Tropic Trooper’s Shift: Middle East Governments Now in the Crosshairs
Kaspersky GReAT experts have discovered that the APT group Tropic Trooper intensified its attacks in 2024, targeting government entities in the Middle East. Tropic Trooper, also known as KeyBoy and Pirate Panda, has been active since 2011, previously focusing on government and high-tech organizations in Taiwan, the Philippines, and Hong Kong. However, new research revealed that since June 2023, the group has persistently targeted a government institution involved in human rights advocacy.
The first activity was recorded in June 2024 when security systems detected new versions of the China Chopper web shell on a public web server running the Umbraco content management system based on C#. This web shell is frequently employed by cybercriminals for remote server control, and its presence on government servers raised serious concerns.
Following the discovery of the web shell, experts uncovered additional malicious software related to the attack. Among them were post-exploitation tools designed for network scanning, security evasion, and lateral movement across the network. One of the key findings was the identification of malicious loaders exploiting DLL search-order hijacking vulnerabilities to infiltrate victims’ systems. These loaders activated more dangerous software, named Crowdoor.
Notably, the first version of the Crowdoor loader was blocked, forcing the hackers to adapt their methods and shift to a new, previously unknown version. Despite this, experts confidently attributed the attack to Tropic Trooper, based on the alignment of methods, tools, and code with previous campaigns by the group.
How the Attack Unfolded
The primary target of the attack was the Umbraco content management system. The initial malicious web shell, embedded in one of Umbraco’s modules, was used to execute commands sent through the management system’s controller. The hackers compiled the shell as a .NET module for Umbraco CMS, allowing them to covertly issue commands through the content management system.
After successfully deploying the web shell, the attackers began uploading additional malware to the compromised server. These included network scanning tools like Fscan and Swor, as well as open proxy tools designed to bypass network security measures.
The hackers exploited vulnerabilities CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207 in Microsoft Exchange, as well as CVE-2023-26360 in Adobe ColdFusion. These unpatched vulnerabilities on the servers enabled the attackers to infiltrate systems and establish a foothold using web shells.
Motives and Attack Methods
Tropic Trooper is known for its extensive use of open-source tools developed by Chinese specialists. For instance, Fscan—a vulnerability scanning utility—is widely employed by hackers to gather information about victims’ internal networks and identify security weaknesses. In one of the scripts found on the compromised server, the hackers used the ICMP command to check the availability of machines within the network.
Another critical tool, Swor, is widely used to conduct attacks with Mimicatz and other utilities that enable remote system access. These tools have been previously employed in attacks on government institutions in Malaysia, confirming Tropic Trooper’s overarching objective—breaching government entities and stealing sensitive data.
A distinctive feature of the group’s work is the use of encrypted web shells, hidden from detection systems through the ByPassGodzilla packer. This software is used to obfuscate malicious code, significantly complicating its detection.
Technical Aspects
One of Tropic Trooper’s key techniques involves loading malicious DLL files through vulnerable legitimate executables. In this case, the hackers used two files, datast.dll and VERSION.dll, which loaded malicious code into the system. These files were injected into legitimate processes such as msiexec.exe, after which the next stage of malicious code was executed.
The discovery of these DLL files allowed investigators to link the attack to Tropic Trooper’s operations, thanks to the similarity of techniques and the use of the same RC4 key for data encryption. This key had already been employed in the group’s previous attacks, further confirming their involvement in the current incident.
Consequences and Objectives of the Attacks
What stands out most is that the main target of the attack was content related to human rights research published on the compromised platform. Given that much of the content focused on the conflict between Israel and Hamas, it is plausible that the attack’s primary goal was to gain access to information on this topic.
This new strategic focus of Tropic Trooper opens additional avenues for analyzing their motivations and objectives. The group’s focus on government entities dealing with human rights suggests a desire to access politically sensitive data on the international stage.
As the investigation into this incident continues, cybersecurity specialists are uncovering new malware samples and updates to the hackers’ tools. This is providing deeper insight into Tropic Trooper’s methods and helping to anticipate their future actions.
