Who is Tropic Trooper (APT23)?

Discover how one of the most elusive Chinese state-sponsored groups, Tropic Trooper, impacts critical sectors across East Asia.

--

Active since 2011, Tropic Trooper, also known as Pirate Panda and APT 23, is a cyber espionage group tied to Chinese state-sponsored operations. This group, also operating under names like Iron, KeyBoy, Bronze Hobart, and Earth Centaur, focuses on intelligence gathering for strategic advantage. It typically targets government bodies, healthcare sectors, and technological entities, particularly in Taiwan, Hong Kong, and the Philippines. Tropic Trooper’s operations often align with China’s geopolitical objectives, leveraging advanced malware and social engineering techniques to infiltrate sensitive networks.

Initial Access: What Methods Does Tropic Trooper Use?

Tropic Trooper primarily gains entry through carefully crafted spear-phishing campaigns, employing social engineering techniques to deceive targets. Their emails often include malicious attachments like Microsoft Office files or embedded links that lead to sites hosting exploit kits. Using vulnerabilities in widely used applications, such as Microsoft Office, Tropic Trooper manages to implant malware, securing a foothold within the target’s system.

Beyond phishing, the group also exploits web server vulnerabilities, including Exchange Server, and deploys malicious modules on open-source platforms like Umbraco CMS to establish unauthorized access points.

Point of entry, a malicious doc

Notable Tools Used for Initial Access:

  • Fscan: Scans for vulnerabilities, open ports, and accessible services.
  • Swor: Aids in initial access through tools like Mimikatz and FRP, enhancing Tropic Trooper’s penetration capabilities.

How Does Tropic Trooper Achieve Persistence?

Following entry, Tropic Trooper deploys sophisticated malware designed for long-term access. Tools like TClient and Yahoyah ChinaChopper allow them to retain control over compromised systems, systematically encrypting and transferring sensitive data back to their servers. These tools are periodically updated to evade detection, enabling Tropic Trooper to maintain their presence within networks for extended durations.

Key Tools for Persistence:

  • ChinaChopper: A compact yet potent web shell enabling consistent access.
  • YAHOYAH: Encrypts its payload to avoid detection, reloading as necessary.
  • PoisonIvy: Ensures continued access by modifying system autostart processes.

How Does Tropic Trooper Escalate Privileges?

Once established, Tropic Trooper actively seeks to escalate privileges to gain administrative access, allowing for deeper network control. They use vulnerabilities in popular software or specific exploits based on the target’s system configuration to bypass security restrictions. For example, they’ve been known to use DLL search-order hijacking, which places malicious DLLs alongside legitimate applications, granting high-level access.

Privilege Escalation Tools:

  • ShadowPad: Utilizes DLL injection to bypass security protocols, granting elevated access.

What Methods Do They Use for Lateral Movement?

After achieving privileged access, Tropic Trooper maps the network, identifying accessible systems and vulnerabilities to expand its reach. They leverage tools that enable them to pivot within the network, allowing them to access additional resources even if portions of their operations are detected.

Tools for Lateral Movement:

  • Neo-reGeorg: A SOCKS5 proxy tool enabling network pivoting.
  • FRPC (Fast Reverse Proxy Client): Aids in lateral movement by creating secure connections across firewalls.
  • Chisel: Facilitates tunneling for unrestricted data movement within compromised networks.

What is Their Data Exfiltration Strategy?

The ultimate objective of Tropic Trooper’s operations is data exfiltration. They systematically identify high-priority information, such as government records, healthcare data, and military communications. They use techniques to compress, encrypt, and stealthily transfer this data to remote command-and-control servers. This data extraction process is carefully staged to avoid detection and supports their long-term espionage goals.

Tools for Data Exfiltration:

  • SharpHound: Maps Active Directory to identify valuable assets.
  • USBferry: Spreads across devices connected via removable media.
  • RClone: Transfers data to and from cloud storage.
  • BITSAdmin: Utilizes BITS jobs to transfer data through alternative channels, bypassing standard detection methods.

How Have Tropic Trooper’s Tactics Evolved?

Reports by TrendMicro and Kaspersky have highlighted Tropic Trooper’s evolution. Between 2021 and 2024, they expanded operations to include sectors such as transportation and human rights organizations across Southeast Asia and the Middle East. In 2024, the group introduced a new backdoor, “Crowdoor,” for delivering Cobalt Strike payloads, refining their persistence and data-gathering capabilities. The group’s evolving approach mirrors red-teaming techniques, enabling more sophisticated infiltration and data extraction methods.

Who Are the Primary Targets of Tropic Trooper?

Government Agencies

Government institutions remain a central target, and attacks aim to obtain information relevant to political, economic, and defense strategies.

Healthcare Organizations

Tropic Trooper also targets healthcare networks, collecting personal and medical records. This data serves both geopolitical and strategic objectives.

Military Networks

Tropic Trooper gains access to defense strategies, troop movements, and other sensitive intelligence by infiltrating military infrastructure, directly benefiting China’s strategic interests.

How Can Organizations Defend Against Tropic Trooper?

To counter Tropic Trooper’s sophisticated tactics, organizations should establish comprehensive cybersecurity protocols:

  1. Enhanced Email Security: Implement advanced filtering and educate employees on identifying phishing.
  2. Access Control and Privileged Account Management: Limit privileges and use Multi-Factor Authentication (MFA) to restrict unauthorized access.
  3. Network Segmentation: Contains intrusions by isolating different network segments.
  4. Endpoint Detection and Response (EDR): Use EDR tools to monitor unusual endpoint activity and detect custom malware.
  5. Regular Patch Management: Update software frequently to address exploitable vulnerabilities.
  6. Network Monitoring and Intrusion Detection: Implement continuous monitoring to detect unusual traffic patterns.
  7. Incident Response and Cyber Threat Intelligence: Prepare tailored incident response plans for APTs and stay updated on Tropic Trooper’s techniques through CTI resources.

SOCRadar’s Extended Cyber Threat Intelligence (XTI) supports organizations in tracking and combating threat actors like Tropic Trooper, offering advanced tools and real-time data.

SOCRadar’s Operational Intelligence/Threat Actor Intelligence

Tropic Trooper, also known as Pirate Panda and APT 23, is a sophisticated and adaptable threat persistently targeting critical sectors in East Asia. Their expertise in advanced malware, spear-phishing, and privilege escalation aligns them with China’s geopolitical interests, making them a significant player in the global cyber threat landscape. Adopting proactive cybersecurity measures is crucial for organizations in sensitive industries to guard against this state-sponsored group.

Originally published on socradar.io, November 1, 2024: https://socradar.io/dark-web-profile-tropic-trooper-apt23/

--

--

No responses yet