The Tropic Trooper APT that has been active at least since 2012, it was first spotted last year by security experts at Trend Micro when it targeted government ministries and heavy industries in Taiwan and the military in the Philippines.
Now researchers from Palo Alto Networks targeted the secretary general of Taiwan’s Executive Yuan and a fossil fuel provider with a strain of malware called Yahoyah. The attackers leverage an exploit for the CVE 2012-0158 vulnerability, the same flaw was exploited by many other APT groups, including Lotus Blossom, NetTraveller, and The Four Element Sword ATP.
Palo Alto Networks discovered that the group used Poison Ivy for his campaigns, a circumstance that emerged in the analysis of TrendMicro.
“The attacks in this case are associated with a campaign called Tropic Trooper, which has been active since at least 2011 and is known for heavily targeting Taiwan. One of the attacks used their known Yahoyah malware, but the other attack deployed the widely available Poison Ivy RAT.” state the report published by Palo Alto Networks. “This confirms the actors are using Poison Ivy as part of their toolkit, something speculated in the original Trend Micro report but not confirmed by them. Further analysis uncovered a handful of ties indicating the actors may also be using the PCShare malware family, which has not been previously tied to the group.”
The hackers launched a spear-phishing campaign to trick victims into opening specially crafted decoy documents. The Excel file sent to the Executive Yuan purports to come from a staff member at the Democratic Progressive Party, the document is related to political issues.
After infecting the target machine, the malware displays to the victim a clean document that contains the content of interest.
“All of the text uses Traditional Chinese, in contrast to Simplified Chinese, which is the official written language of the People’s Republic of China. Traditional Chinese is used in Taiwan, Hong Kong, Macau, and many overseas Chinese communities. The overarching theme of the spreadsheet is documenting protestor activity and/or progressive reform attempts in progress across Taiwan and the tone of the spreadsheet suggests it was compiled by progressive supporters.” continues the report.
(SecurityAffairs – hacking, APT)