A cyber campaign by a hacker group known as Tropic Trooper has been targeting undisclosed governmental bodies in the Middle East and Malaysia since June 2023.
“The observation of this group’s strategies within critical government organizations in the Middle East, particularly those involved in the analysis of human rights issues, signifies a new strategic direction for them,” mentioned Kaspersky’s cybersecurity expert Sherif Magdy in a report.
The Russian cybersecurity company identified the malicious activity in June 2024, after detecting a fresh version of the China Chopper web shell on a public web server hosting the Umbraco open-source content management system (CMS).
The attack chain aims to deliver a malware implant called Crowdoor, a variant of the SparrowDoor backdoor disclosed by ESET in September 2021. These intrusion attempts were ultimately unsuccessful.
Tropic Trooper, also recognized as APT23, Earth Centaur, KeyBoy, and Pirate Panda, has a history of targeting government institutions, medical facilities, transportation services, and advanced technology sectors in Taiwan, Hong Kong, and the Philippines. This group of Chinese-speaking hackers has been operating since 2011, having close connections with another hacking entity identified as FamousSparrow.
This most recent incident highlighted by Kaspersky is notable for the China Chopper web shell being deployed as a .NET component of the Umbraco CMS, with subsequent misuse leading to the installation of tools for network reconnaissance, lateral movement, and defense evasion, before Crowdoor is launched using DLL side-loading.
It is suspected that the web shells are introduced by exploiting identified security flaws in openly accessible web applications like Adobe ColdFusion (CVE-2023-26360) and Microsoft Exchange Server (CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207).
Crowdoor, first spotted in June 2023, also serves as a loader to deploy Cobalt Strike and maintain persistence on compromised hosts, while also functioning as a backdoor to gather sensitive data, launch a reverse shell, delete other malicious files, and terminate itself.

“Upon realizing that their backdoors had been identified, the threat actors tried to upload fresh samples to avoid detection, hence escalating the chances of detecting their new set of samples shortly,” Magdy explained.
“The importance of this breach lies in the observation of a Chinese-speaking actor targeting a content management system that published reports on human rights in the Middle East, concentrating specifically on the circumstances around the Israel-Hamas conflict.”
“Our investigation of this breach disclosed that this specific content was the sole focus during the attack, showing a deliberate concentration on this particular theme.”