Chinese APT Tropic Trooper target air-gapped military Networks in Asia

Chinese threat actors, tracked as Tropic Trooper and KeyBoy, has been targeting air-gapped military networks in Taiwan and the Philippines.

Chinese APT group Tropic Trooper, aka KeyBoy, has been targeting air-gapped military networks in Taiwan and the Philippines, Trend Micro researchers reported.

The Tropic Trooper APT that has been active at least since 2011, it was first spotted in 2015 by security experts at Trend Micro when it targeted government ministries and heavy industries in Taiwan and the military in the Philippines.

The threat actor targeted government offices, military, healthcare, transportation, and high-tech industries in Taiwan, the Philippines, and Hong Kong.

Since December 2014, the threat actors are using a malware dubbed USBferry in attacks against military/navy agencies, government institutions, military hospitals, and also a national bank.

“Recently, we discovered the Tropic Trooper group targeting Taiwanese and the Philippine military’s physically isolated environment using a USBferry attack (the name derived from a sample found in a related research).” reads the analysis published by Trend Micro. “USBferry has variants that perform different commands depending on specific targets; it can also combine capabilities, improve its stealth in infected environments, and steal critical information through USB storage”

The USBferry USB malware could execute various commands on specific the infected system and allow to exfiltrate sensitive data through USB storage.

According to Trend Micro’s telemetry, attacks that employ USBferry attack are ongoing since December 2014 and has been targeting military or government users located in Asia.

The malware was first mentioned in a PwC report that attributes it to Tropic Trooper APT, but that did not include a detailed analysis.

The attackers would first target organizations related to military or government that implements fewer security measures compared with the real targets, then they attempt to use them as a proxy to the final target. In one case, the hackers compromised a military hospital and used it to move to the military’s physically isolated network.

Trend Micro researchers identified at least three versions of the malware with different variants and components.”

“Tropic Trooper uses the old way of achieving infection: by ferrying the installer into an air-gapped host machine via USB.” continues the report. “They employ the USB worm infection strategy using the USB device to carry the malware into the target’s computer and facilitate a breach into the secure network environment.”

The group used “tracert” and “ping” commands to map the target’s network
architecture (i.e. “tracert -h 8 8.8.8.8” collects the route (path) and measures transit delays of packets across an Internet Protocol (IP) network, while pings allow testing the target network’s connectivity).

The attackers attempted to determine if the infected machine has access to the internal network and the target mail portal.

In the absence of network connectivity, the malware collects information from the machine and copy the data to the USB drive.

The experts also discovered that the hackers use different backdoors in a recent attack, including WelCome To Svchost, Welcome To IDShell, and Hey! Welcome Server.

The arsenal of the APT group includes scanning tools, a command-line remote control listener/port relay tool, and backdoor payload/steganography payload execution loaders.

“This targeted attack operation can be broken down into four important points.” concludes the report. “First, putting critical data in physically isolated networks is not an overarching solution for preventing cyberespionage activities. Second, their preferred technique of steganography isn’t just used to deliver payloads, but also for sending information back to the C&C server. Third, several hacking tools and components can be used to fulfill attacks in different target networks and environments. These tools and components also have a selfdelete command to make it tricky to trace the attack chain and all the related factors. Lastly, using an invisible web shell hides their C&C server location and makes detecting malicious traffic more difficult for network protection products“

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – Tropic Trooper, hacking)

[adrotate banner=”5″]

[adrotate banner=”13″]