Unnamed government entities in the Middle East and Malaysia are the target of a persistent cyber campaign orchestrated by a threat actor known as Tropic Trooper since June 2023.
“Sighting this group’s [Tactics, Techniques, and Procedures] in critical governmental entities in the Middle East, particularly those related to human rights studies, marks a new strategic move for them,” Kaspersky security researcher Sherif Magdy said.
The Russian cybersecurity vendor said it detected the activity in June 2024 upon discovering a new version of the China Chopper web Shell, a tool shared by many Chinese-speaking threat actors for remote access to compromised servers, on a public web server hosting an open-source content management system (CMS) called Umbraco.
The attack chain is designed to deliver a malware implant named Crowdoor, a variant of the SparrowDoor backdoor documented by ESET back in September 2021. The efforts were ultimately unsuccessful.
Tropic Trooper, also known by the names APT23, Earth Centaur, KeyBoy, and Pirate Panda, is known for its targeting of government, healthcare, transportation, and high-tech industries in Taiwan, Hong Kong, and the Philippines. The Chinese-speaking collective has been assessed to be active since 2011, sharing close ties with another intrusion set tracked as FamousSparrow.
The latest intrusion highlighted by Kaspersky is significant for compiling the China Chopper web shell as a .NET module of Umbraco CMS, with follow-on exploitation leading to the deployment of tools for network scanning, lateral movement, and defense evasion, before launching Crowdoor using DLL side-loading techniques.
It’s suspected that the web shells are delivered by exploiting known security vulnerabilities in publicly accessible web applications, such as Adobe ColdFusion (CVE-2023-26360) and Microsoft Exchange Server (CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207).
Crowdoor, first observed in June 2023, also functions as a loader to drop Cobalt Strike and maintain persistence on the infected hosts, while also acting as a backdoor to harvest sensitive information, launch a reverse shell, erase other malware files, and terminate itself.
“When the actor became aware that their backdoors were detected, they tried to upload newer samples to evade detection, thereby increasing the risk of their new set of samples being detected in the near future,” Magdy noted.
“The significance of this intrusion lies in the sighting of a Chinese-speaking actor targeting a content management platform that published studies on human rights in the Middle East, specifically focusing on the situation around the Israel-Hamas conflict.”
“Our analysis of this intrusion revealed that this entire system was the sole target during the attack, indicating a deliberate focus on this specific content.”