Trend Micro Spots Chinese Hackers Targeting Transportation Sector
Since the middle of 2020, a Chinese state-sponsored threat actor called ‘Tropic Trooper’ has been targeting transportation organizations and government entities related to transportation sector, Trend Micro reports.
Also known as Earth Centaur and KeyBoy, the advanced persistent threat (APT) has been around since 2011, conducting espionage campaigns against organizations in government, healthcare, high-tech, and transportation sectors in Hong Kong, the Philippines, and Taiwan.
As part of the attacks conducted over the past year and a half, Trend Micro warned that the group attempted to access flight schedules, financial plans, and other internal documents at the target organizations, as well as any personal information available on the compromised hosts, including search histories.
Trend Micro’s monitoring of the group revealed red teamwork proficiency, as the adversary can easily bypass security settings, prevent its activities from becoming obstructive, and employ reverse proxies that are used to bypass network security systems.
The APT has also been observed using open-source frameworks, which allows it to easily come up with new backdoor variants, and likely employs the same tactics in attacks on other industries as well, the Trend Micro researchers explained.
Tropic Trooper uses a multi-stage infection process, in which Internet Information Services (IIS) and Microsoft Exchange vulnerabilities (including ProxyLogon) are exploited for intrusion. Next, the attackers install web shells and deploy the Nerapack .NET loader and the Quasar RAT as the first stage malware.
Different types of second-stage backdoors, including ChiserClient and SmileSvr, are deployed, based on the victim. The attackers then begin Active Directory (AD) discovery, leverage Server Message Block (SMB) to spread across the network, and attempt to harvest login credentials.
“We found that the threat group developed multiple backdoors capable of communication via common network protocols. We think this indicates that it has the capability to bypass network security systems by using these common protocols to transfer data. We also found that the group tries to launch various backdoors per victim,” Trend Micro said.
Based on commands received from the command and control (C&C) server, the employed backdoors can download files, write/read files, open command shells for command execution, upload files, list directories and files, and more. Based on the victim, backdoors that support different protocols are used.
“These threat actors are notably sophisticated and well-equipped. Looking deeper into the new methods the group uses, we found that it has an arsenal of tools capable of assessing and then compromising its targets while remaining under the radar,” Trend Micro added.