Tropic Trooper spies on government entities in the Middle East

Sept. 5, 2024, 4:17 p.m.

Description

Tropic Trooper, a Chinese-speaking APT group active since 2011, has expanded its operations to target government entities in the Middle East. The group deployed a new variant of the China Chopper web shell on a compromised Umbraco CMS server, along with other post-exploitation tools and backdoor implants. The attackers used DLL search-order hijacking to load malicious payloads, including a loader called Crowdoor. The campaign focused on cyber espionage, targeting systems related to human rights studies in the region. This marks a strategic shift for Tropic Trooper, previously known for targeting Southeast Asian countries.

External References

https://securelist.com/new-tropic-trooper-web-shell-infection/113737/
https://otx.alienvault.com/pulse/66d9d425653bc60992e5539b
Tags
fscan
china chopper
2024-09-05
web shell
swor
bypassgodzilla
crowdoor
umbraco cms
neo-regeorg

Date

  • Created: Sept. 5, 2024, 3:54 p.m.
  • Published: Sept. 5, 2024, 3:54 p.m.
  • Modified: Sept. 5, 2024, 4:17 p.m.

Indicators

  • 9ba6c63e29b26174e52a519c1afe7a4401e65485fd6ce6a2d574d910dd1d8d22
  • 23dea3a74e3ff6a367754d02466db4c86ffda47efe09529d3aad52b0d5694b30
  • 8df9fa495892fc3d183917162746ef8fd9e438ff0d639264236db553b09629dc
  • 51.195.37.155
  • 162.19.135.182
  • blog.techmersion.com
  • techmersion.com
Download all indicators here!

Attack Patterns

  • China Chopper
  • ByPassGodzilla
  • Neo-reGeorg
  • Swor
  • Crowdoor
  • Tropic Trooper
  • T1505.003
  • T1589
  • T1543.003
  • T1588.002
  • T1059.003
  • T1059.001
  • T1547.001
  • T1574.001
  • T1021
  • T1016
  • T1082
  • T1057
  • T1105
  • T1083
  • T1055
  • T1036
  • T1033
  • T1027
  • T1566

Additional Informations

  • Government
  • Malaysia