[MART] - Daily Diary #536 - Tropic Trooper-Linked Group's New Campaign

CTAS-MAT ctas-mat at appgate.com
Wed Jun 22 23:10:13 UTC 2022


I hope everyone is doing well!

Below is the entry for today.

06/22/2022 - Diary entry #536:

Tropic Trooper, also known as KeyBoy, is a group active since at least 2015 that targets government, healthcare, transportation, and high-tech organizations in Taiwan, the Philippines, and Hong Kong.

Today, a new campaign from a group with ties to Tropic Trooper was disclosed. In this new campaign, a specific loader named Nimbda was used by the threat actors to execute the final payload. Nimbda is written in Nim, a statically typed compiled programming language.

Nimbda injects shellcode into the notepad.exe process and executes it. The shellcode then gets an obfuscated IP address from GitHub or Gitee (a Chinese GitHub-like service) to download a next-stage obfuscated executable known as Yahoyah, an improved version of the Yahoyah backdoor/downloader used by Tropic Trooper.

The final payload deployed in the infection chain is TClient. TClient is one of the many backdoors used by the Tropic Trooper group; it was discovered in 2018 and uses symmetric encryption to decrypt its configuration with one 16-byte key.

This new infection chain suggests that the attackers behind the campaign are possibly skilled threat actors. Writing executables in different programming languages has the advantage that some antivirus products do not flag them as malicious, but it requires more creativity and skill from the malware developers.

Kind Regards,


Felipe Tarijon de Almeida
Malware Analyst

E: felipe.tarijon at appgate.com
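
An added detection sketch for the stage described above, where shellcode running inside notepad.exe contacts GitHub or Gitee; it is not part of the original diary entry or of any vendor tooling. It assumes Sysmon-style events (ID 3 network connection, ID 22 DNS query) exported as JSON lines, assumes the listed hostnames for the two services, and runs on constructed sample events.

```python
import json
from pathlib import PureWindowsPath

# Assumption: hostname suffixes for the two code-hosting services named in the diary.
CODE_HOSTING_SUFFIXES = ("github.com", "githubusercontent.com", "gitee.com")
# Sysmon event ID -> field that carries the remote host name.
HOST_FIELD = {3: "DestinationHostname", 22: "QueryName"}

# Constructed sample events, one JSON object per line (not campaign data).
SAMPLE_EVENTS = r"""
{"EventID": 22, "Image": "C:\\Windows\\System32\\notepad.exe", "QueryName": "raw.githubusercontent.com"}
{"EventID": 3, "Image": "C:\\Windows\\System32\\notepad.exe", "DestinationHostname": "gitee.com"}
{"EventID": 3, "Image": "C:\\Program Files\\Git\\cmd\\git.exe", "DestinationHostname": "github.com"}
{"EventID": 22, "Image": "C:\\Windows\\System32\\notepad.exe", "QueryName": "example.org"}
{"EventID": 3, "Image": "C:\\Windows\\NOTEPAD.EXE", "DestinationHostname": "notgithub.com"}
{"EventID": 1, "Image": "C:\\Windows\\System32\\notepad.exe"}
"""

def host_matches(host, suffixes=CODE_HOSTING_SUFFIXES):
    """True if host equals a suffix or is a subdomain of it (label boundary)."""
    host = (host or "").lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in suffixes)

def classify(event):
    """Return None, 'medium' or 'high' for a single event."""
    field = HOST_FIELD.get(event.get("EventID"))
    if field is None:
        return None  # not a network or DNS event
    image = PureWindowsPath(event.get("Image") or "").name.lower()
    if image != "notepad.exe":
        return None  # other processes are out of scope for this rule
    # Assumption: any network activity by notepad.exe deserves a look;
    # code-hosting destinations match the chain described in the diary.
    return "high" if host_matches(event.get(field)) else "medium"

def scan(json_lines):
    """Return (severity, event_id, host) for every flagged event."""
    findings = []
    for line in json_lines.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        severity = classify(event)
        if severity:
            host = event.get(HOST_FIELD[event["EventID"]])
            findings.append((severity, event["EventID"], host))
    return findings

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```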
