Tropic Trooper

Tropic Trooper is an unaffiliated threat group that has led targeted campaigns against targets in Taiwan, the Philippines, and Hong Kong. Tropic Trooper focuses on targeting government, healthcare, transportation, and high-tech industries and has been active since 2011.[1][2]

ID: G0081
Associated Groups: KeyBoy
Contributors: Bart Parys
Version: 1.1

Associated Group Descriptions

| Name | Description |
|---|---|
| KeyBoy | [2][1] |

Techniques Used

| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1197 | BITS Jobs | Tropic Trooper has leveraged the BITSadmin command-line tool to create a job and launch a malicious process.[1] |
| Enterprise | T1043 | Commonly Used Port | Tropic Trooper can use ports 443 and 53 for C2 communications via malware called TClient.[1] |
| Enterprise | T1140 | Deobfuscate/Decode Files or Information | Tropic Trooper used shellcode with an XOR algorithm to decrypt a payload.[2] |
| Enterprise | T1073 | DLL Side-Loading | Tropic Trooper has been known to side-load DLLs using a valid version of Windows Address Book executable with one of their tools.[3] |
| Enterprise | T1203 | Exploitation for Client Execution | Tropic Trooper has executed commands through Microsoft security vulnerabilities, including CVE-2017-11882, CVE-2018-0802, and CVE-2012-0158.[1][2] |
| Enterprise | T1158 | Hidden Files and Directories | Tropic Trooper has created a hidden directory under C:\ProgramData\Apple\Updates\.[1] |
| Enterprise | T1046 | Network Service Scanning | Tropic Trooper used pr to scan for open ports on target systems.[4] |
| Enterprise | T1135 | Network Share Discovery | Tropic Trooper used netview to scan target systems for shared resources.[4] |
| Enterprise | T1050 | New Service | Tropic Trooper installs a service pointing to a malicious DLL dropped to disk.[5] |
| Enterprise | T1027 | Obfuscated Files or Information | Tropic Trooper has encrypted configuration files.[1] |
| Enterprise | T1057 | Process Discovery | Tropic Trooper enumerates the running processes on the system.[2] |
| Enterprise | T1055 | Process Injection | Tropic Trooper has injected a DLL backdoor into a file dllhost.exe.[1] |
| Enterprise | T1063 | Security Software Discovery | Tropic Trooper searches for anti-virus software running on the system.[2] |
| Enterprise | T1193 | Spearphishing Attachment | Tropic Trooper sent spearphishing emails that contained malicious Microsoft Office attachments.[2][4][6] |
| Enterprise | T1032 | Standard Cryptographic Protocol | Tropic Trooper uses SSL to connect to C2 servers.[1] |
| Enterprise | T1082 | System Information Discovery | Tropic Trooper has detected a target system’s OS version.[4] |
| Enterprise | T1033 | System Owner/User Discovery | Tropic Trooper used letmein to scan for saved usernames on the target system.[4] |
| Enterprise | T1221 | Template Injection | Tropic Trooper delivered malicious documents with the XLSX extension, typically used by OpenXML documents, but the file itself was actually an OLE (XLS) document.[2] |
| Enterprise | T1004 | Winlogon Helper DLL | Tropic Trooper creates the Registry key HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell and sets the value to establish persistence.[2] |


| ID | Name | References | Techniques |
|---|---|---|---|
| S0387 | KeyBoy | [2][6] | Command-Line Interface, Commonly Used Port, Custom Cryptographic Protocol, Dynamic Data Exchange, Exploitation for Client Execution, File and Directory Discovery, Input Capture, New Service, Obfuscated Files or Information, PowerShell, Remote File Copy, Screen Capture, Scripting, System Information Discovery, System Network Configuration Discovery, Timestomp, Winlogon Helper DLL |
| S0012 | PoisonIvy | [2] | Application Window Discovery, Command-Line Interface, Data from Local System, Data Staged, Input Capture, Modify Existing Service, Modify Registry, New Service, Obfuscated Files or Information, Process Injection, Registry Run Keys / Startup Folder, Remote File Copy, Rootkit, Standard Cryptographic Protocol, Uncommonly Used Port |
| S0388 | Yahoyah | [4] | Deobfuscate/Decode Files or Information, Obfuscated Files or Information, Remote File Copy, Security Software Discovery, Standard Application Layer Protocol, System Information Discovery |