Tropic Trooper, a well-known Chinese-speaking cyber espionage gang, has been found to target governments in Malaysia and the Middle East, with a particular emphasis on human rights organisations. This ongoing cyber campaign, which began in June 2023, represents a strategic change for Tropic Trooper, which is now focusing on important governmental sectors handling delicate human rights matters, especially those pertaining to the conflict between Israel and Hamas.
The group has been active since 2011 and is well known for attacking the government, healthcare, transportation, and high-tech sectors across Taiwan, Hong Kong, and the Philippines. It is also tracked under other names, including APT23, Earth Centaur, KeyBoy, and Pirate Panda. This most recent campaign, however, marks a major uptick in its activity as it moves into Middle Eastern geopolitics.
Tropic Trooper used a new China Chopper web shell on an Umbraco CMS server to remotely access compromised systems.
The group's activity was discovered in June 2024. To carry out the attacks, Tropic Trooper deployed a fresh instance of the China Chopper web shell on a public-facing server hosting the open-source content management system (CMS) Umbraco. Chinese-speaking threat actors frequently use China Chopper as a way to access compromised servers remotely.
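A web shell dropped onto a CMS host leaves a distinctive trace in the web server's access log: repeated POST requests, usually with no browser Referer, to a server-side script file that sits outside the paths the application legitimately serves. The following detection sketch is an added example written for this article, not code from the original report or from any vendor; the W3C field layout, the Umbraco path allow-list (`/umbraco/`, `/app_plugins/`) and the sample log lines are all constructed assumptions, and the thresholds are illustrative.

```python
"""
Detection sketch for web-shell-style traffic in IIS W3C access logs.

Added example (not from the original article): flags POST requests to
server-side script files that live outside the paths a legitimate
Umbraco deployment is expected to serve.  The field layout, the path
allow-list and the sample log lines are constructed assumptions.
"""
from collections import defaultdict
from typing import Dict, List, Tuple

# W3C extended field order assumed for the constructed sample below.
FIELDS = ["date", "time", "s-ip", "cs-method", "cs-uri-stem", "cs-uri-query",
          "s-port", "cs-username", "c-ip", "cs(User-Agent)", "cs(Referer)",
          "sc-status", "sc-substatus", "sc-win32-status", "time-taken"]

# Paths where server-side scripts are expected on an Umbraco site (assumption).
KNOWN_SCRIPT_PREFIXES = ("/umbraco/", "/app_plugins/")
SCRIPT_EXTENSIONS = (".aspx", ".ashx", ".asmx", ".php", ".jsp")

# Constructed sample: ordinary CMS traffic plus a cluster of referer-less
# POSTs to an unexpected .aspx file under the media upload directory.
SAMPLE_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2024-06-10 08:00:01 10.0.0.5 GET /umbraco/ - 443 editor 198.51.100.7 Mozilla/5.0 https://cms.example.test/ 200 0 0 120
2024-06-10 08:00:02 10.0.0.5 POST /umbraco/backoffice/UmbracoApi/Content/PostSave - 443 editor 198.51.100.7 Mozilla/5.0 https://cms.example.test/umbraco/ 200 0 0 310
2024-06-10 08:01:10 10.0.0.5 GET /media/1001/report.pdf - 443 - 203.0.113.9 Mozilla/5.0 - 200 0 0 45
2024-06-10 08:05:11 10.0.0.5 POST /media/1002/logo.aspx - 443 - 203.0.113.44 Mozilla/4.0 - 200 0 0 15
2024-06-10 08:05:12 10.0.0.5 POST /media/1002/logo.aspx - 443 - 203.0.113.44 Mozilla/4.0 - 200 0 0 18
2024-06-10 08:05:14 10.0.0.5 POST /media/1002/logo.aspx - 443 - 203.0.113.44 Mozilla/4.0 - 200 0 0 22
2024-06-10 08:07:00 10.0.0.5 GET /media/1002/logo.aspx - 443 - 203.0.113.44 Mozilla/4.0 - 200 0 0 10
"""


def parse_w3c(text: str) -> List[Dict[str, str]]:
    """Parse W3C extended log lines into dicts; '#' lines are directives."""
    rows = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) != len(FIELDS):
            continue  # skip malformed lines rather than crash on them
        rows.append(dict(zip(FIELDS, parts)))
    return rows


def is_unexpected_script(uri_stem: str) -> bool:
    """True for a script-type path outside the paths the CMS is known to serve."""
    stem = uri_stem.lower()
    if not stem.endswith(SCRIPT_EXTENSIONS):
        return False
    return not stem.startswith(KNOWN_SCRIPT_PREFIXES)


def find_webshell_candidates(rows: List[Dict[str, str]],
                             min_posts: int = 2) -> List[Tuple[str, str, int]]:
    """Return (client IP, path, POST count) for unexpected script paths that
    received at least `min_posts` POSTs from one client with no Referer
    (web-shell clients post directly rather than navigating from a page)."""
    counts = defaultdict(int)
    for r in rows:
        if (r["cs-method"] == "POST"
                and is_unexpected_script(r["cs-uri-stem"])
                and r["cs(Referer)"] == "-"):
            counts[(r["c-ip"], r["cs-uri-stem"])] += 1
    return sorted((ip, path, n) for (ip, path), n in counts.items()
                  if n >= min_posts)


if __name__ == "__main__":
    for ip, path, n in find_webshell_candidates(parse_w3c(SAMPLE_LOG)):
        print(f"suspect web shell: {n} referer-less POSTs from {ip} to {path}")
```

On the constructed sample this reports the three POSTs to `/media/1002/logo.aspx` and ignores the editor's legitimate back-office POST. In practice the allow-list should be derived from the deployed application's real script paths, and a hit is a starting point for file-integrity and process-ancestry review on the host, not a verdict on its own.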
The malware implant known as Crowdoor, a variant of the previously identified SparrowDoor backdoor, was delivered through the group's attack chain. Beyond basic backdoor functions, Crowdoor can also act as a loader for the Cobalt Strike penetration testing tool, which gives the attackers persistent access to compromised networks. It also enables them to collect sensitive information, spawn a reverse shell, and remove other malware artefacts in order to evade detection.
This analysis revealed that the attackers likely exploited known vulnerabilities in widely used software, including Adobe ColdFusion and Microsoft Exchange Server, to deploy their web shells. These vulnerabilities have been publicly documented (CVE-2023-26360, CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207), making the systems an accessible target for those familiar with them.
Significantly, this campaign is highly targeted in addition to using sophisticated tactics such as DLL side-loading. By focusing on a particular content management platform that hosted human rights studies, the attackers may have deliberately sought out content concerning sensitive geopolitical issues in the Middle East.
The attackers' attempts to upload updated versions of their malware after it was detected show that they continually adapt their tactics to bypass security controls. Given its long history and expanding reach, Tropic Trooper's activity poses a serious threat to governmental and human rights organisations in the region.