Trend Micro researchers Nick Dai, Ted Lee, and Vickie Su wrote in a report published last week, “The group attempted to access some internal documents (such as flight schedules and financial plan documents) as well as personal information on the compromised hosts (such as search histories).”
Since July 2020, the transportation industry and government agencies related to the sector have been the targets of a sophisticated and well-equipped cyber espionage group in what appears to be yet another uptick in malicious activities that are “just the tip of the iceberg.”
Earth Centaur, also known as Pirate Panda and Tropic Trooper, is a long-running threat group focused on information theft and espionage that has led targeted campaigns against Taiwanese government, healthcare, transportation and high-tech industries dating back to 2011.
The researchers reported that, “The group understands how to circumvent security settings and continue operating unhindered. The use of open-source frameworks also allows the group to efficiently develop new backdoor variants.”
In May 2020, the operators were seen fine-tuning their attack strategies with new behaviours by deploying a USB trojan dubbed USBFerry to attack physically isolated networks belonging to government institutions and military entities in Taiwan as well as the Philippines in an attempt to syphon sensitive data via removable flash drives.
The most recent multi-stage intrusion sequence observed by Trend Micro involves the group exploiting vulnerable Internet Information Services (IIS) servers and Exchange server flaws as entry points to install a web shell, which is then used to deliver a .NET-based Nerapack loader and a first-stage backdoor known as Quasar on the compromised system.
The attackers then drop an arsenal of second-stage implants such as ChiserClient, SmileSvr, HTShell, and bespoke versions of Lilith RAT and Gh0st RAT, depending on the victim, to retrieve additional instructions from a remote server, download additional payloads, perform file operations, and execute arbitrary code.
Finally, the researchers concluded that, “The group is capable of mapping their target’s network infrastructure and circumventing firewalls. It employs backdoors with varying protocols that are deployed based on the victim. It can also create customised tools to avoid security monitoring in various environments and it exploits vulnerable websites and uses them as [command-and-control] servers.”
For more cyber security news in crisp content, please follow our site via Twitter handle @cyberworkx1 and LinkedIn handle @linkedin.
Indicators of Compromise

Hashes (SHA-256)

Loaders - Trojan.MSIL.NERAPACK
12425edb2c50eac79f06bf228cb2dd77bb1e847c4c4a2049c91e0c5b345df5f2
321febf2bc5603b58628e3a82fb063027bf175252a3b30869eccb90a78e59582
3ad24a438b9a67e4eff7ca7d34b06d5efc24b824e3e346488d534532faa619da
dd1afc083b7d82444fcec99e01e8293d51f744201cb968346ec334fb5dd32495
e488f0015f14a0eff4b756d10f252aa419bc960050a53cc04699d5cc8df86c8a
6b1b231a7d190651f8c89072e2514aade288dfe6bd87ea62171b6ecffe13d63e
e4a15537f767332a7ed08009f4e0c5a7b65e8cbd468eb81e3e20dc8dfc36aeed
a64e0c21494811ededf5d8af41b00937c1d5787d63dfcc399a7f32c19a553c99

Backdoors - Backdoor.Win64.CHISERCLIENT
ea2264f56ba315c4db49d06cce12365875502686f8f748570cb5a99cb213f008
182f07a00b93a00fae17b33fbfc25931afeddd80f075f241060b4338a49cd5cc
2167855743b9e488ce514c80f246fd5d0973a4296cb565f95517fa1dcfee8f74

Trojan.Win32.SMILESVRDRP
c6cac51035ef7df22c8ff3b5ba204721cdae97bc4728b0de68db1358c0c04035

Backdoor.Win32.SMILESVR
c6f17d39905d2006020c326c13bb514a66bccc5a42d533aade00e09456ca5dec
97e9bf8032e11bb618a77fbe92489e972b0c92e2e30b26f594f6129ee1cec987
507b0280105da31739159703e418e3d1b1e6e6817362bf69e2da3c0b305af605
819afbdc46b3b8f3e4b71e64c48df14ce886a273ce3c93d7a402f4760405b1a4

Backdoor.Win64.LILITH
b3c31192048576591a52bc025e82286d7d32429c2f0991e68d801555b2d74c65

Backdoor.Win32.GH0ST
996aa9c937b610efd1ab5c0ab173fc9fa78a70b423a193c3e2b505519bde7807
7e72ee1052b018250810e41ac01065ebd833293ecfc363415b7d19dd31734d49

Hacking tools - HackTool.MSIL.LOGKILLER
b914087ac90f8aa782ef4c22cee9c458f7bdfc3d37278327aa7e1442011f0e4a

HackTool.Win64.FRP
7ca64c811008e34b5dbb7538fa4bed84c1678ed9813e665071dc0ad0def5b74b

C&C Servers
lastest[.]ctotw[.]tw:443
infos[.]friendship[.]tw:80
citilink[.]dsmtp[.]com:443
flight[.]goldentop[.]tw:80
cart[.]ns02[.]us
webadmin[.]mirrorstorage[.]org:443
api01[.]lflinkup[.]net:80
portal[.]blueraymax[.]com:80
ca[.]threatiy[.]com:443
cb[.]threatiy[.]com:8443
cc[.]threatiy[.]com:8080
193[.]42[.]40[.]126
157[.]119[.]234[.]100
158[.]247[.]199[.]191
45[.]77[.]214[.]244
195[.]123[.]221[.]7:8080
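The indicators above are published defanged, so they cannot be compared with telemetry as-is. The following script is an added example, not code from this article or from Trend Micro's report: it refangs the C&C entries, treats an entry without a port as "any port", and sweeps two constructed inputs, a simple proxy log and a file-hash inventory, for matches against the C&C list and two of the Nerapack loader hashes. The proxy log format, the file paths and the benign digest are all constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Network indicators copied from the article's IoC section, still defanged.
DEFANGED_C2 = [
    "lastest[.]ctotw[.]tw:443", "infos[.]friendship[.]tw:80",
    "citilink[.]dsmtp[.]com:443", "flight[.]goldentop[.]tw:80",
    "cart[.]ns02[.]us", "webadmin[.]mirrorstorage[.]org:443",
    "api01[.]lflinkup[.]net:80", "portal[.]blueraymax[.]com:80",
    "ca[.]threatiy[.]com:443", "cb[.]threatiy[.]com:8443",
    "cc[.]threatiy[.]com:8080", "193[.]42[.]40[.]126",
    "157[.]119[.]234[.]100", "158[.]247[.]199[.]191",
    "45[.]77[.]214[.]244", "195[.]123[.]221[.]7:8080",
]

# Two Nerapack loader SHA-256 hashes from the article, used as a hash watchlist.
LOADER_SHA256 = {
    "12425edb2c50eac79f06bf228cb2dd77bb1e847c4c4a2049c91e0c5b345df5f2",
    "321febf2bc5603b58628e3a82fb063027bf175252a3b30869eccb90a78e59582",
}


@dataclass(frozen=True)
class Indicator:
    host: str
    port: Optional[int]  # None means the indicator matches on any port


def refang(ioc: str) -> str:
    """Undo the [.] defanging so the value can be compared with real telemetry."""
    return ioc.replace("[.]", ".")


def parse_indicator(ioc: str) -> Indicator:
    value = refang(ioc).strip()
    host, sep, port = value.rpartition(":")
    if not sep:  # no port published: match the host on any port
        return Indicator(value.lower(), None)
    return Indicator(host.lower(), int(port))


# Constructed proxy log format: "<timestamp> <client_ip> <method> <host>:<port> <status>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>\S+) (?P<host>[^:\s]+):(?P<port>\d+) (?P<status>\d+)$"
)


def scan_proxy_log(lines: List[str], indicators: List[Indicator]) -> List[Tuple[int, str, str, int]]:
    """Return (line_no, client_ip, host, port) for every line that contacts a listed C&C."""
    ports_by_host: Dict[str, Set[Optional[int]]] = {}
    for ind in indicators:
        ports_by_host.setdefault(ind.host, set()).add(ind.port)
    hits = []
    for line_no, line in enumerate(lines, 1):
        m = LOG_RE.match(line)
        if not m:  # malformed lines are skipped rather than crashing the sweep
            continue
        host, port = m["host"].lower(), int(m["port"])
        ports = ports_by_host.get(host)
        if ports is not None and (None in ports or port in ports):
            hits.append((line_no, m["src"], host, port))
    return hits


def scan_hashes(inventory: Dict[str, str], watchlist: Set[str]) -> List[str]:
    """Return the paths whose SHA-256 digest appears on the watchlist."""
    return sorted(path for path, digest in inventory.items() if digest.lower() in watchlist)


# Constructed sample telemetry: one port-exact hit, one port mismatch, one any-port hit,
# one benign line and one malformed line.
SAMPLE_PROXY_LOG = [
    "2021-12-20T10:15:02Z 10.0.0.23 CONNECT flight.goldentop.tw:80 200",
    "2021-12-20T10:15:09Z 10.0.0.23 CONNECT flight.goldentop.tw:8443 200",
    "2021-12-20T10:16:41Z 10.0.0.57 CONNECT 193.42.40.126:50443 200",
    "2021-12-20T10:17:00Z 10.0.0.23 GET update.example.com:443 200",
    "this line is not a proxy record",
]

# Constructed file inventory; the second digest is a placeholder, not a real file hash.
SAMPLE_INVENTORY = {
    "C:\\ProgramData\\svc\\loader.dll": "12425EDB2C50EAC79F06BF228CB2DD77BB1E847C4C4A2049C91E0C5B345DF5F2",
    "C:\\Windows\\System32\\notepad.exe": "0123456789abcdef" * 4,
}

if __name__ == "__main__":
    c2 = [parse_indicator(x) for x in DEFANGED_C2]
    for hit in scan_proxy_log(SAMPLE_PROXY_LOG, c2):
        print("C&C contact:", hit)
    for path in scan_hashes(SAMPLE_INVENTORY, LOADER_SHA256):
        print("loader hash match:", path)
```

The port rule matters in practice: several entries above publish an explicit port, so a connection to the same host on a different port is reported only if the list also carries a port-less entry for that host. Hashes are compared case-insensitively because inventory tools differ in how they print digests.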