Hackers targeting government groups is nothing new. Governing agencies in nearly every country have long been top priorities for cybercriminals because of the large repositories of information these groups keep.
Recently, however, one hacking organization has been grabbing headlines after targeting institutions including government and military agencies, as well as certain heavy-industry companies, in Taiwan and the Philippines, according to Trend Micro.
What makes this campaign – dubbed "Operation Tropic Trooper" – unusual is that the group relies on basic, long-established tactics. The approach has clearly been effective: the campaign has been operating and stealing sensitive data for the past three years.
What is Operation Tropic Trooper?
According to Trend Micro researchers, the malicious actors behind Operation Tropic Trooper may have been operating as early as 2011, as the malware attackers utilized in 2012 attacks share characteristics with samples uncovered the year before.
Researchers dubbed the campaign Operation Tropic Trooper due to the type of targets the group looks to attack – including major government organizations and corporations in the Asia-Pacific region.
"The threat actors behind Operation Tropic Trooper – which we named specifically for its choice of targets – aim to steal highly classified information from several Taiwanese government ministries and heavy industries as well as the Philippine military," Trend Micro threat analyst Kervin Alintanahin wrote in a blog post.
Through its research, Trend Micro was able to establish a breakdown of attack targets, and found that 62 percent targeted Taiwanese organizations while the other 38 percent focused on Philippine institutions. Researchers also discovered that the command-and-control servers used in the attacks resided mainly in Taiwan and the U.S., with others in Hong Kong and the United Arab Emirates.
How do they attack?
In the vast majority of attacks, Operation Tropic Trooper has leveraged two Windows vulnerabilities, CVE-2010-3333 and CVE-2012-0158, two of the most widely exploited flaws among attackers. The group uses spear-phishing emails to deliver exploits for these vulnerabilities, which date from 2010 and 2012 respectively. The attackers increase the likelihood of infection through careful social engineering, including contextually relevant subjects, content and specifically named attachments that urge recipients to open and download the files, a Trend Micro white paper explained. One email contained an attachment titled "Statement," to suggest that the document was a receipt or a similarly important item. Other file names include "關於104年中央政府總預算.doc (translation: About 104 years total central government budget.doc)," "Troops Disposition 26 FEB 13.doc," and "[REDACTED]自荐信及个人简历.doc (translation: [REDACTED] cover letter and your resume.doc)."
When victims open the files, a malicious executable – usually a downloader that retrieves an image file from a compromised site – is run. Some attachments open legitimate-looking decoy documents to cover their tracks, while others simply run the downloader, identified as TROJ_YAHOYAH, which has both 32- and 64-bit support. TROJ_YAHOYAH then downloads an encrypted image file carrying an executable onto the victim's system, where it is loaded and executed in memory. This file in turn decrypts, loads and executes the main installer in the machine's memory.
The main installer decrypts and installs another downloader, TROJ_YAHAMAM, as well as a backdoor-laced image file known as BKDR_YAHAMAM. In addition to encrypting its command-and-control communication, this file also loads and executes in memory, and proceeds to install a rootkit, RTKT_HIDEPORT.ZTCA-XO. It is this rootkit that finally executes the malicious routines and steals sensitive data.
"The attached documents attack two commonly exploited Windows vulnerabilities, CVE-2010-3333 and CVE-2012-0158 to be able to run a Trojan," Trend Micro explained. "The Trojan, TROJ_YAHOYAH, eventually downloads and decrypts a malicious image or decoy file. [E]ncrypted into them via simple steganography is BKDR_YAHAMAM, a malware that steals data from the system, kills processes and services, deletes files and directories, puts systems to sleep, and performs other backdoor capabilities."
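The chain above turns ordinary-looking image files into carriers for encrypted executables. A generic defensive check that follows from that, added here as an example and not code from Trend Micro or from the campaign itself, is to parse an image down to its real end-of-image marker and report any bytes that follow it. The article only says the payload is hidden by "simple steganography", so this is not a reconstruction of the campaign's encoding; it catches the common case of data appended after a PNG IEND chunk or a JPEG EOI marker. The sample images are constructed inline, and the JPEG walker is deliberately careful about byte-stuffed 0xFF00 and RSTn markers inside scan data so an embedded thumbnail or stuffing byte does not produce a false end marker.

```python
"""Report bytes that trail a PNG or JPEG end-of-image marker.

Added example (not Trend Micro's or the campaign's code). Image samples
below are constructed in-line; the heuristic is generic, not the specific
encoding Operation Tropic Trooper used.
"""
import struct
import zlib
from typing import Optional, Tuple

PNG_MAGIC = b"\x89PNG\r\n\x1a\n"
JPEG_MAGIC = b"\xff\xd8"


def png_end_offset(data: bytes) -> Optional[int]:
    """Walk PNG chunks and return the offset just past the IEND chunk (None if malformed)."""
    if not data.startswith(PNG_MAGIC):
        return None
    pos = len(PNG_MAGIC)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        pos += 8 + length + 4  # header + chunk data + CRC
        if ctype == b"IEND":
            return pos
    return None


def jpeg_end_offset(data: bytes) -> Optional[int]:
    """Walk JPEG marker segments and return the offset just past the EOI marker (None if malformed)."""
    if not data.startswith(JPEG_MAGIC):
        return None
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            return None  # expected a marker here
        marker = data[pos + 1]
        if marker == 0xD9:                 # EOI: real end of the image
            return pos + 2
        if marker == 0xFF:                 # fill byte, skip it
            pos += 1
            continue
        if marker in (0x01, 0xD8) or 0xD0 <= marker <= 0xD7:
            pos += 2                       # standalone markers carry no length
            continue
        if pos + 4 > len(data):
            return None
        seglen = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        pos += 2 + seglen
        if marker == 0xDA:                 # SOS: skip entropy-coded data to the next marker
            while pos + 1 < len(data):
                nxt = data[pos + 1]
                if data[pos] == 0xFF and nxt != 0x00 and not 0xD0 <= nxt <= 0xD7:
                    break                  # a real marker, not stuffing or RSTn
                pos += 1
    return None


def image_trailer(data: bytes) -> Optional[Tuple[str, int]]:
    """Return (format, trailing_byte_count); None when the data is not a parseable PNG/JPEG."""
    for fmt, fn in (("png", png_end_offset), ("jpeg", jpeg_end_offset)):
        end = fn(data)
        if end is not None:
            return fmt, len(data) - end
    return None


# ---- constructed samples for a stand-alone run ----
def _png_chunk(ctype: bytes, body: bytes) -> bytes:
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)


def build_sample_png() -> bytes:
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)  # 1x1 pixel, 8-bit RGB
    idat = zlib.compress(b"\x00\x00\x00\x00")            # filter byte + one black pixel
    return PNG_MAGIC + _png_chunk(b"IHDR", ihdr) + _png_chunk(b"IDAT", idat) + _png_chunk(b"IEND", b"")


def build_sample_jpeg() -> bytes:
    app0 = b"\xff\xe0" + struct.pack(">H", 16) + b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    sos = b"\xff\xda" + struct.pack(">H", 8) + b"\x01\x01\x00\x00\x3f\x00"
    scan = b"\x12\xff\x00\x34\xff\xd0\x56"  # stuffed 0xFF00 and an RST0 marker inside scan data
    return JPEG_MAGIC + app0 + sos + scan + b"\xff\xd9"


if __name__ == "__main__":
    for name, blob in (("clean.png", build_sample_png()),
                       ("carrier.png", build_sample_png() + b"\x00" * 40),
                       ("clean.jpg", build_sample_jpeg()),
                       ("carrier.jpg", build_sample_jpeg() + b"\x00" * 64)):
        print(name, image_trailer(blob))
```

A non-zero trailer count is only a triage signal: some cameras and editors append harmless metadata, so the hit belongs in a review queue with the downloading process and source host recorded alongside it, not in an automatic block.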
Protecting against infection
While the motivations behind the campaign have yet to come to light, it is clear who the targets are and what the hackers are after. And while the strategies utilized in the attacks are less advanced than others seen recently, this does not make Operation Tropic Trooper any less dangerous.
"Operation Tropic Trooper is not highly sophisticated," Trend Micro noted. "But the fact that it has attained some degree of success and has managed to infiltrate crucial organizations in both Taiwan and the Philippines shows the urgent need for targeted entities to rectify their shortcomings in terms of security."
Protection is particularly important for those that fall into the target categories, including Taiwan- and Philippines-based government agencies, military institutions and heavy-industry corporations. One step toward better security is to ensure that the main Windows vulnerabilities used in the attack – CVE-2010-3333 and CVE-2012-0158 – have been patched, so the malicious documents have nothing left to exploit. Trend Micro researchers also recommend that network and system administrators block user access to the C&C servers related to the attack.
In addition, users and executives alike can be on the lookout for any suspicious-looking emails or attachments that could signal the beginning of an attack. Trend Micro's white paper includes a range of helpful information here, including the identified attachment names being used, as well as the download links. Administrators can consult this list to check the legitimacy of any email messages or attached documents.
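The white paper's list of attachment names and download links lends itself to an automated mail-gateway check. The script below is an added example, not part of Trend Micro's material: it parses an .eml message with Python's standard `email` package, normalises attachment names to Unicode NFC (so differently composed CJK strings still match), and looks for the attachment names quoted in the article and for links to known download hosts. The download hosts are placeholders because the white paper's links are not reproduced on this page; the sample messages are constructed inline.

```python
"""Screen an .eml message against known attachment names and download hosts.

Added example; not code from Trend Micro's white paper. Attachment names
come from the article, the download host is a constructed placeholder.
"""
import email
import email.policy
import re
import unicodedata
from email.message import EmailMessage
from typing import Dict, List, Set

# Attachment names quoted in the article, normalised once so comparisons are consistent.
KNOWN_ATTACHMENT_NAMES = {
    unicodedata.normalize("NFC", n) for n in (
        "Statement",
        "關於104年中央政府總預算.doc",
        "Troops Disposition 26 FEB 13.doc",
    )
}
# Placeholder: the white paper's download links would be listed here.
KNOWN_DOWNLOAD_HOSTS = {"download.example.invalid"}  # constructed placeholder

URL_HOST_RE = re.compile(r"https?://([^/\s\"'>]+)", re.IGNORECASE)


def attachment_names(msg: EmailMessage) -> List[str]:
    """Decoded, NFC-normalised file names of every attachment part."""
    names = []
    for part in msg.iter_attachments():
        fn = part.get_filename()
        if fn:
            names.append(unicodedata.normalize("NFC", fn))
    return names


def linked_hosts(msg: EmailMessage) -> Set[str]:
    """Host names of every http(s) URL in the message body."""
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body is not None else ""
    return {m.group(1).lower() for m in URL_HOST_RE.finditer(text)}


def triage(raw: bytes) -> Dict[str, object]:
    """Parse a raw message and report indicator matches."""
    msg = email.message_from_bytes(raw, policy=email.policy.default)
    names = attachment_names(msg)
    name_hits = [n for n in names if n in KNOWN_ATTACHMENT_NAMES]
    host_hits = sorted(linked_hosts(msg) & KNOWN_DOWNLOAD_HOSTS)
    return {
        "attachments": names,
        "name_hits": name_hits,
        "host_hits": host_hits,
        "suspicious": bool(name_hits or host_hits),
    }


def build_sample_message(with_indicators: bool = True) -> bytes:
    """Constructed sample: a budget-themed lure with a .doc attachment and a download link."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "budget-office@example.invalid"
    msg["Subject"] = "Re: 104年度預算"
    if with_indicators:
        msg.set_content("See attached. http://download.example.invalid/img.jpg")
        filename = "關於104年中央政府總預算.doc"
    else:
        msg.set_content("Minutes from today. http://intranet.example.invalid/minutes")
        filename = "minutes.doc"
    msg.add_attachment(b"placeholder bytes, not a real document",
                       maintype="application", subtype="msword", filename=filename)
    return msg.as_bytes()


if __name__ == "__main__":
    print(triage(build_sample_message(True)))
    print(triage(build_sample_message(False)))
```

Treat a name match as a reason for review rather than an automatic block: a short generic name such as "Statement" will also appear in legitimate mail, while the CJK names and the download hosts are far more specific. Keep the indicator sets in a file the gateway reloads, so they can follow updates to the white paper without a code change.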