Chinese-Speaking Hacker Group Targets Human Rights Studies in Middle East

Avatar
Unnamed government entities in the Middle East and Malaysia are the target of a persistent cyber campaign orchestrated by a threat actor known as Tropic Trooper since June 2023. “Sighting this group’s [Tactics, Techniques, and Procedures] in critical governmental entities in the Middle East, particularly those related to human rights studies, marks a new strategic move for them,” Kaspersky

Unnamed government entities in the Middle East and Malaysia are the target of a persistent cyber campaign orchestrated by a threat actor known as Tropic Trooper since June 2023.

“Sighting this group’s [Tactics, Techniques, and Procedures] in critical governmental entities in the Middle East, particularly those related to human rights studies, marks a new strategic move for them,” Kaspersky security researcher Sherif Magdy said.

The Russian cybersecurity vendor said it detected the activity in June 2024 upon discovering a new version of the China Chopper web Shell, a tool shared by many Chinese-speaking threat actors for remote access to compromised servers, on a public web server hosting an open-source content management system (CMS) called Umbraco.

The attack chain is designed to deliver a malware implant named Crowdoor, a variant of the SparrowDoor backdoor documented by ESET back in September 2021. The efforts were ultimately unsuccessful.

Tropic Trooper, also known by the names APT23, Earth Centaur, KeyBoy, and Pirate Panda, is known for its targeting of government, healthcare, transportation, and high-tech industries in Taiwan, Hong Kong, and the Philippines. The Chinese-speaking collective has been assessed to be active since 2011, sharing close ties with another intrusion set tracked as FamousSparrow.

The latest intrusion highlighted by Kaspersky is significant for compiling the China Chopper web shell as a .NET module of Umbraco CMS, with follow-on exploitation leading to the deployment of tools for network scanning, lateral movement, and defense evasion, before launching Crowdoor using DLL side-loading techniques.

It’s suspected that the web shells are delivered by exploiting known security vulnerabilities in publicly accessible web applications, such as Adobe ColdFusion (CVE-2023-26360) and Microsoft Exchange Server (CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207).

Crowdoor, first observed in June 2023, also functions as a loader to drop Cobalt Strike and maintain persistence on the infected hosts, while also acting as a backdoor to harvest sensitive information, launch a reverse shell, erase other malware files, and terminate itself.

“When the actor became aware that their backdoors were detected, they tried to upload newer samples to evade detection, thereby increasing the risk of their new set of samples being detected in the near future,” Magdy noted.

“The significance of this intrusion lies in the sighting of a Chinese-speaking actor targeting a content management platform that published studies on human rights in the Middle East, specifically focusing on the situation around the Israel-Hamas conflict.”

“Our analysis of this intrusion revealed that this entire system was the sole target during the attack, indicating a deliberate focus on this specific content.”

Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.

 The Hacker News 

Total
0
Shares
Previous Post

Veeam Releases Security Updates to Fix 18 Flaws, Including 5 Critical Issues

Next Post

Ransomware hackers threaten Montana branch of Planned Parenthood

Related Posts

New Android Banking Malware ‘ToxicPanda’ Targets Users with Fraudulent Money Transfers

Over 1,500 Android devices have been infected by a new strain of Android banking malware called ToxicPanda that allows threat actors to conduct fraudulent banking transactions. "ToxicPanda's main goal is to initiate money transfers from compromised devices via account takeover (ATO) using a well-known technique called on-device fraud (ODF)," Cleafy researchers Michele Roviello, Alessandro Strino
Avatar
Read More

Mozilla Faces Privacy Complaint for Enabling Tracking in Firefox Without User Consent

Vienna-based privacy non-profit noyb (short for None Of Your Business) has filed a complaint with the Austrian data protection authority (DPA) against Firefox maker Mozilla for enabling a new feature called Privacy Preserving Attribution (PPA) without explicitly seeking users' consent. "Contrary to its reassuring name, this technology allows Firefox to track user behavior on websites," noyb said
Avatar
Read More