Check Point Research uncovered an activity cluster with ties to the China-linked APT Tropic Trooper (aka Earth Centaur, KeyBoy, and Pirate Panda) that involved the use of a previously undescribed loader (dubbed “Nimbda”) written in the Nim language.
The Tropic Trooper APT has been active since at least 2012; it was first spotted by security experts at Trend Micro in 2015, when the threat actors targeted government ministries and heavy industries in Taiwan and the military in the Philippines.
Nimbda works by injecting a piece of code into a launched notepad.exe process, which allows the operators to start a three-tier infection chain. The final payload, encoded in the image, is TClient, a backdoor that the Tropic Trooper APT group used in past campaigns.
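The behaviour described above (a dropper launches notepad.exe and then injects into it) is something a defender can look for in endpoint telemetry by correlating a process-creation event with a later remote-thread event whose source is the same process that spawned notepad.exe. The following is an added example, not code from Check Point or from the Security Affairs article: it runs a small correlation rule over constructed events shaped like Sysmon Event ID 1 (process create) and Event ID 8 (CreateRemoteThread). The file names, PIDs and paths are invented sample data.

```python
"""Toy correlation rule: flag a process that launches notepad.exe and then
creates a remote thread in it, using Sysmon-style events.
All events below are constructed sample data, not real telemetry."""

# Constructed sample events in a Sysmon-like shape (EID 1 = process create,
# EID 8 = CreateRemoteThread). Paths and PIDs are hypothetical.
SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessId": 4100,
     "Image": "C:\\Users\\u\\Downloads\\bundle.exe",
     "ParentProcessId": 900, "ParentImage": "C:\\Windows\\explorer.exe"},
    {"EventID": 1, "ProcessId": 4120,
     "Image": "C:\\Windows\\System32\\notepad.exe",
     "ParentProcessId": 4100, "ParentImage": "C:\\Users\\u\\Downloads\\bundle.exe"},
    {"EventID": 8, "SourceProcessId": 4100,
     "SourceImage": "C:\\Users\\u\\Downloads\\bundle.exe",
     "TargetProcessId": 4120, "TargetImage": "C:\\Windows\\System32\\notepad.exe"},
    # Benign baseline: the user opens Notepad from Explorer, no remote thread follows.
    {"EventID": 1, "ProcessId": 5000,
     "Image": "C:\\Windows\\System32\\notepad.exe",
     "ParentProcessId": 900, "ParentImage": "C:\\Windows\\explorer.exe"},
]


def find_notepad_injection(events):
    """Return (injector_pid, injector_image, notepad_pid) tuples for every
    process that spawned notepad.exe (EID 1) and later created a remote
    thread in that same notepad.exe instance (EID 8).

    The two-event correlation is what keeps the rule quiet: a remote thread
    into notepad.exe from an unrelated process (e.g. an EDR agent) or a
    notepad.exe launched from Explorer without any injection is not flagged."""
    notepad_parent = {}  # notepad.exe pid -> pid of the process that launched it
    hits = []
    for ev in events:
        if ev["EventID"] == 1 and ev["Image"].lower().endswith("\\notepad.exe"):
            notepad_parent[ev["ProcessId"]] = ev["ParentProcessId"]
        elif ev["EventID"] == 8:
            target = ev["TargetProcessId"]
            if notepad_parent.get(target) == ev["SourceProcessId"]:
                hits.append((ev["SourceProcessId"], ev["SourceImage"], target))
    return hits


if __name__ == "__main__":
    for pid, image, target in find_notepad_injection(SAMPLE_EVENTS):
        print(f"ALERT: pid {pid} ({image}) launched and injected into notepad.exe pid {target}")
```

In a real deployment the same rule would be fed from the Sysmon event log or the SIEM rather than from an in-memory list, and the parent check can be tightened further (for example, alerting only when the injector is an unsigned binary in a user-writable directory).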
The loader was bundled with a Chinese language greyware “SMS Bomber” tool that is most likely distributed in the Chinese underground. SMS Bomber allows a user to flood the victim’s phone number with a very long list of pre-baked HTTP requests asking for one-time codes, verification messages, password recoveries and the like. The attack aims at making the device unusable.
Experts pointed out that the attack is targeted in nature, since it spreads a trojanized version of the SMS Bomber tool, software that is of interest only to a specific audience.
“Whoever crafted the Nim loader took special care to give it the same executable icon as the SMS Bomber that it drops and executes. Therefore the entire bundle works as a trojanized binary. That is: the victim launches what they think is just an SMS Bomber, but is actually an SMS Bomber plus a backdoor.” reads the post published by Check Point experts. “An attack making use of such a trojanized binary is necessarily aimed at a rather unorthodox target — people who’d use such an “SMS Bomber” tool in the first place.”
The threat actors also used a new variant of the ‘Yahoyah’ Trojan to gather information about local wireless networks. This version gathers the information collected by the original Yahoyah (i.e., computer name, MAC address, OS version, installed AV products, and the presence of WeChat and Tencent files) along with the SSIDs of wireless networks in the victim machine’s vicinity. The collected information is formatted and sent to the C&C server.
The encryption routine used to wrap the Yahoyah Trojan in this campaign is a custom implementation of AES, which Check Point dubbed AEES.
Check Point identified dozens of hosts used in this campaign, and the experts pointed out that most of the infrastructure used by the threat actor was hosted by Chinese hosting providers.
“The observed activity cluster paints a picture of a focused, determined actor with a clear goal in mind. Usually, when 3rd-party benign (or benign-appearing) tools are hand-picked to be inserted into an infection chain, they are chosen to be the least conspicuous possible; the choice of an “SMS Bomber” tool for this purpose is unsettling, and tells a whole story the moment one dares to extrapolate a motive and an intended victim.” the researchers concluded. “The surgical modifications to AES are evidence that this actor probably has a decent grasp of block cipher internals. And, finally, the addition of network scanning functionality to Yahoyah shows us that the tools at the disposal of threat actors will be honed and improved as time passes, one way or the other. It falls to the security industry to try to keep pace with these changes as they happen, and react accordingly.”
(SecurityAffairs – hacking, Tropic Trooper)