“Tropic Trooper Monitors Middle Eastern Government Activities”

Tropic Trooper, an APT actor active since 2011, targeted a Middle East government entity in 2024, signaling a shift toward cyber espionage focused on human-rights content. The operation used a new China Chopper web shell variant implanted in a public Umbraco CMS server, followed by post-exploitation tools and DLL search-order hijacking to load Crowdoor loaders through legitimate executables. #TropicTrooper #ChinaChopper #Umbraco #Crowdoor #Fscan #Swor #MiddleEast #Malaysia

Keypoints

  • Group Activity: Tropic Trooper has been active since 2011, targeting government and high-tech sectors in Taiwan, the Philippines, and Hong Kong.
  • Recent Campaigns: In 2024, they targeted a Middle East government entity focusing on human rights studies.
  • Malware Detection: A new variant of the China Chopper web shell was detected on a public server hosting Umbraco CMS.
  • Post-Exploitation Tools: Multiple tools were identified, including Fscan for network scanning and Swor for lateral movement and privilege escalation.
  • DLL Hijacking: New DLL search-order hijacking techniques loaded malicious payloads, including Crowdoor loaders, via legitimate executables.
  • Attribution: The activity is attributed to Tropic Trooper with high confidence, based on overlaps with previous Tropic Trooper campaigns.
  • Motivation: The intrusion appears driven by cyber espionage, particularly targeting sensitive human rights content.

MITRE Techniques

  • [T1505.003] Server Software Component: Web Shell – “Utilization of the China Chopper web shell for remote access.”
  • [T1046] Network Service Discovery – “Deployment of Fscan for network scanning.”
  • [TA0008 / TA0004] Lateral Movement and Privilege Escalation – “Use of Swor for lateral movement and privilege escalation.”
  • [T1574.001] Hijack Execution Flow: DLL Search Order Hijacking – “Loading malicious DLLs through legitimate executables.” and “Abuse of legitimate executables with hijackable DLL search paths to execute payloads.”

Indicators of Compromise

  • [Hash] MD5 – 3f15c4431ad4573344ad56e8384ebd62, a213873eb55dc092ddf3adbeb242bd44 (webshells and loaders)
  • [Hash] SHA-1 – 311d1d50673fbfc40b84d94239cd4fa784269465
  • [Hash] SHA-256 – 8df9fa495892fc3d183917162746ef8fd9e438ff0d639264236db553b09629dc, 23dea3a74e3ff6a367754d02466db4c86ffda47efe09529d3aad52b0d5694b30
  • [File Name] App_Web_dentsd54.dll, datast.dll, datastate.dll, WinStore
  • [File Path] c:\Windows\branding\data, c:\Users\Public\Music\data, c:\sqltools\attunity\cdc\oracle\x64\1033
  • [Domain] techmersion[.]com
  • [IP] 51.195.37[.]155, 162.19.135[.]182
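The indicators above are only useful once they are matched against telemetry. The following Python sweep is an added example, not code from this page or from the Securelist report: it normalises the listed hashes, file names, staging directories (path separators written out), defanged domain and IPs, then hunts for them in key=value host and network events. The log format, host names and every telemetry line are constructed assumptions; the indicator values themselves are copied from the IOC list.

```python
"""Sweep constructed endpoint and network telemetry for the Tropic Trooper
indicators listed above. Added example: indicator values come from the IOC
list; the telemetry lines, host names and log format are constructed."""
import re
from typing import Dict, List, Tuple


def refang(value: str) -> str:
    """Restore a defanged indicator (techmersion[.]com -> techmersion.com)."""
    return value.replace("[.]", ".")


def norm_path(path: str) -> str:
    """Lower-case a Windows path, unify separators and drop a trailing one."""
    return path.replace("/", "\\").lower().rstrip("\\")


# Indicators from the page, normalised once so comparisons are exact.
IOC_HASHES = {
    "3f15c4431ad4573344ad56e8384ebd62",                                   # MD5
    "a213873eb55dc092ddf3adbeb242bd44",                                   # MD5
    "311d1d50673fbfc40b84d94239cd4fa784269465",                           # SHA-1
    "8df9fa495892fc3d183917162746ef8fd9e438ff0d639264236db553b09629dc",   # SHA-256
    "23dea3a74e3ff6a367754d02466db4c86ffda47efe09529d3aad52b0d5694b30",   # SHA-256
}
IOC_FILENAMES = {n.lower() for n in ("App_Web_dentsd54.dll", "datast.dll", "datastate.dll", "WinStore")}
IOC_DIRS = {norm_path(d) for d in (
    r"c:\Windows\branding\data",
    r"c:\Users\Public\Music\data",
    r"c:\sqltools\attunity\cdc\oracle\x64\1033",
)}
IOC_DOMAINS = {refang("techmersion[.]com")}
IOC_IPS = {refang(ip) for ip in ("51.195.37[.]155", "162.19.135[.]182")}

# key=value pairs; quoted values may contain spaces (e.g. "C:\Program Files\...").
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_event(line: str) -> Dict[str, str]:
    """Parse one constructed key=value telemetry line into a dict."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def match_file_event(ev: Dict[str, str]) -> List[str]:
    """Check a file event against file-name, staging-directory and hash indicators."""
    hits: List[str] = []
    path = norm_path(ev.get("path", ""))
    directory, _, name = path.rpartition("\\")
    if name in IOC_FILENAMES:
        hits.append(f"filename:{name}")
    if directory in IOC_DIRS:  # directories where the hijacked-DLL payloads were staged
        hits.append(f"directory:{directory}")
    for algo in ("md5", "sha1", "sha256"):
        digest = ev.get(algo, "").lower()
        if digest in IOC_HASHES:
            hits.append(f"{algo}:{digest}")
    return hits


def match_net_event(ev: Dict[str, str]) -> List[str]:
    """Check a DNS or connection event against the domain and IP indicators."""
    hits: List[str] = []
    query = ev.get("query", "").lower().rstrip(".")  # tolerate a trailing FQDN dot
    if query in IOC_DOMAINS:
        hits.append(f"domain:{query}")
    if ev.get("dst", "") in IOC_IPS:
        hits.append(f"ip:{ev['dst']}")
    return hits


def sweep(lines: List[str]) -> List[Tuple[str, List[str]]]:
    """Return (host, hits) for every telemetry line that matches an indicator."""
    findings: List[Tuple[str, List[str]]] = []
    for line in lines:
        ev = parse_event(line)
        hits = match_file_event(ev) if ev.get("type") == "file" else match_net_event(ev)
        if hits:
            findings.append((ev.get("host", "?"), hits))
    return findings


# Constructed sample telemetry (not from the report); two benign lines included.
SAMPLE_EVENTS = [
    r'type=file host=web01 path="C:\inetpub\wwwroot\bin\App_Web_dentsd54.dll" md5=3f15c4431ad4573344ad56e8384ebd62',
    r'type=file host=db02 path="C:\Windows\branding\data\datast.dll" sha256=8df9fa495892fc3d183917162746ef8fd9e438ff0d639264236db553b09629dc',
    r'type=file host=ws17 path="C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE" md5=d41d8cd98f00b204e9800998ecf8427e',
    'type=dns host=web01 query=techmersion.com.',
    'type=net host=db02 dst=162.19.135.182 dport=443',
    'type=dns host=ws17 query=update.example.com.',
]

if __name__ == "__main__":
    for host, hits in sweep(SAMPLE_EVENTS):
        print(f"{host}: {', '.join(hits)}")
```

Matching on the staging directories as well as on file names catches the DLL search-order hijacking pattern even when a renamed or recompiled loader defeats the hash and name checks; in a real hunt, feed the sweep with EDR file-creation events and DNS or proxy logs in place of the constructed lines.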

Read more: https://securelist.com/new-tropic-trooper-web-shell-infection/113737/