances of their new set of samples being discovered in the near future,” Magdy observed.

“The importance of this breach is in the identification of a Chinese-speaking actor targeting a platform that publishes studies on civil liberties in the Middle East, specifically concentrating on the situation surrounding the Israel-Hamas conflict.”

“Our investigation into this incident unveiled that the entire system was the sole focus during the assault, indicating a deliberate emphasis on this particular content.”
