Major government sectors and corporations in both Taiwan and the Philippines have become the latest targets in an ongoing attack campaign in the Asia Pacific region. The threat actors behind Operation Tropic Trooper—so named for its choice of targets—aim to steal highly classified information from several Taiwanese government ministries and heavy industries as well as from the Philippine military.
Throughout March to May 2015, our researchers noted that 62% of the Tropic Trooper-related malware infections targeted Taiwanese organizations while the remaining 38% targeted Philippine entities. Although the identities and motivations of the actors behind the campaign have yet to be established, we have found that the command-and-control (C&C) servers used in this campaign were located in four countries: Taiwan (43% of the servers), USA (36%), Hong Kong (14%) and the UAE (7%).
Though attacks like these are not new, what our researchers have uncovered are critical security gaps the targeted organizations have yet to fill.
Operation Tropic Trooper Overview
Operation Tropic Trooper has been active since 2012, but our researchers have found that the malware the attackers used shares characteristics with samples we first examined in 2011. The same characteristics were also seen in 2013 when users in India and Vietnam were targeted in a similar effort.
This latest attack relied on two of the most-exploited Windows® vulnerabilities to date—CVE-2010-3333 and CVE-2012-0158—to infiltrate the target networks. This suggests that the organizations were running on unpatched, vulnerable systems that made them more susceptible to threats.
Aside from exploiting those vulnerabilities, the threat actors used basic steganography. This means they were able to conceal malicious code in JPEG files popularly used as Windows XP wallpapers. Steganography, although not a new cybercriminal tactic, is not commonly used in targeted attacks. That being said, there are possible reasons why the threat actors might have chosen this approach:
- As of the first half of this year, almost 17% of systems in Taiwan and 13% in the Philippines still run on Windows XP. Given that it takes larger agencies longer to upgrade their systems, there is a high probability that the targets of this campaign still use the legacy OS.
- There is also a possibility that the threat actors used this form of steganography because they either still use the outdated OS themselves or have in-depth knowledge of it.
The Infiltration and Infection Chain
The attack begins with spear-phishing emails carrying crafted documents as attachments. To infiltrate target networks, the attackers relied on social engineering tricks to convince targets to double-click the attachments.
Figure 2. Spear-phishing email sample
Opening the attachments leads to the execution of malware that downloads an image file to the system. Some attachments open decoy documents to hide their malicious nature.
Closer inspection of the downloaded image file reveals that it uses steganography to hide the malicious content. The hidden executables are decrypted in memory and never written to disk. These executables are installers that drop the backdoor BKDR_YAHAMAM. With its capabilities of downloading, uploading, and creating a remote shell, the backdoor can easily carry out the next phase of the attack: finding other targets within its reach.
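As an added example (not code from the original post or from Trend Micro), the following Python triage check looks for the simplest JPEG carrier pattern: data appended after the image's EOI marker, which an image viewer ignores but a loader can carve out and decrypt. The post does not state how the Tropic Trooper payload was embedded, so treating trailing data and its entropy as the indicator is an assumption of this example; the sample files below are constructed, not campaign artifacts.

```python
import math
import struct
from collections import Counter

STANDALONE = {0x01, 0xD8} | set(range(0xD0, 0xD8))  # TEM, SOI, RSTn: markers with no length field
IN_SCAN = {0x00} | set(range(0xD0, 0xD8))           # may follow 0xFF inside entropy-coded data

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: encrypted or compressed payloads sit near 8.0, plain text or code well below."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def find_eoi(data: bytes) -> int:
    """Walk the segment structure; return the offset just past EOI (FF D9), or -1 if there is none."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("missing SOI: not a JPEG")
    pos = 2
    while pos + 1 < len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected marker at offset {pos}")
        marker = data[pos + 1]
        pos += 2
        if marker == 0xD9:                  # EOI
            return pos
        if marker in STANDALONE:
            continue
        pos += struct.unpack_from(">H", data, pos)[0]   # segment length includes its own two bytes
        if marker == 0xDA:                  # SOS: skip entropy-coded data up to the next real marker
            while pos + 1 < len(data) and not (data[pos] == 0xFF and data[pos + 1] not in IN_SCAN):
                pos += 1
    return -1

def inspect_jpeg(data: bytes) -> dict:
    """Report how much data trails EOI and how random it looks; a benign JPEG has none."""
    end = find_eoi(data)
    trailing = data[end:] if end >= 0 else b""
    return {"eoi_found": end >= 0, "trailing_bytes": len(trailing),
            "trailing_entropy": round(shannon_entropy(trailing), 2)}

# Constructed samples (not real campaign files): a minimal JFIF skeleton, and the same
# skeleton with a uniformly distributed 1024-byte blob appended after EOI.
def _skeleton() -> bytes:
    app0 = b"\xff\xe0" + struct.pack(">H", 16) + b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    sos = b"\xff\xda" + struct.pack(">H", 8) + b"\x01\x01\x00\x00\x3f\x00"
    return b"\xff\xd8" + app0 + sos + b"\x12\xff\x00\x34" + b"\xff\xd9"   # scan data has a stuffed FF00

CLEAN_JPEG = _skeleton()
CARRIER_JPEG = _skeleton() + bytes(range(256)) * 4   # inspect_jpeg -> 1024 trailing bytes, entropy 8.0
```

Run over wallpaper-sized images fetched by endpoints, a non-zero trailing count with entropy near 8.0 is worth pulling for analysis; a missing EOI is itself anomalous.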
Critical Call for Targeted Entities
Operation Tropic Trooper is not highly sophisticated. But the fact that it has attained some degree of success and has managed to infiltrate crucial organizations in both Taiwan and the Philippines shows the urgent need for targeted entities to rectify their shortcomings in terms of security.
Knowing that attackers are still using old techniques and exploiting known vulnerabilities will make it easier for the targeted organizations to pinpoint and fix security gaps in their networks.
Building threat intelligence is crucial in the fight against targeted attacks. Identifying the tools, tactics, and procedures (TTPs) that threat actors use based on external reports and internal historical and current monitoring can help create a strong database of indicators of compromise (IoCs) that can serve as basis for action.
Using the right tools for advanced threat protection should also be part of an expanded security monitoring strategy. This includes establishing and empowering incident response teams and training employees, partners, and vendors on social engineering and computer security.
You can download the paper from this link: Operation Tropic Trooper: Relying on Tried-and-Tested Flaws to Infiltrate Secret Keepers.