According to Trend Micro, a threat actor believed to be operating out of China has been targeting physically isolated (air-gapped) military networks in Taiwan and the Philippines.
Tracked as Tropic Trooper and KeyBoy, and active since 2011, the group is known for attacks on government, military, healthcare, transportation and high-tech organizations in Taiwan, the Philippines and Hong Kong.
Previously, the group targeted victims with spear-phishing emails carrying malicious attachments that exploited known vulnerabilities such as CVE-2017-0199.
Trend Micro reports that since December 2014 the group has been using a malware family called USBferry against organizations such as military/navy agencies, government institutions, military hospitals, and even a national bank.
USBferry is a stealthy piece of malware that can execute various commands on specific targets and is designed to exfiltrate critical data via USB storage.
To improve the odds of success, the attackers first target organizations affiliated with military or government agencies that have a weaker security posture, then use that foothold as a gateway into the real target. In one case, the group compromised a military hospital and used it to pivot into a physically isolated military network.
USBferry was first mentioned in a 2017 PricewaterhouseCoopers report, but without any technical analysis. Trend Micro's analysis of the malware has identified at least three versions, each with different variants and components.
The malware's behavior on a compromised system varies from environment to environment: it can execute commands, copy files from a source to a destination, and copy folder listings and files from the compromised machine to an attacker-controlled host.
The group achieves infection through a USB worm strategy, delivering the malware installer via USB storage to an air-gapped host machine, Trend Micro explains.
The malware checks for a network connection; if it finds none, it proceeds to collect information about the machine and copies the data to the USB drive, so that the data leaves the air-gapped network the same way the malware came in.
The researchers also discovered that the attackers used several backdoors in a recent incident, including WelCome To Svchost (first seen in 2011), Welcome To IDShell and Hey! Welcome Server.
Other tools the group has used in its attacks include a command line/port relay tool, a backdoor payload/steganography payload execution loader, and port-scanning tools publicly available online.
The group was also observed using steganography to hide backdoor payloads and to evade malware detection at the network perimeter. In addition to delivering payloads, this method was used to send information back to the command and control server.
Tropic Trooper appears to have focused on air-gapped environments for the past six years; in particular, the group prefers military-related organizations and national banks as its initial points of attack. Some military and government agencies may find it difficult to maintain adequate security controls, and once protection is compromised, incident response becomes more complex, Trend Micro said.
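The report says only that payloads and C2 data were hidden in images, not how. One check a practitioner can run cheaply over an image share or proxy cache is to parse each file's container structure and flag any bytes that follow the image's formal end (the JPEG EOI marker or the PNG IEND chunk), since appending a payload behind a valid image is the simplest way to make it survive casual inspection. The following is an added example, not code from the article or from Trend Micro, and the "payload appended after the container" pattern is an assumption about one common technique, not a description of what Tropic Trooper actually did. The sample JPEG and PNG blobs are constructed inline and are not real images; the detector walks both formats' structures (including JPEG entropy-coded scan data with FF00 byte stuffing and RSTn markers) rather than just searching for the last FFD9, which a payload could itself contain.

```python
import math
import struct
import zlib
from collections import Counter

SOI, EOI = b"\xff\xd8", b"\xff\xd9"
PNG_SIG = b"\x89PNG\r\n\x1a\n"


def jpeg_image_end(data: bytes):
    """Offset just past the EOI marker, found by walking the JPEG segment
    structure (including entropy-coded scan data). None if not a well-formed JPEG."""
    if not data.startswith(SOI):
        return None
    pos = 2
    while pos + 1 < len(data):
        if data[pos] != 0xFF:
            return None                      # lost sync: corrupt or not a JPEG
        marker = data[pos + 1]
        if marker == 0xFF:                   # fill byte before a marker
            pos += 1
            continue
        if marker == 0xD9:                   # EOI: the image proper ends here
            return pos + 2
        if marker == 0x01 or 0xD0 <= marker <= 0xD7:   # TEM / RSTn carry no length field
            pos += 2
            continue
        if pos + 4 > len(data):
            return None
        seg_len = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        pos += 2 + seg_len
        if marker == 0xDA:                   # SOS: skip entropy-coded data to the next real marker
            while pos + 1 < len(data):
                nxt = data[pos + 1]
                if data[pos] == 0xFF and nxt != 0x00 and not 0xD0 <= nxt <= 0xD7:
                    break                    # FF00 is byte stuffing, FFD0-FFD7 are restart markers
                pos += 1
    return None


def png_image_end(data: bytes):
    """Offset just past the IEND chunk's CRC; None if not a well-formed PNG."""
    if not data.startswith(PNG_SIG):
        return None
    pos = 8
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        pos += 8 + length + 4                # chunk header + data + CRC
        if ctype == b"IEND":
            return pos if pos <= len(data) else None
    return None


def trailing_bytes(data: bytes):
    """Bytes appended after the image container ends (None if not a parseable JPEG/PNG)."""
    end = jpeg_image_end(data) if data.startswith(SOI) else png_image_end(data)
    return None if end is None else data[end:]


def shannon_entropy(buf: bytes) -> float:
    if not buf:
        return 0.0
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in Counter(buf).values())


def inspect_image(data: bytes) -> dict:
    """Triage verdict for one file: is there a trailer, how big, how random-looking."""
    trailer = trailing_bytes(data)
    if trailer is None:
        return {"parsed": False, "trailer_len": 0, "entropy": 0.0, "suspicious": False}
    return {"parsed": True, "trailer_len": len(trailer),
            "entropy": round(shannon_entropy(trailer), 2), "suspicious": len(trailer) > 0}


def build_sample_jpeg(trailer: bytes = b"") -> bytes:
    """Constructed minimal JPEG (APP0 + SOS + fake scan data containing FF00 stuffing
    and an RST0 marker); a structural stand-in, not a real photo."""
    app0 = b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    sos = b"\x01\x01\x00\x00\x3f\x00"
    scan = b"\x12\xff\x00\x34\xff\xd0\x56"
    return (SOI + b"\xff\xe0" + struct.pack(">H", len(app0) + 2) + app0
            + b"\xff\xda" + struct.pack(">H", len(sos) + 2) + sos
            + scan + EOI + trailer)


def _png_chunk(ctype: bytes, body: bytes) -> bytes:
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)


def build_sample_png(trailer: bytes = b"") -> bytes:
    """Constructed 1x1 PNG skeleton (IHDR + IEND, no pixel data); not a real image."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
    return PNG_SIG + _png_chunk(b"IHDR", ihdr) + _png_chunk(b"IEND", b"") + trailer


if __name__ == "__main__":
    payload = b"MZ" + bytes(range(256)) * 2          # constructed stand-in for a hidden executable
    for name, blob in [("clean.jpg", build_sample_jpeg()), ("stego.jpg", build_sample_jpeg(payload)),
                       ("clean.png", build_sample_png()), ("stego.png", build_sample_png(payload))]:
        print(name, inspect_image(blob))
```

A non-empty trailer is a strong signal on its own; the entropy figure helps separate an appended encrypted or packed blob (close to 8 bits per byte) from benign junk such as a trailing newline or an embedded XMP block that some tools append. The check does not catch payloads hidden inside the pixel data or inside legitimate metadata segments, so treat it as one cheap triage step rather than a complete steganography detector.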
Related: KeyBoy Abuses Popular Office Exploits for Malware Delivery
Related: Different Chinese Groups Use the Same RTF Weaponizer
Ionut Arghire is an international correspondent for SecurityWeek.