Unnamed government entities in the Middle East and Malaysia have been targeted by an ongoing cyber campaign, running since June 2023, attributed to a threat actor known as Tropic Trooper.
“The detection of this group (tactics, methods and procedures) in critical government structures in the Middle East, especially those involved in the study of human rights, represents a new strategic move for them,” said Sherif Magdi, a security researcher at Kaspersky.
The Russian cybersecurity vendor said it detected the activity in June 2024 after discovering a new version of the China Chopper web shell, a tool used by many Chinese-speaking threat actors to remotely access compromised servers, on a public-facing web server hosting an open-source content management system (CMS) called Umbraco.
The attack chain is designed to deliver a malware implant called Crowdoor, a variant of the SparrowDoor backdoor documented by ESET back in September 2021. The efforts were ultimately unsuccessful.
Tropic Trooper, also known as APT23, Earth Centaur, KeyBoy and Pirate Panda, is known for targeting the government, healthcare, transportation and high-tech industries in Taiwan, Hong Kong and the Philippines. The Chinese-speaking group is assessed to have been active since 2011 and shares close ties with another intrusion group tracked as FamousSparrow.
In the latest intrusion observed by Kaspersky, the China Chopper web shell was compiled as a .NET module for the Umbraco CMS, with follow-on activity leading to the deployment of network scanning tools, lateral movement, and defense-evasion steps before Crowdoor was launched via DLL side-loading.
The web shells are suspected to have been delivered by exploiting known security vulnerabilities in public-facing web applications such as Adobe ColdFusion (CVE-2023-26360) and Microsoft Exchange Server (CVE-2021-34473, CVE-2021-34523 and CVE-2021-31207).
Crowdoor, first spotted in June 2023, also functions as a loader to drop Cobalt Strike and maintain persistence on infected hosts, and acts as a backdoor to collect sensitive information, launch a reverse shell, delete other malware files, and terminate itself.
“When the actor became aware that their backdoor was discovered, they attempted to upload new samples to avoid detection, thereby increasing the risk of their new set of samples being discovered in the near future,” Magdi noted.
“The significance of this intrusion is that the Chinese-speaking actor targeted a content management platform that published research on human rights in the Middle East, particularly focusing on the situation surrounding the conflict between Israel and Hamas.”
“Our analysis of this intrusion showed that this entire system was the only target during the attack, indicating a deliberate focus on this particular content.”