Skip to main content

Tropic Trooper Cyber Espionage Hackers Targeting Transportation Sectors; Aerospace, Railways, Ships and Bus Companies.



 The transportation industry and government agencies related to the sector are the victims of an ongoing campaign since July 2020 by a sophisticated and well-equipped cyberespionage group in what appears to be yet another uptick in malicious activities that are "just the tip of the iceberg."


"The group tried to access some internal documents (such as flight schedules and documents for financial plans) and personal information on the compromised hosts (such as search histories)," Trend Micro researchers Nick Dai, Ted Lee, and Vickie Su said in a report published last week.


Earth Centaur, also known by the monikers Pirate Panda and Tropic Trooper, is a long-running threat group focused on information theft and espionage that has led targeted campaigns against government, healthcare, transportation, and high-tech industries in Taiwan, the Philippines, and Hong Kong dating all the way back to 2011.


The hostile agents, believed to be a Chinese-speaking actor, are known for their use of spear-phishing emails with weaponized attachments to exploit known vulnerabilities, while simultaneously advancing their malicious tools with obfuscation, stealthiness, and striking power.


"This threat group is proficient at red teamwork," the researchers elaborated. "The group knows how to bypass security settings and keep its operation unobstructive. The usage of the open-source frameworks also allows the group to develop new backdoor variants efficiently."


In May 2020, the operators were observed fine-tuning their attack strategies with new behaviors by deploying a USB trojan dubbed USBFerry to strike physically isolated networks belonging to government institutions and military entities in Taiwan and the Philippines in a bid to siphon sensitive data through removable flash drives.


The latest multi-stage intrusion sequence detailed by Trend Micro involves the group turning to exploit vulnerable Internet Information Services (IIS) servers and Exchange server flaws as entry points to install a web shell that's then leveraged to deliver a .NET-based Nerapack loader and a first-stage backdoor known as Quasar on the compromised system.


From there, the attackers follow it up by dropping an arsenal of second-stage implants like ChiserClient, SmileSvr, ChiserClient, HTShell, and bespoke versions of Lilith RAT and Gh0st RAT depending on the victim to retrieve further instructions from a remote server, download additional payloads, perform file operations, execute arbitrary commands, and exfiltrate results back to the server.


It doesn't end there. After successful exploitation of the system, Tropic Trooper also attempts to breach the intranet, dump credentials, and wipe out event logs from the infected machines using a specific set of tools. Also put to use is a command-line program called Rclone that enables the actor to copy harvested data to different cloud storage providers.


Prevent Data Breaches

"Currently, we have not discovered substantial damage to these victims as caused by the threat group," Trend Micro's analysts explained. "However, we believe that it will continue collecting internal information from the compromised victims and that it is simply waiting for an opportunity to use this data."


The findings are noteworthy because of the steps the advanced persistent threat (APT) takes to avoid detection and the critical nature of the targeted entities, not to mention the new capabilities developed for their malicious software to linger on infected hosts and avoid detection.


"The group can map their target's network infrastructure and bypass firewalls," the researchers said. "It uses backdoors with different protocols, which are deployed depending on the victim. It also has the capability to develop customized tools to evade security monitoring in different environments, and it exploits vulnerable websites and uses them as [command-and-control] servers."


#THN


#osutayusuf

Comments

Post a Comment

Popular posts from this blog

Vurra Constituency MP Adriko Yovan gets six months imprisonment for failing to repay loan.

📸: Hon Adriko Yovan. Story By Andrew Cohen Amvesi. ARUA . Yovan Adriko, the Vurra County Member of Parliament (MP) in Arua district has been committed to six months civil prison for failing to clear debts amounting to shs55,677,400. Adriko was on Thursday evening sent to Arua government prison to serve six months shortly after his arrest at Slumberland hotel in Arua City. MP Adriko warrant of committal judgement debtor to jail. Paul Mawa of T/A Vitality Associates, the court bailiff assigned to arrest the MP, duped him to come and pick some money for a land transaction at Slumberland hotel where he picked him like a baby after a long hunt. Adriko was immediately arraigned before Her Worship Karungi Leo, the Deputy Registrar of Arua High Court who later committed him to imprisonment not exceeding six months. Part of Adriko’s warrant of arrest issued b court Adriko was sent to the coolers for failing to clear shs48m which is the princip
1 comment
Read more

Arrested Arua City Officials Taken to Kampala this Night.

Wednesday 8-November-2023. 📸: The arrest of Arua City Physical Planner Mr Findru Moses on 6-Nov-2023 at around 2pm. 📸: Mr Jobile Cornelius the City Deputy town clerk who was arrested on 7-Nov-2023 at around 4pm. 📸: Mrs Lillian Aleni (in red cloth) and Mr Edoni Benard being handcuffed by police officer on 6-Nov-2023 at around 6pm. The bail that was to be issued last night 8pm 7-Nov-2023 to release the arrested City Deputy town clerk Mr Jobile Cornelius and CFO Mr Sam Adriko over mismanagement of government properties and monies was canceled, and by this time of the night 11pm, highly placed sources leaked that, all the arrested suspects (Mr Findru Moses the Arua City Physical Planner, Mr Jobile Cornelius the Deputy City clerk, Mr Adriko Sam the CFO, Mr Edoni Benard the PDM BOG Chairperson for Pangisa ward and Mrs Lillian Aleni the parish chief for Pangisa ward) are being transported by State House Anti-corruption Unit officers who will soon be reac
Post a Comment
Read more

Wedded Ayivu West MP Lematia John Fights Over Another Woman.

  📸: Hon Lematia John. By URN. Police in Arua district are investigating a case of assault and threatening violence involving the Member of Parliament for Ayivu West Constituency John Lematia and James Ariko, a DSTV technician in Arua city. Drama ensued on Easter Sunday 31-3-2024 at Dream Land Hotel located at Kuluva trading center along Arua-Nebbi highway in Arua district when the legislator and the technician engaged in a fight reportedly over a woman identified as Faith Eyotaru 25, a relationship officer at Victoria University Kampala. The scuffle started after Ayivu West Mp John Lematia went to swim at Dreamland Hotel with Faith Eyotaru only to find Ariko, who had gone to the same hotel earlier. However, upon seeing the duo coming out of the vehicle, Ariko confronted Lematia with both men claiming to be having a relationship with the lady. It took the intervention of the staff at the hotel who intervened and separated the fight between the men. Josephine Angucia, the West Nile re
Post a Comment
Read more