
Tropic Trooper

Tropic Trooper is an unaffiliated threat group that has run targeted campaigns against organizations in Taiwan, the Philippines, and Hong Kong. Tropic Trooper focuses on the government, healthcare, transportation, and high-tech sectors and has been active since 2011.[1][2]

ID: G0081
Associated Groups: KeyBoy
Contributors: Edward Millington, Bart Parys
Version: 1.2
Created: 29 January 2019
Last Modified: 14 October 2019

Associated Group Descriptions

Name Description
KeyBoy [2][1]

Techniques Used

Domain ID Name Use
Enterprise T1043 Commonly Used Port

Tropic Trooper can use ports 443 and 53 for C2 communications via malware called TClient.[1]

Enterprise T1140 Deobfuscate/Decode Files or Information

Tropic Trooper used shellcode with an XOR algorithm to decrypt a payload.[2]

Enterprise T1073 DLL Side-Loading

Tropic Trooper has been known to side-load DLLs using a valid version of Windows Address Book executable with one of their tools.[5]

Enterprise T1203 Exploitation for Client Execution

Tropic Trooper has executed commands through Microsoft security vulnerabilities, including CVE-2017-11882, CVE-2018-0802, and CVE-2012-0158.[1][2]

Enterprise T1158 Hidden Files and Directories

Tropic Trooper has created a hidden directory under C:\ProgramData\Apple\Updates\.[1]

Enterprise T1046 Network Service Scanning

Tropic Trooper used pr to scan for open ports on target systems.[3]

Enterprise T1135 Network Share Discovery

Tropic Trooper used netview to scan target systems for shared resources.[3]

Enterprise T1050 New Service

Tropic Trooper installs a service pointing to a malicious DLL dropped to disk.[6]

Enterprise T1027 Obfuscated Files or Information

Tropic Trooper has encrypted configuration files.[1]

Enterprise T1057 Process Discovery

Tropic Trooper enumerates the running processes on the system.[2]

Enterprise T1055 Process Injection

Tropic Trooper has injected a DLL backdoor into a file dllhost.exe.[1]

Enterprise T1063 Security Software Discovery

Tropic Trooper searches for anti-virus software running on the system.[2]

Enterprise T1193 Spearphishing Attachment

Tropic Trooper sent spearphishing emails that contained malicious Microsoft Office attachments.[2][3][4]

Enterprise T1032 Standard Cryptographic Protocol

Tropic Trooper uses SSL to connect to C2 servers.[1]

Enterprise T1082 System Information Discovery

Tropic Trooper has detected a target system’s OS version.[3]

Enterprise T1033 System Owner/User Discovery

Tropic Trooper used letmein to scan for saved usernames on the target system.[3]

Enterprise T1221 Template Injection

Tropic Trooper delivered malicious documents with the XLSX extension, which is normally used for Office Open XML workbooks, while the file itself was actually an OLE (legacy XLS) document.[2]
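A mail-gateway or triage check for the extension/container mismatch described above, added here as an example and not part of the ATT&CK page or the cited reports. It relies only on the documented OLE2 and ZIP magic bytes; the sample files are constructed header fragments, and the function and dictionary names are assumptions of this example.

```python
"""Flag Office attachments whose extension does not match their container.

Added example (not from the ATT&CK page). T1221 above describes .xlsx lures
that are really OLE (legacy XLS) containers. The extension tells you nothing;
the leading bytes of the file do. Office opens the file by content, which is
why such a lure still launches in Excel.
"""
from pathlib import PurePath

OLE_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")  # OLE2 compound file header
ZIP_MAGIC = b"PK\x03\x04"                       # ZIP local file header (OOXML)

# Container each extension is expected to use (assumed table for this example).
EXPECTED = {
    ".xls": "ole", ".doc": "ole", ".ppt": "ole",
    ".xlsx": "ooxml", ".xlsm": "ooxml", ".docx": "ooxml",
    ".docm": "ooxml", ".pptx": "ooxml",
}


def container_type(data: bytes) -> str:
    """Return 'ole', 'ooxml' or 'unknown' from the file's leading bytes."""
    if data.startswith(OLE_MAGIC):
        return "ole"
    if data.startswith(ZIP_MAGIC):
        return "ooxml"
    return "unknown"


def check_attachment(name: str, data: bytes) -> dict:
    """Compare the container the extension claims with the real one."""
    expected = EXPECTED.get(PurePath(name).suffix.lower())
    actual = container_type(data)
    return {
        "name": name,
        "expected": expected,
        "actual": actual,
        # Unknown extensions are not judged; only a known, contradicted claim fires.
        "mismatch": expected is not None and actual != expected,
    }


# Constructed samples: headers only, enough to exercise the check.
SAMPLES = {
    "invoice.xlsx": OLE_MAGIC + b"\x00" * 24,        # the T1221 pattern from the page
    "report.xlsx": ZIP_MAGIC + b"\x14\x00\x06\x00",  # genuine OOXML header
    "old.xls": OLE_MAGIC + b"\x00" * 24,             # legacy file, extension honest
}

if __name__ == "__main__":
    for fname, blob in SAMPLES.items():
        r = check_attachment(fname, blob)
        print(f"{fname}: claims {r['expected']}, is {r['actual']}, mismatch={r['mismatch']}")
```

A ZIP header alone does not prove a well-formed workbook, and the OLE signature is shared by .doc, .xls and .ppt, so treat a hit as a triage signal to be followed by full parsing of the container.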

Enterprise T1004 Winlogon Helper DLL

Tropic Trooper creates the Registry key HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell and sets the value to establish persistence.[2]

Software

ID Name References Techniques
S0190 BITSAdmin [1] BITS Jobs, Exfiltration Over Alternative Protocol, Remote File Copy
S0387 KeyBoy [2] [4] Command-Line Interface, Commonly Used Port, Credentials from Web Browsers, Custom Cryptographic Protocol, Dynamic Data Exchange, Exploitation for Client Execution, File and Directory Discovery, Hidden Window, Input Capture, New Service, Obfuscated Files or Information, PowerShell, Remote File Copy, Screen Capture, Scripting, System Information Discovery, System Network Configuration Discovery, Timestomp, Winlogon Helper DLL
S0012 PoisonIvy [2] Application Window Discovery, Command-Line Interface, Data from Local System, Data Staged, Input Capture, Modify Existing Service, Modify Registry, New Service, Obfuscated Files or Information, Process Injection, Registry Run Keys / Startup Folder, Remote File Copy, Rootkit, Standard Cryptographic Protocol, Uncommonly Used Port
S0388 Yahoyah [3] Deobfuscate/Decode Files or Information, Obfuscated Files or Information, Remote File Copy, Security Software Discovery, Standard Application Layer Protocol, System Information Discovery