Subject: Tropic Trooper – Exploit Web Facing App
Tactics: TA0001 Initial Access
Technique: T1190 Exploit Public-Facing Application
Procedure:
Tropic Trooper gains initial access by exploiting vulnerabilities in public-facing web applications, including Microsoft Exchange Server. The group relies on known, publicly disclosed vulnerabilities rather than novel ones; CVE-2023-26360 (an Adobe ColdFusion deserialization flaw, not an Exchange bug) is one example. Once a foothold is established they deploy web shells such as “ByPassGodzilla”, a variant of the Godzilla web shell, for follow-on activity.
Vulnerability: EAV0002 When adversaries interact with the environment or personas, they are vulnerable to collecting, or in some way interacting with, manipulated or decoy data. In those cases the data may increase their tolerance for imperfections in the environment and improve the overall believability of the ruse.
Engagement Opportunity:
Deploy a honeypot that mimics a vulnerable Microsoft Exchange Server (an OWA/ECP-style front end on an exposed host). Because the group's initial access depends on probing and exploiting exposed web applications, this can lure Tropic Trooper into interacting with the honeypot, allowing defenders to observe their TTPs, capture the web shells and follow-on payloads they upload, and gather intelligence on their tools and infrastructure.
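As an added example (not code from the linked report and not Tropic Trooper tooling), the following is a minimal low-interaction decoy in Python that answers like an Exchange front end, scores each request, and keeps any uploaded body that matches a web-shell pattern. The URL paths, the IIS banner, the bind address and the scoring thresholds are assumptions to adapt; the rules are generic heuristics, not signatures for a specific exploit.

```python
"""Low-interaction decoy that mimics a Microsoft Exchange Server front end.

Added example for this entry, not code from the linked report or from the actor.
The paths, banner and response bodies are assumptions chosen to resemble
Exchange's OWA/ECP/EWS/Autodiscover surface; the scoring rules are generic
heuristics for web-shell drops, not signatures for one exploit.
"""
import hashlib
import json
import logging
import re
from dataclasses import asdict, dataclass
from http.server import BaseHTTPRequestHandler, HTTPServer
from pathlib import Path

SERVER_BANNER = "Microsoft-IIS/10.0"   # assumed banner, cosmetic only
SAMPLE_DIR = Path("samples")           # where high-severity request bodies are kept

# Paths the decoy answers like a real front end would (assumed set, not exhaustive).
DECOY_PATHS = {
    "/owa/": (200, "text/html", b"<html><head><title>Outlook</title></head><body>Outlook Web App</body></html>"),
    "/owa/auth/logon.aspx": (200, "text/html", b"<html><body><form method='post'>Sign in</form></body></html>"),
    "/ecp/": (401, "text/html", b"401 - Unauthorized"),
    "/ews/exchange.asmx": (401, "text/html", b"401 - Unauthorized"),
    "/autodiscover/autodiscover.xml": (401, "text/xml", b""),
}
IIS_404 = (404, "text/html", b"<html><body><h1>404 - File or directory not found.</h1></body></html>")

# Legitimate Exchange URL trees; anything else is unusual for a real client.
EXCHANGE_TREES = ("/owa/", "/ecp/", "/ews/", "/autodiscover/", "/mapi/", "/rpc/")
SCRIPT_EXT = re.compile(r"\.(aspx|ashx|asmx)$", re.IGNORECASE)


@dataclass
class Event:
    src: str
    method: str
    path: str
    user_agent: str
    body_sha256: str
    severity: str   # "info", "suspicious" or "high"
    reasons: list


def classify_request(src, method, path, headers, body):
    """Score one request. 'high' is reserved for what a web-shell drop or
    web-shell use looks like from the server side: a POST to a server-side
    script path the decoy never advertised."""
    reasons, webshell = [], False
    clean = path.split("?", 1)[0]
    known = clean in DECOY_PATHS
    if not known and not clean.lower().startswith(EXCHANGE_TREES):
        reasons.append("path outside the Exchange URL trees")
    if method == "POST" and not known and SCRIPT_EXT.search(clean):
        reasons.append("POST to an unadvertised server-side script path (web shell pattern)")
        webshell = True
    if method == "POST" and len(body) > 1024 and re.fullmatch(rb"[A-Za-z0-9+/=%&_.-]*", body):
        reasons.append("large opaque POST body (encoded traffic pattern)")
    severity = "high" if webshell else ("suspicious" if reasons else "info")
    return Event(src=src, method=method, path=path,
                 user_agent=headers.get("User-Agent", ""),
                 body_sha256=hashlib.sha256(body).hexdigest(),
                 severity=severity, reasons=reasons)


def decoy_response(path):
    """Return (status, content-type, body) for a path; unknown paths get an IIS-style 404."""
    return DECOY_PATHS.get(path.split("?", 1)[0], IIS_404)


class ExchangeDecoyHandler(BaseHTTPRequestHandler):
    def version_string(self):
        return SERVER_BANNER

    def log_message(self, fmt, *args):
        pass  # structured JSON events replace the default access log

    def _serve(self):
        length = int(self.headers.get("Content-Length") or 0)
        body = self.rfile.read(length) if length > 0 else b""
        headers = {k: v for k, v in self.headers.items()}
        event = classify_request(self.client_address[0], self.command, self.path, headers, body)
        logging.info(json.dumps(asdict(event)))
        if event.severity == "high" and body:
            SAMPLE_DIR.mkdir(exist_ok=True)
            (SAMPLE_DIR / f"{event.body_sha256}.bin").write_bytes(body)  # keep the uploaded payload for analysis
        status, ctype, payload = decoy_response(self.path)
        self.send_response(status)
        self.send_header("Content-Type", ctype)
        self.send_header("X-Powered-By", "ASP.NET")  # assumed, cosmetic
        self.send_header("Content-Length", str(len(payload)))
        self.end_headers()
        self.wfile.write(payload)

    do_GET = _serve
    do_POST = _serve


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO, format="%(asctime)s %(message)s")
    # Assumed bind; put a TLS terminator in front so the decoy is reachable on 443.
    HTTPServer(("0.0.0.0", 8080), ExchangeDecoyHandler).serve_forever()
```

Run it on an otherwise unused host, forward the JSON events to the SIEM, and treat any `high` event as a tasking for malware analysis of the saved body; the decoy never executes what it receives, so the captured sample is safe to handle offline.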
Threat Actor: Tropic Trooper (APT23, also tracked as Pirate Panda and KeyBoy), a Chinese state-sponsored cyber espionage group
Threat Objective:
Espionage and intelligence gathering in support of China’s geopolitical interests, primarily targeting government, healthcare, and military sectors in Southeast Asia.
Deception Opportunity:
Seed decoy documents within the honeypot containing fabricated but plausible government or military information. This can mislead Tropic Trooper, waste their resources, and potentially expose their intelligence requirements: which decoys they open, stage, or exfiltrate indicates what they were sent to collect.
Sensor Data Placement: Application
Observable Level: Core to Adversary-Brought Tool
Scoring Rationale:
The honeypot will capture the specific tools and techniques used by Tropic Trooper (the web shells they drop, the request patterns they use to reach them, and any follow-on payloads), providing valuable insights into their capabilities. These observables are core to their current toolset but may change as they evolve their tactics, so the honeypot's detection logic should be reviewed as new tooling is reported.
Link to Report: https://socradar.io/dark-web-profile-tropic-trooper-apt23/
Link to Report II.:
Additional Comments:
Monitoring the honeypot and analyzing the collected data (request logs, uploaded web shells, follow-on payloads, and the infrastructure they call back to) can help organizations proactively defend against Tropic Trooper’s evolving TTPs and strengthen their security posture.
Possible elements: Honeypot MS Exchange
MSG (Pseudocode):