
Tropic Trooper APT Takes Aim at Home Routers, Japanese Targets

Why This Matters

The Tropic Trooper APT's evolving tactics, including targeting home Wi-Fi networks and expanding geographically, highlight the increasing sophistication and reach of cyber espionage campaigns. This development underscores the need for consumers and organizations to strengthen their cybersecurity measures against unconventional and emerging threats. Recognizing these tactics is crucial for proactive defense and safeguarding sensitive information.

Key Takeaways

BLACK HAT ASIA – Singapore – The China-linked advanced persistent threat (APT) known as Tropic Trooper appears to be changing up its tactics, techniques, and procedures (TTPs), with an odd spear-phishing effort that involved compromising a target's home Wi-Fi network.

Tropic Trooper (aka Pirate Panda, KeyBoy, APT23, Bronze Hobart, and Earth Centaur) has been active since at least 2011. The group historically spies on government, military, healthcare, transportation, and high-tech organizations in Taiwan, the Philippines, and Hong Kong, with researchers recently also finding a single campaign in the Mideast. But its latest efforts are aimed at specific individuals in new geographies like Japan, Taiwan, and South Korea, according to recent analysis, indicating an expansion not just of its operational modus operandi, but also of its victim profiles.

According to threat researchers at Japan-based security firm Itochu Cyber & Intelligence, one of the hallmarks of the group is a penchant for using unconventional intrusion vectors, such as physically deploying fake Wi-Fi access points in targeted offices; it's also known for the rapid adoption of novel and open source malware, making it difficult for researchers to keep up with its evolution. That's held true in its most recent campaigns too, where Itochu and Zscaler investigations have uncovered a variety of creative approaches and new malware elements within its attack chain.


Cyber Compromise via Home Wi-Fi Router

In a session this week at Black Hat Asia in Singapore entitled "Tropic Trooper Reloaded: Unraveling the Invisible Supply Chain Mystery," Itochu researchers Suguru Ishimaru and Satoshi Kamekawa detailed a supply chain compromise in which malware was delivered through what seemed like ghostly activity; i.e., there was no indication of where it originated.

"We found a complex infection chain delivering a Cobalt Strike beacon that uses a watermark (520), which Tropic Trooper has used since 2024; so, it can be used as an identifier for the group's activity," explained Ishimaru, from the stage. "But it was a supply chain mystery — the victim appeared to have downloaded a legitimate executable (youdaodict.exe) to update a well-known dictionary app, and there were two very small files in the downloaded update, including a very suspicious .xml file [that was the source of the infection]. We were unsure though of how the update had been compromised in the first place."

A follow-up investigation indicated that unauthorized changes had been made to the target's home router, resulting in the malware infection.


"One year later, the same host was compromised again, with the same infection routine, so we resumed the investigation, and found there to be tampering with the DNS for the software update," Ishimaru explained. "There was the legitimate domain and executable, but the actual IP was changed. Where was the DNS hijacking happening? We traced it back to the victim's home router, which was compromised, and the DNS settings were overwritten to point to an attacker's server in an 'evil twin' attack."
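The hijack described above works because the victim's machine trusts whatever resolver the home router hands out, so a legitimate update domain quietly resolves to an attacker IP. The following is an added example, not code from the article or from Itochu/Zscaler, of two defender-side consistency checks a workstation or a fleet-monitoring script can run: whether the configured resolvers are on an allowlist, and whether the local resolver's answer for a sensitive domain agrees with answers from independent resolvers. All domains, resolver addresses, and IPs below are constructed placeholders, not indicators from the article.

```python
"""
Added example (not part of the original article): detecting router-level DNS
tampering of the kind described, where a software-update domain resolves to an
unexpected address only when queried through the home router's resolver.

Check 1: are the resolvers this host uses on an allowlist (ISP or known public
         resolver), or has the router handed out an unexpected one?
Check 2: does the local resolver's answer for a domain share any IP with the
         answers from independent resolvers? A disjoint answer is a hijack lead.

Every sample value below is constructed; domains use .test and IPs come from
documentation ranges (192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24).
"""
import ipaddress
import re
import socket
from typing import Dict, Iterable, List, Set

# --- constructed sample inputs -------------------------------------------------
SAMPLE_RESOLV_CONF = """\
# constructed sample of /etc/resolv.conf content
nameserver 192.168.1.1
nameserver 203.0.113.53
"""

# Hypothetical allowlist: the router itself plus two public resolvers.
ALLOWED_RESOLVERS = ["192.168.1.1/32", "1.1.1.1/32", "9.9.9.9/32"]

# {domain: {resolver label: set of A records}} as a collector would gather them;
# 'local' is the answer obtained through the home router.
SAMPLE_ANSWERS: Dict[str, Dict[str, Set[str]]] = {
    "update.example-dictionary.test": {          # constructed update domain
        "local":    {"198.51.100.77"},           # router-supplied answer
        "trusted1": {"192.0.2.10", "192.0.2.11"},
        "trusted2": {"192.0.2.10"},
    },
    "www.example.test": {
        "local":    {"192.0.2.20"},
        "trusted1": {"192.0.2.20"},
        "trusted2": {"192.0.2.21", "192.0.2.20"},
    },
}


def parse_resolv_conf(text: str) -> List[str]:
    """Return the nameserver addresses listed in resolv.conf-style text."""
    servers = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()        # drop comments
        m = re.match(r"nameserver\s+(\S+)", line)
        if m:
            servers.append(m.group(1))
    return servers


def unexpected_resolvers(servers: Iterable[str], allowlist: Iterable[str]) -> List[str]:
    """Return configured resolvers that fall outside the allowlisted networks."""
    nets = [ipaddress.ip_network(a, strict=False) for a in allowlist]
    unexpected = []
    for s in servers:
        try:
            addr = ipaddress.ip_address(s)
        except ValueError:
            unexpected.append(s)                    # not a valid address at all
            continue
        if not any(addr in n for n in nets):
            unexpected.append(s)
    return unexpected


def dns_disagreements(answers: Dict[str, Dict[str, Set[str]]],
                      local_label: str = "local") -> Dict[str, Dict[str, Set[str]]]:
    """Flag domains where the local answer shares no IP with any trusted answer."""
    flagged = {}
    for domain, per_resolver in answers.items():
        local = per_resolver.get(local_label, set())
        trusted = set().union(*(ips for label, ips in per_resolver.items()
                                if label != local_label))
        if local and trusted and local.isdisjoint(trusted):
            flagged[domain] = {"local": local, "trusted": trusted}
    return flagged


def local_answer(domain: str) -> Set[str]:
    """Live helper: A records from the host's own (possibly hijacked) resolver."""
    return set(socket.gethostbyname_ex(domain)[2])


if __name__ == "__main__":
    servers = parse_resolv_conf(SAMPLE_RESOLV_CONF)
    print("unexpected resolvers:", unexpected_resolvers(servers, ALLOWED_RESOLVERS))
    for domain, detail in dns_disagreements(SAMPLE_ANSWERS).items():
        print(f"possible DNS hijack for {domain}: local={detail['local']} "
              f"trusted={detail['trusted']}")
    # In a live run, fill the 'local' entry with local_answer(domain) and the
    # trusted entries from resolvers queried directly (e.g. a DoH client).
```

CDN-backed domains can legitimately return different addresses to different resolvers, so a disjoint answer is a lead to investigate, not proof; the authoritative control remains verifying the downloaded update's signature or pinned hash before running it, and periodically reviewing the router's DNS settings and firmware.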
