Tropic Trooper

Tropic Trooper is an unaffiliated threat group that has led campaigns against targets in Taiwan, the Philippines, and Hong Kong. Tropic Trooper focuses on the government, healthcare, transportation, and high-tech sectors and has been active since 2011.[1][2]

ID: G0081
Version: 1.0

Associated Group Descriptions

Name   | Description
KeyBoy | [2]

Techniques Used

Domain     | ID    | Name                                      | Use
Enterprise | T1197 | BITS Jobs                                 | Tropic Trooper has leveraged the BITSadmin command-line tool to create a job and launch a malicious process.[1]
Enterprise | T1043 | Commonly Used Port                        | Tropic Trooper can use ports 443 and 53 for C2 communications via malware called TClient.[1]
Enterprise | T1140 | Deobfuscate/Decode Files or Information   | Tropic Trooper used shellcode with an XOR algorithm to decrypt a payload.[2]
Enterprise | T1203 | Exploitation for Client Execution         | Tropic Trooper has executed commands through Microsoft security flaws, including CVE-2017-11882, CVE-2018-0802, and CVE-2012-0158.[1][2]
Enterprise | T1158 | Hidden Files and Directories              | Tropic Trooper has created a hidden directory under C:\ProgramData\Apple\Updates\.[1]
Enterprise | T1027 | Obfuscated Files or Information           | Tropic Trooper has encrypted configuration files.[1]
Enterprise | T1057 | Process Discovery                         | Tropic Trooper enumerates the running processes on the system.[2]
Enterprise | T1055 | Process Injection                         | Tropic Trooper has injected a DLL backdoor into a file dllhost.exe.[1]
Enterprise | T1063 | Security Software Discovery               | Tropic Trooper searches for anti-virus software running on the system.[2]
Enterprise | T1193 | Spearphishing Attachment                  | Tropic Trooper sent spearphishing emails that contained malicious Microsoft Office attachments.[2]
Enterprise | T1032 | Standard Cryptographic Protocol           | Tropic Trooper uses SSL to connect to C2 servers.[1]
Enterprise | T1221 | Template Injection                        | Tropic Trooper delivered malicious documents with the XLSX extension, which is normally used for OpenXML documents, but the file itself was actually an OLE (XLS) document.[2]
Enterprise | T1004 | Winlogon Helper DLL                       | Tropic Trooper creates the Registry key HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell and sets its value to establish persistence.[2]

Software

ID    | Name      | References | Techniques
S0012 | PoisonIvy | [2]        | Application Window Discovery, Command-Line Interface, Data from Local System, Data Staged, Input Capture, Modify Existing Service, Modify Registry, New Service, Obfuscated Files or Information, Process Injection, Registry Run Keys / Startup Folder, Remote File Copy, Rootkit, Standard Cryptographic Protocol, Uncommonly Used Port

References