Skip to content

G0081 Tropic Trooper

Tropic Trooper is an unaffiliated threat group that has led targeted campaigns against targets in Taiwan, the Philippines, and Hong Kong. Tropic Trooper focuses on targeting government, healthcare, transportation, and high-tech industries and has been active since 2011.123

Item Value
ID G0081
Associated Names Pirate Panda, KeyBoy
Version 1.4
Created 29 January 2019
Last Modified 26 April 2021
Navigation Layer View In ATT&CK® Navigator

Associated Group Descriptions

Name Description
Pirate Panda 4
KeyBoy 21

Techniques Used

Domain ID Name Use
enterprise T1071 Application Layer Protocol -
enterprise T1071.001 Web Protocols Tropic Trooper has used HTTP in communication with the C2.73
enterprise T1071.004 DNS Tropic Trooper‘s backdoor has communicated to the C2 over the DNS protocol.3
enterprise T1119 Automated Collection Tropic Trooper has collected information automatically using the adversary’s USBferry attack.3
enterprise T1020 Automated Exfiltration Tropic Trooper has used a copy function to automatically exfiltrate sensitive data from air-gapped systems using USB storage.3
enterprise T1547 Boot or Logon Autostart Execution -
enterprise T1547.001 Registry Run Keys / Startup Folder Tropic Trooper has created shortcuts in the Startup folder to establish persistence.73
enterprise T1547.004 Winlogon Helper DLL Tropic Trooper has created the Registry key HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell and sets the value to establish persistence.23
enterprise T1059 Command and Scripting Interpreter -
enterprise T1059.003 Windows Command Shell Tropic Trooper has used Windows command scripts.3
enterprise T1543 Create or Modify System Process -
enterprise T1543.003 Windows Service Tropic Trooper has installed a service pointing to a malicious DLL dropped to disk.8
enterprise T1132 Data Encoding -
enterprise T1132.001 Standard Encoding Tropic Trooper has used base64 encoding to hide command strings delivered from the C2.3
enterprise T1140 Deobfuscate/Decode Files or Information Tropic Trooper used shellcode with an XOR algorithm to decrypt a payload. Tropic Trooper also decrypted image files which contained a payload.23
enterprise T1573 Encrypted Channel Tropic Trooper has encrypted traffic with the C2 to prevent network detection.3
enterprise T1573.002 Asymmetric Cryptography Tropic Trooper has used SSL to connect to C2 servers.13
enterprise T1052 Exfiltration Over Physical Medium -
enterprise T1052.001 Exfiltration over USB Tropic Trooper has exfiltrated data using USB storage devices.3
enterprise T1203 Exploitation for Client Execution Tropic Trooper has executed commands through Microsoft security vulnerabilities, including CVE-2017-11882, CVE-2018-0802, and CVE-2012-0158.12
enterprise T1083 File and Directory Discovery Tropic Trooper has monitored files’ modified time.3
enterprise T1564 Hide Artifacts -
enterprise T1564.001 Hidden Files and Directories Tropic Trooper has created a hidden directory under C:\ProgramData\Apple\Updates\ and C:\Users\Public\Documents\Flash\.13
enterprise T1574 Hijack Execution Flow -
enterprise T1574.002 DLL Side-Loading Tropic Trooper has been known to side-load DLLs using a valid version of a Windows Address Book and Windows Defender executable with one of their tools.97
enterprise T1070 Indicator Removal on Host -
enterprise T1070.004 File Deletion Tropic Trooper has deleted dropper files on an infected system using command scripts.3
enterprise T1105 Ingress Tool Transfer Tropic Trooper has used a delivered trojan to download additional files.3
enterprise T1036 Masquerading -
enterprise T1036.005 Match Legitimate Name or Location Tropic Trooper has hidden payloads in Flash directories and fake installer files.3
enterprise T1106 Native API Tropic Trooper has used multiple Windows APIs including HttpInitialize, HttpCreateHttpHandle, and HttpAddUrl.3
enterprise T1046 Network Service Discovery Tropic Trooper used pr and an openly available tool to scan for open ports on target systems.53
enterprise T1135 Network Share Discovery Tropic Trooper used netview to scan target systems for shared resources.5
enterprise T1027 Obfuscated Files or Information Tropic Trooper has encrypted configuration files.13
enterprise T1027.003 Steganography Tropic Trooper has used JPG files with encrypted payloads to mask their backdoor routines and evade detection.3
enterprise T1566 Phishing -
enterprise T1566.001 Spearphishing Attachment Tropic Trooper sent spearphishing emails that contained malicious Microsoft Office and fake installer file attachments.25673
enterprise T1057 Process Discovery Tropic Trooper is capable of enumerating the running processes on the system using pslist.23
enterprise T1055 Process Injection -
enterprise T1055.001 Dynamic-link Library Injection Tropic Trooper has injected a DLL backdoor into dllhost.exe and svchost.exe.13
enterprise T1091 Replication Through Removable Media Tropic Trooper has attempted to transfer USBferry from an infected USB device by copying an Autorun function to the target machine.3
enterprise T1505 Server Software Component -
enterprise T1505.003 Web Shell Tropic Trooper has started a web service in the target host and wait for the adversary to connect, acting as a web shell.3
enterprise T1518 Software Discovery Tropic Trooper‘s backdoor could list the infected system’s installed software.3
enterprise T1518.001 Security Software Discovery Tropic Trooper can search for anti-virus software running on the system.2
enterprise T1082 System Information Discovery Tropic Trooper has detected a target system’s OS version and system volume information.53
enterprise T1016 System Network Configuration Discovery Tropic Trooper has used scripts to collect the host’s network topology.3
enterprise T1049 System Network Connections Discovery Tropic Trooper has tested if the localhost network is available and other connection capability on an infected system using command scripts.3
enterprise T1033 System Owner/User Discovery Tropic Trooper used letmein to scan for saved usernames on the target system.5
enterprise T1221 Template Injection Tropic Trooper delivered malicious documents with the XLSX extension, typically used by OpenXML documents, but the file itself was actually an OLE (XLS) document.2
enterprise T1204 User Execution -
enterprise T1204.002 Malicious File Tropic Trooper has lured victims into executing malware via malicious e-mail attachments.7
enterprise T1078 Valid Accounts -
enterprise T1078.003 Local Accounts Tropic Trooper has used known administrator account credentials to execute the backdoor directly.3

