{
  "Event": {
    "analysis": "1",
    "date": "2024-09-05",
    "extends_uuid": "",
    "info": "[Threat Intel] Tropic Trooper spies on government entities in the Middle East",
    "protected": false,
    "publish_timestamp": "1780039377",
    "published": true,
    "threat_level_id": "1",
    "timestamp": "1780039377",
    "uuid": "a9c8d390-6524-4a0e-b05b-6d1a8b6d0082",
    "Orgc": {
      "name": "Rectifyq",
      "uuid": "cd9bd516-61fa-476b-980f-2f8de03992d4"
    },
    "Tag": [
      {
        "colour": "#1ebce4",
        "local": false,
        "name": "misp-galaxy:producer=\"Kaspersky\"",
        "relationship_type": ""
      },
      {
        "colour": "#ffffff",
        "local": false,
        "name": "tlp:clear",
        "relationship_type": ""
      },
      {
        "colour": "#004646",
        "local": false,
        "name": "type:OSINT",
        "relationship_type": ""
      },
      {
        "colour": "#3000b9",
        "local": false,
        "name": "rectifyq:workflow=\"enrichment\"",
        "relationship_type": ""
      },
      {
        "colour": "#b94b1d",
        "local": false,
        "name": "rectifyq:mitre-att&ck=\"none-from-src\"",
        "relationship_type": ""
      },
      {
        "colour": "#b94b1d",
        "local": false,
        "name": "rectifyq:mitre-att&ck=\"self-curated\"",
        "relationship_type": ""
      },
      {
        "colour": "#e7d48a",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"System Owner/User Discovery - T1033\"",
        "relationship_type": ""
      },
      {
        "colour": "#5c57c8",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Windows Service - T1543.003\"",
        "relationship_type": ""
      },
      {
        "colour": "#e72d65",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"DLL Search Order Hijacking - T1574.001\"",
        "relationship_type": ""
      },
      {
        "colour": "#7d7034",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"System Information Discovery - T1082\"",
        "relationship_type": ""
      },
      {
        "colour": "#75ec20",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Masquerading - T1036\"",
        "relationship_type": ""
      },
      {
        "colour": "#43c8db",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Process Injection - T1055\"",
        "relationship_type": ""
      },
      {
        "colour": "#65d24c",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Gather Victim Identity Information - T1589\"",
        "relationship_type": ""
      },
      {
        "colour": "#682cad",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Remote Services - T1021\"",
        "relationship_type": ""
      },
      {
        "colour": "#fe1ef0",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Web Shell - T1505.003\"",
        "relationship_type": ""
      },
      {
        "colour": "#9f6bd9",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"System Network Configuration Discovery - T1016\"",
        "relationship_type": ""
      },
      {
        "colour": "#0c0051",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"File and Directory Discovery - T1083\"",
        "relationship_type": ""
      },
      {
        "colour": "#62f4c1",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Process Discovery - T1057\"",
        "relationship_type": ""
      },
      {
        "colour": "#755c09",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"PowerShell - T1059.001\"",
        "relationship_type": ""
      },
      {
        "colour": "#b76d96",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Registry Run Keys / Startup Folder - T1547.001\"",
        "relationship_type": ""
      },
      {
        "colour": "#6fe7f4",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Tool - T1588.002\"",
        "relationship_type": ""
      },
      {
        "colour": "#1b95cd",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Phishing - T1566\"",
        "relationship_type": ""
      },
      {
        "colour": "#e08bb2",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Obfuscated Files or Information - T1027\"",
        "relationship_type": ""
      },
      {
        "colour": "#02475d",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Windows Command Shell - T1059.003\"",
        "relationship_type": ""
      },
      {
        "colour": "#4c0fbb",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Ingress Tool Transfer - T1105\"",
        "relationship_type": ""
      },
      {
        "colour": "#915448",
        "local": false,
        "name": "misp-galaxy:target-information=\"Malaysia\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:threat-actor=\"APT23\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:region=\"145 - Western Asia\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:sector=\"Government, Administration\"",
        "relationship_type": ""
      },
      {
        "colour": "#49a260",
        "local": false,
        "name": "rectifyq:category=\"threat\"",
        "relationship_type": ""
      },
      {
        "colour": "#130049",
        "local": false,
        "name": "rectifyq:sub-category=\"campaign-analysis\"",
        "relationship_type": ""
      },
      {
        "colour": "#d92121",
        "local": false,
        "name": "rectifyq:target=\"targeted\"",
        "relationship_type": ""
      },
      {
        "colour": "#dd2e44",
        "local": false,
        "name": "rectifyq:MY-relevancy=\"relevant\"",
        "relationship_type": ""
      },
      {
        "colour": "#3500ca",
        "local": false,
        "name": "rectifyq:detection-rules=\"yara-from-src\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-malware=\"China Chopper - S0020\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:malpedia=\"SparrowDoor\"",
        "relationship_type": ""
      },
      {
        "colour": "#f1dfed",
        "local": false,
        "name": "rectifyq:TA-category=\"APT\"",
        "relationship_type": ""
      }
    ],
    "Attribute": [
      {
        "category": "External analysis",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1736660183",
        "to_ids": false,
        "type": "link",
        "uuid": "ef985bb7-b087-4e17-bcc3-1a2e9f7190a4",
        "value": "https://securelist.com/new-tropic-trooper-web-shell-infection/113737/"
      },
      {
        "category": "Other",
        "comment": "Description",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1736660183",
        "to_ids": false,
        "type": "text",
        "uuid": "4edaa62c-9e6e-4441-9337-0db379b4fdfc",
        "value": "Tropic Trooper, a Chinese-speaking APT group active since 2011, has expanded its operations to target government entities in the Middle East. The group deployed a new variant of the China Chopper web shell on a compromised Umbraco CMS server, along with other post-exploitation tools and backdoor implants. The attackers used DLL search-order hijacking to load malicious payloads, including a loader called Crowdoor. The campaign focused on cyber espionage, targeting systems related to human rights studies in the region. This marks a strategic shift for Tropic Trooper, previously known for targeting Southeast Asian countries."
      },
      {
        "category": "Other",
        "comment": "Summary",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1736660183",
        "to_ids": false,
        "type": "text",
        "uuid": "eeb9c12e-7230-4408-a012-d871dcb6c34f",
        "value": "Name: Tropic Trooper spies on government entities in the Middle East\nAuthor: AlienVault\nAdversary: Tropic Trooper\nTags: [\"swor\", \"bypassgodzilla\", \"crowdoor\", \"china chopper\", \"umbraco cms\", \"web shell\", \"neo-regeorg\", \"fscan\"]\nTgtd countries: [\"Malaysia\"]\nMlwr families: [\"Crowdoor\", \"Swor\", \"Neo-reGeorg\", \"ByPassGodzilla\", \"China Chopper\"]\nAttack_ids: [\"T1033\", \"T1543.003\", \"T1574.001\", \"T1082\", \"T1036\", \"T1055\", \"T1589\", \"T1021\", \"T1505.003\", \"T1016\", \"T1083\", \"T1057\", \"T1059.001\", \"T1547.001\", \"T1588.002\", \"T1566\", \"T1027\", \"T1059.003\", \"T1105\"]\nIndustries: [\"Government\"]"
      },
      {
        "category": "Attribution",
        "comment": "Adversary",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1736660183",
        "to_ids": false,
        "type": "threat-actor",
        "uuid": "9881d900-3ac5-4a35-bc8d-adba6e2804ab",
        "value": "Tropic Trooper"
      },
      {
        "category": "Artifacts dropped",
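        "comment": "Value is a 40-character hex string, not YARA rule text; presumably a rule identifier from the source feed - confirm what it refers to before exporting this attribute as a YARA signature.",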
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1736660183",
        "to_ids": true,
        "type": "yara",
        "uuid": "83935a35-aeea-4788-a5d9-6c80a403fc9e",
        "value": "c944e49a476b7a2b50e4f2b3ac681e08d118f8fe"
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1736660183",
        "to_ids": true,
        "type": "domain",
        "uuid": "06c906ea-a1d1-4507-aa9d-539ee4c56ac3",
        "value": "techmersion.com"
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1736660184",
        "to_ids": true,
        "type": "hostname",
        "uuid": "31a7e4aa-dfee-4f54-923f-535fb6e24db6",
        "value": "blog.techmersion.com"
      },
      {
        "category": "Payload delivery",
        "comment": "Umbraco Webshell",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1746152068",
        "to_ids": true,
        "type": "md5",
        "uuid": "713d15f0-8bf1-4aed-9473-d6bdc3b3d94e",
        "value": "3f15c4431ad4573344ad56e8384ebd62"
      },
      {
        "category": "Payload delivery",
        "comment": "Umbraco Webshell",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1746152068",
        "to_ids": true,
        "type": "md5",
        "uuid": "e7115ae0-a596-47bc-bf67-c450acd6df7e",
        "value": "78b47dda664545542ed3abe17400c354"
      },
      {
        "category": "Payload delivery",
        "comment": "Umbraco Webshell",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1746152068",
        "to_ids": true,
        "type": "md5",
        "uuid": "e9bbb31b-a9b1-49bf-8626-6f8b570b2c8e",
        "value": "3b7721715b2842cdff0ab72bd605a0ce"
      },
      {
        "category": "Payload delivery",
        "comment": "Umbraco Webshell",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1746152068",
        "to_ids": true,
        "type": "md5",
        "uuid": "6215efca-fe4f-4836-90b4-33054336810a",
        "value": "868b8a5012e0eb9a48d2daf7cb7a5d87"
      },
      {
        "category": "Payload delivery",
        "comment": "Post-Exploitation Tool",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1746152079",
        "to_ids": true,
        "type": "md5",
        "uuid": "589ca382-2e59-48ca-b102-201b46a6b4c4",
        "value": "149a9e24dbe347c4af2de8d135aa4b76"
      },
      {
        "category": "Payload delivery",
        "comment": "Post-Exploitation Tool",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1746152079",
        "to_ids": true,
        "type": "md5",
        "uuid": "c21e5fbf-5bc6-4441-9eb4-73d3f56ce231",
        "value": "103e4c2e4ee558d130c8b59bfd66b4fb"
      },
      {
        "category": "Payload delivery",
        "comment": "Post-Exploitation Tool",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1746152079",
        "to_ids": true,
        "type": "md5",
        "uuid": "b6378b37-67d9-4cea-8b20-c97a026feba8",
        "value": "e0d9215f64805e0bff03f4dc796fe52e"
      },
      {
        "category": "Payload delivery",
        "comment": "Post-Exploitation Tool",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1746152079",
        "to_ids": true,
        "type": "md5",
        "uuid": "1b76498c-6143-42e8-bb65-6e83c09af901",
        "value": "27c558bd42744cddc9edb3fa597d0510"
      },
      {
        "category": "Payload delivery",
        "comment": "Post-Exploitation Tool",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1746152079",
        "to_ids": true,
        "type": "md5",
        "uuid": "aa42fd89-2e9c-4195-baa8-493b6c8f9210",
        "value": "4f950683f333f5ed779d70eb38cdadcf"
      },
      {
        "category": "Payload delivery",
        "comment": "Tropic Trooper Loader",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1746152089",
        "to_ids": true,
        "type": "md5",
        "uuid": "ea232415-3b4c-4918-9471-c246c598bacd",
        "value": "fd8382efb0a16225896d584da56c182c"
      },
      {
        "category": "Payload delivery",
        "comment": "Tropic Trooper Loader",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1746152089",
        "to_ids": true,
        "type": "md5",
        "uuid": "d2d1dff9-8cad-423b-98d3-8becdce756bf",
        "value": "1dd03936baf0fe95b7e5b54a9dd4a577"
      },
      {
        "category": "Payload delivery",
        "comment": "Tropic Trooper Loader",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1746152089",
        "to_ids": true,
        "type": "md5",
        "uuid": "2ecce372-5f30-406e-9d7a-a7249ec6ac4c",
        "value": "8a900f742d0e3cd3898f37dbc3d6e054"
      },
      {
        "category": "Payload delivery",
        "comment": "Tropic Trooper Loader",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1746152089",
        "to_ids": true,
        "type": "md5",
        "uuid": "915c27d5-96a8-4c67-b7e4-058105a335ec",
        "value": "a213873eb55dc092ddf3adbeb242bd44"
      },
      {
        "category": "Payload delivery",
        "comment": "Tropic Trooper Loader",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1746152089",
        "to_ids": true,
        "type": "md5",
        "uuid": "4a9a961d-0c30-4a46-b711-72696843794b",
        "value": "dd7593e9ba80502505c958b9bbbf2838"
      },
      {
        "category": "Payload delivery",
        "comment": "Tropic Trooper Loader",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1746152089",
        "to_ids": true,
        "type": "md5",
        "uuid": "f4b39b03-9d5e-4b01-a648-1cde4675d6c7",
        "value": "2c7ebd103514018bad223f25026d4db3"
      },
      {
        "category": "Payload delivery",
        "comment": "Tropic Trooper Loader",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1746152089",
        "to_ids": true,
        "type": "md5",
        "uuid": "78b74f5e-0793-4a2c-9b94-41fdcb4a3c63",
        "value": "0b9ae998423a207f021f8e61b93bc849"
      },
      {
        "category": "Payload delivery",
        "comment": "Tropic Trooper Loader",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1746152089",
        "to_ids": true,
        "type": "md5",
        "uuid": "3b1936e4-1f3a-4d63-b851-06bf0a039911",
        "value": "e845563ba35e8d227152165b0c3e769f"
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1780039375",
        "to_ids": true,
        "type": "ip-dst",
        "uuid": "6a1d30fc-51f5-4fd7-a1d9-389d3f5b5533",
        "value": "51.195.37.155",
        "Tag": [
          {
            "colour": "#21ca95",
            "local": false,
            "name": "asn:asn=\"16276\"",
            "relationship_type": ""
          },
          {
            "colour": "#983aa5",
            "local": false,
            "name": "asn:as-owner=\"OVH\"",
            "relationship_type": ""
          },
          {
            "colour": "#93736f",
            "local": false,
            "name": "asn:as-country=\"FR\"",
            "relationship_type": ""
          },
          {
            "colour": "#f6cea1",
            "local": false,
            "name": "misp-galaxy:country=\"france\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1780039377",
        "to_ids": true,
        "type": "ip-dst",
        "uuid": "6f89454e-e4be-4c35-96d8-e5540dbbcf61",
        "value": "162.19.135.182",
        "Tag": [
          {
            "colour": "#21ca95",
            "local": false,
            "name": "asn:asn=\"16276\"",
            "relationship_type": ""
          },
          {
            "colour": "#983aa5",
            "local": false,
            "name": "asn:as-owner=\"OVH\"",
            "relationship_type": ""
          },
          {
            "colour": "#93736f",
            "local": false,
            "name": "asn:as-country=\"FR\"",
            "relationship_type": ""
          },
          {
            "colour": "#f6cea1",
            "local": false,
            "name": "misp-galaxy:country=\"france\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Other",
        "comment": "hardcoded RC4 key",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1746152212",
        "to_ids": false,
        "type": "text",
        "uuid": "4752b018-c0d3-405c-8f04-dbeb9bf50805",
        "value": "fYTUdr643$3u"
      }
    ],
    "Object": [
      {
        "comment": "",
        "deleted": false,
        "description": "An object describing a YARA rule (or a YARA rule name) along with its version.",
        "meta-category": "misc",
        "name": "yara",
        "template_uuid": "b5acf82e-ecca-4868-82fe-9dbdf4d808c3",
        "template_version": "6",
        "timestamp": "1746152115",
        "uuid": "9d1bee72-8a66-4042-ac2b-a2cd53146a28",
        "Attribute": [
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "comment",
            "timestamp": "1746152115",
            "to_ids": false,
            "type": "comment",
            "uuid": "2dc7d946-03fc-4b03-8464-db9c4df65330",
            "value": "Rule to detect Tropic Trooper Umbraco webshells .NET sample"
          },
          {
            "category": "Payload installation",
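            "comment": "The rule's meta 'distribution' field forbids sharing on threat intel platforms, while this event is tagged tlp:clear; confirm redistribution terms with the rule author before sharing further.",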
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "yara",
            "timestamp": "1746152115",
            "to_ids": true,
            "type": "yara",
            "uuid": "417a76a7-45da-4497-aa9e-136bc8c17f6b",
            "value": "rule tropictrooper_umbraco_compiled_webshells {\r\nmeta:\r\n\tdescription = \"Rule to detect Tropic Trooper Umbraco webshells .NET sample\"\r\n\tauthor = \"Kaspersky\"\r\n\tcopyright = \"Kaspersky\"\r\n\tdistribution = \"DISTRIBUTION IS FORBIDDEN. DO NOT UPLOAD TO ANY MULTISCANNER OR SHARE ON ANY THREAT INTEL PLATFORM\"\r\n\tsample = \"3f15c4431ad4573344ad56e8384ebd62\"\r\n \r\nstrings:\r\n\t$s1 = { 72 ?? ?? ?? ?? 28 ?? ?? ?? ?? 6F ?? ?? ?? ?? A2 25 1F 0A 72 ?? ?? ?? ?? A2 25 1F 0B 72 ?? ?? ?? ?? A2 25 1F 0C 72 ?? ?? ?? ?? A2 25 1F 0D 72 ?? ?? ?? ?? A2 25 1F 0E 72 ?? ?? ?? ?? A2 25 1F 0F 72 ?? ?? ?? ?? A2 25 1F 10 72 ?? ?? ?? ?? A2 25 1F 11 72 ?? ?? ?? ?? A2 25 1F 12 72 ?? ?? ?? ?? A2 25 1F 13 72 ?? ?? ?? ?? A2 25 1F 14 72 ?? ?? ?? ?? A2 25 1F 15 72 ?? ?? ?? ?? A2 25 1F 16 72 ?? ?? ?? ?? A2 25 1F 17 72 ?? ?? ?? ?? A2 25 1F 18 72 ?? ?? ?? ?? A2 }\r\n \r\ncondition:\r\n\t$s1 and \r\n\tfilesize < 1MB\r\n}"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "yara-rule-name",
            "timestamp": "1746152115",
            "to_ids": false,
            "type": "text",
            "uuid": "f563620a-2c12-468c-ac92-47fcc6134ea7",
            "value": "tropictrooper_umbraco_compiled_webshells"
          }
        ]
      }
    ]
  }
}