
Chinese-speaking hacker group focuses on human rights research in the Middle East.

Unnamed government entities in the Middle East and Malaysia are under a cyber campaign since June 2023 by a threat actor known as Tropic Trooper.

“Noticing this group’s Tactics, Techniques, and Procedures in key governmental organizations in the Middle East, especially those dealing with human rights studies, signifies a new strategic move for them,” Kaspersky security researcher Sherif Magdy stated.

The Russian cybersecurity vendor detected the activity in June 2024, when it identified a new version of the China Chopper web shell, a tool used by many Chinese-speaking threat actors for remote access to compromised servers, on a public web server hosting the open-source content management system (CMS) Umbraco.

The attack sequence was designed to deploy a malware implant named Crowdoor, a variant of the SparrowDoor backdoor disclosed by ESET in September 2021. However, the attempts were not successful.

Tropic Trooper, also known as APT23, Earth Centaur, KeyBoy, and Pirate Panda, is recognized for its focus on government, healthcare, transportation, and high-tech sectors in Taiwan, Hong Kong, and the Philippines. This Chinese-speaking group has been active since 2011, closely connected to another intrusion set identified as FamousSparrow.

The recent intrusion highlighted by Kaspersky embedded the China Chopper web shell as a .NET module of Umbraco CMS; subsequent exploitation led to the use of tools for various actions before Crowdoor was activated through DLL side-loading.

It is suspected that the web shells are delivered by exploiting known security vulnerabilities in publicly accessible web applications like Adobe ColdFusion (CVE-2023-26360) and Microsoft Exchange Server (CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207).

Crowdoor, identified in June 2023, also acts as a loader to introduce Cobalt Strike and maintain control over the infected systems, while also serving as a backdoor to gather confidential data, initiate a reverse shell, delete other malware files, and self-terminate.

“When the actor realized that their backdoors were detected, they attempted to upload new samples to avoid detection, thus raising the risk of their new samples being identified in the near future,” Magdy said.

“The importance of this intrusion lies in the observation of a Chinese-speaking actor targeting a content management platform that published studies on human rights in the Middle East, particularly focusing on the Israel-Hamas conflict situation.”

“Our analysis of this intrusion revealed that the entire system was the sole target during the attack, indicating a deliberate focus on this specific content.”