Software

ID Name References Techniques
S0190 BITSAdmin - BITS Jobs Exfiltration Over Unencrypted Non-C2 Protocol:Exfiltration Over Alternative Protocol Ingress Tool Transfer Lateral Tool Transfer
S0387 KeyBoy - Winlogon Helper DLL:Boot or Logon Autostart Execution Python:Command and Scripting Interpreter Windows Command Shell:Command and Scripting Interpreter Visual Basic:Command and Scripting Interpreter PowerShell:Command and Scripting Interpreter Commonly Used Port Windows Service:Create or Modify System Process Credentials from Web Browsers:Credentials from Password Stores Protocol Impersonation:Data Obfuscation File and Directory Discovery Hidden Window:Hide Artifacts Timestomp:Indicator Removal on Host Ingress Tool Transfer Keylogging:Input Capture Dynamic Data Exchange:Inter-Process Communication Obfuscated Files or Information Screen Capture System Information Discovery System Network Configuration Discovery
S0012 PoisonIvy - Application Window Discovery Registry Run Keys / Startup Folder:Boot or Logon Autostart Execution Active Setup:Boot or Logon Autostart Execution Windows Command Shell:Command and Scripting Interpreter Windows Service:Create or Modify System Process Data from Local System Local Data Staging:Data Staged Symmetric Cryptography:Encrypted Channel Ingress Tool Transfer Keylogging:Input Capture Modify Registry Obfuscated Files or Information Dynamic-link Library Injection:Process Injection Rootkit
S0596 ShadowPad - File Transfer Protocols:Application Layer Protocol DNS:Application Layer Protocol Web Protocols:Application Layer Protocol Non-Standard Encoding:Data Encoding Deobfuscate/Decode Files or Information Domain Generation Algorithms:Dynamic Resolution Indicator Removal on Host Ingress Tool Transfer Modify Registry Non-Application Layer Protocol Obfuscated Files or Information Process Discovery Process Injection Dynamic-link Library Injection:Process Injection Scheduled Transfer System Information Discovery System Network Configuration Discovery System Owner/User Discovery System Time Discovery
S0452 USBferry - Local Account:Account Discovery Windows Command Shell:Command and Scripting Interpreter Data from Local System File and Directory Discovery Peripheral Device Discovery Process Discovery Remote System Discovery Replication Through Removable Media Rundll32:System Binary Proxy Execution System Network Configuration Discovery System Network Connections Discovery
S0388 YAHOYAH - Web Protocols:Application Layer Protocol Deobfuscate/Decode Files or Information Ingress Tool Transfer Obfuscated Files or Information Security Software Discovery:Software Discovery System Information Discovery

References


  1. Horejsi, J., et al. (2018, March 14). Tropic Trooper’s New Strategy. Retrieved November 9, 2018. 

  2. Ray, V. (2016, November 22). Tropic Trooper Targets Taiwanese Government and Fossil Fuel Provider With Poison Ivy. Retrieved November 9, 2018. 

  3. Chen, J.. (2020, May 12). Tropic Trooper’s Back: USBferry Attack Targets Air gapped Environments. Retrieved May 20, 2020. 

  4. Busselen, M. (2020, April 7). On-demand Webcast: CrowdStrike Experts on COVID-19 Cybersecurity Challenges and Recommendations. Retrieved May 20, 2020. 

  5. Alintanahin, K. (2015). Operation Tropic Trooper: Relying on Tried-and-Tested Flaws to Infiltrate Secret Keepers. Retrieved June 14, 2019. 

  6. Alexander, G., et al. (2018, August 8). Familiar Feeling: A Malware Campaign Targeting the Tibetan Diaspora Resurfaces. Retrieved June 17, 2019. 

  7. Moore, S. et al. (2020, April 30). Anomali Suspects that China-Backed APT Pirate Panda May Be Seeking Access to Vietnam Government Data Center. Retrieved May 19, 2020. 

  8. Parys, B. (2017, February 11). The KeyBoys are back in town. Retrieved June 13, 2019. 

  9. Hulcoop, A., et al. (2016, November 17). It’s Parliamentary KeyBoy and the targeting of the Tibetan Community. Retrieved June 13, 2019. 

  10. Insikt Group. (2021, February 28). China-Linked Group RedEcho Targets the Indian Power Sector Amid Heightened Border Tensions. Retrieved March 22, 2021. 

Back to top