Subject: Tropic Trooper – Campaign
Tactics: TA0009 Collection, TA0001 Initial Access, TA0008 Lateral Movement, TA0003 Persistence, TA0004 Privilege Escalation
Technique: T1020 Automated Exfiltration, T1543.003 Create or Modify System Process: Windows Service, T1567.002 Exfiltration Over Web Service: Exfiltration to Cloud Storage, T1190 Exploit Public-Facing Application, T1574.002 Hijack Execution Flow: DLL Side-Loading, T1566.001 Phishing: Spearphishing Attachment, T1021.002 Remote Services: SMB/Windows Admin Shares, T1505.003 Server Software Component: Web Shell
Procedure:
Tropic Trooper employs a multi-stage attack flow:
- Initial Access: Exploiting vulnerabilities in public-facing applications (notably Microsoft Exchange Server) or delivering spearphishing emails with malicious attachments.
- Persistence: Establishing persistent access with web shells (ChinaChopper and the Godzilla-derived "ByPassGodzilla") on the compromised web server, with backdoors such as Yahoyah, and by creating or modifying Windows services so implants survive reboots.
- Privilege Escalation: Using DLL side-loading (a signed, trusted binary loading an attacker-supplied DLL from its own directory) and abusing system services to run code at higher privilege.
- Lateral Movement: Moving across the network over SMB admin shares (ADMIN$, C$) and other remote services.
- Data Exfiltration: Exfiltrating collected data to cloud storage services or through other automated channels.
Vulnerability:
- EAV0001 When adversaries interact with the environment or personas, they are vulnerable when they collect, observe, or manipulate system artifacts or information. Manipulated data may cause them to reveal behaviors, use additional or more advanced capabilities against the target, and/or impact their dwell time.
- EAV0002 When adversaries interact with the environment or personas, they are vulnerable to collecting, or in some way interacting with, manipulated or decoy data. In those cases the data may increase their tolerance for imperfections in the environment and improve the overall believability of the ruse.
Engagement Opportunity:
- Deploy a multi-layered honeypot environment mimicking a vulnerable network with realistic data and services.
- This environment should simulate various stages of the attack flow, allowing defenders to engage with Tropic Trooper at different points and gather intelligence on their tools and techniques.
- Utilize reverse spearphishing to engage with known or suspected Tropic Trooper operatives.
Threat Actor: Tropic Trooper (APT23)
Threat Objective:
Espionage and intelligence gathering, primarily targeting government, healthcare, and military sectors in Southeast Asia.
Deception Opportunity:
- Seed the honeypot environment with decoy documents and fabricated network traffic to mislead Tropic Trooper.
- Create deceptive network pathways and fake data repositories to divert their attention and waste their resources.
- Utilize deception technologies to dynamically adapt the environment based on Tropic Trooper’s actions, leading them towards dead ends and traps.
Sensor Data Placement: User-Mode
Observable Level: Core to Adversary-Brought Tool
Scoring Rationale:
- User-Mode provides a balanced view: While Kernel-Mode offers the most reliable data, User-Mode still captures crucial events related to process execution, file system activity, and network connections. This is where the majority of Tropic Trooper's TTPs manifest, including malware execution, command-and-control communication, and lateral movement.
- Focusing on Adversary-Brought Tools is key: Tropic Trooper relies on specific malware and tools like "Yahoyah," "ByPassGodzilla," and "ChinaChopper." These tools are core to their current operations and provide valuable indicators of their presence and activity. While these tools might evolve, tracking them offers a significant advantage in detection and response.
By focusing on User-Mode data and observables related to Tropic Trooper’s unique toolset, defenders can effectively monitor and analyze their activities across various stages of the attack flow. This approach allows for a more targeted and efficient analysis while still capturing a significant portion of their malicious behavior.
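As an added worked example (written for this page, not code from the profile or the linked SOCRadar report), the following Python triages constructed User-Mode event records for the observables the attack flow and the scoring rationale above call out: the IIS worker process spawning a shell (web shell, T1505.003), a signed binary outside the system directories loading an unsigned DLL from its own directory (DLL side-loading, T1574.002), command lines that touch ADMIN$/C$/IPC$ (T1021.002), and any access to a seeded decoy document (EAV0002, the engagement opportunity). The event schema is modelled loosely on Sysmon; the host names, paths, decoy documents and sample events are assumptions constructed for the example.

```python
"""Added example: triage of User-Mode telemetry against the Tropic Trooper profile.

Illustration code written for this page, not tooling from the profile or the
linked report. Event fields are modelled loosely on Sysmon (process creation,
image load, file access); hosts, paths and decoy names below are constructed.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Set, Tuple


@dataclass
class Event:
    kind: str                   # "process" | "imageload" | "fileaccess"
    host: str
    image: str                  # full path of the acting process image
    parent: str = ""            # parent image (process events)
    cmdline: str = ""           # command line (process events)
    loaded: str = ""            # module path (imageload events)
    image_signed: bool = True   # Authenticode state of the process image
    loaded_signed: bool = True  # Authenticode state of the loaded module
    target: str = ""            # file path (fileaccess events)


# Observables from the profile. w3wp.exe hosts OWA/ECP, so a web shell dropped on
# an exploited Exchange server executes its commands as a child of that worker.
WEB_WORKERS = {"w3wp.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "cscript.exe", "wscript.exe"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
ADMIN_SHARE = re.compile(r"\\\\[^\\\s]+\\(admin\$|c\$|ipc\$)", re.IGNORECASE)

# Map each finding back to the stage of the attack flow it evidences.
STAGE = {
    "T1505.003": "Persistence",
    "T1574.002": "Privilege Escalation",
    "T1021.002": "Lateral Movement",
    "EAV0002": "Engagement",
}


def _base(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def _dir(path: str) -> str:
    return path.rsplit("\\", 1)[0].lower() + "\\"


def triage(events: Iterable[Event], decoys: Set[str]) -> List[Tuple[str, str, str]]:
    """Return (id, host, detail) for every event matching a profile observable."""
    decoys = {d.lower() for d in decoys}
    hits: List[Tuple[str, str, str]] = []
    for e in events:
        if e.kind == "process":
            # Web shell: the IIS worker has no business spawning a shell.
            if _base(e.parent) in WEB_WORKERS and _base(e.image) in SHELLS:
                hits.append(("T1505.003", e.host,
                             f"{_base(e.parent)} spawned {_base(e.image)}: {e.cmdline}"))
            # Admin-share use (ADMIN$, C$, IPC$) on the command line.
            if ADMIN_SHARE.search(e.cmdline):
                hits.append(("T1021.002", e.host, e.cmdline))
        elif e.kind == "imageload":
            # Side-loading: a signed host binary outside the system directories
            # resolves an unsigned DLL from its own directory.
            same_dir = _dir(e.loaded) == _dir(e.image)
            outside_system = not _dir(e.loaded).startswith(SYSTEM_DIRS)
            if e.image_signed and not e.loaded_signed and same_dir and outside_system:
                hits.append(("T1574.002", e.host, f"{e.image} loaded unsigned {e.loaded}"))
        elif e.kind == "fileaccess":
            # Any touch of a seeded decoy is an engagement event, never benign.
            if e.target.lower() in decoys:
                hits.append(("EAV0002", e.host, f"{_base(e.image)} opened decoy {e.target}"))
    return hits


def stages_reached(hits: List[Tuple[str, str, str]]) -> List[str]:
    """Distinct attack-flow stages evidenced by the hits, in order of first sighting."""
    seen: List[str] = []
    for ident, _, _ in hits:
        stage = STAGE.get(ident, "Unknown")
        if stage not in seen:
            seen.append(stage)
    return seen


# Constructed sample telemetry (not real logs).
DECOY_DOCUMENTS = {r"\\FS01\Finance\FY24_procurement_final.xlsx"}
SAMPLE_EVENTS = [
    Event("process", "EXCH01", r"C:\Windows\System32\inetsrv\w3wp.exe",
          parent=r"C:\Windows\System32\svchost.exe"),                       # benign
    Event("process", "EXCH01", r"C:\Windows\System32\cmd.exe",
          parent=r"C:\Windows\System32\inetsrv\w3wp.exe", cmdline='cmd.exe /c "whoami"'),
    Event("imageload", "WS-117", r"C:\ProgramData\Vendor\updater.exe",
          loaded=r"C:\ProgramData\Vendor\version.dll", loaded_signed=False),
    Event("imageload", "WS-117", r"C:\ProgramData\Vendor\updater.exe",
          loaded=r"C:\Windows\System32\kernel32.dll"),                       # benign
    Event("process", "WS-117", r"C:\Windows\System32\cmd.exe",
          parent=r"C:\Windows\System32\cmd.exe",
          cmdline=r"copy C:\ProgramData\Vendor\updater.exe \\FS01\ADMIN$\svc.exe"),
    Event("fileaccess", "FS01", r"C:\Windows\System32\cmd.exe",
          target=r"\\FS01\Finance\FY24_procurement_final.xlsx"),
]

if __name__ == "__main__":
    found = triage(SAMPLE_EVENTS, DECOY_DOCUMENTS)
    for ident, host, detail in found:
        print(f"{ident:10} {host:7} {detail}")
    print("stages:", " -> ".join(stages_reached(found)))
```

Run on the constructed events, the two benign records (the service host starting w3wp.exe, and the vendor binary loading a signed system DLL) produce no hits, while the remaining four map onto the Persistence, Privilege Escalation, Lateral Movement and Engagement stages in the order the operator reached them. In a real deployment the decoy set would come from the honeypot seeding plan and the signature fields from the sensor, not from constants.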
Link to Report: https://socradar.io/dark-web-profile-tropic-trooper-apt23/
Link to Report II.:
Additional Comments:
Analyzing the data collected from the honeypot environment can help organizations understand Tropic Trooper’s attack patterns, develop proactive defense strategies, and strengthen their overall security posture.
Possible elements:
MSG (Pseudocode):