Researchers have spotted a new campaign linked with the Chinese hacking group, named Tropic Trooper. The campaign used the Nimbda loader and a new variant of the Yahoyah trojan.
A report from CheckPoint disclosed the recent campaign and claims that the attackers displayed in-depth cryptographic knowledge.
The attackers extended the AES specification in a custom implementation by performing the inverted sequence of round operations twice.
The trojan is bundled in a greyware tool named SMS Bomber, which is used for DoS attacks against phones. Such types of tools are generally used by beginner threat actors who want to carry out attacks against sites.
How does the infection work?
The infection starts with downloading a malicious version of SMS Bomber, which contains the tool's binary and standard functionality.
The download has been modified to add additional code that injects into a notepad[.]exe process.
The downloaded .exe file is the Nimbda loader that has SMS Bomber as an embedded executable.
The Yahoyah variant
The Nimbda loader injects shellcode inside the notepad process to reach a GitHub repository, gets an obfuscated executable, decodes, and executes it using process hollowing in dllhost[.]exe.
This payload is a new variant of Yahoyah, which collects data about the host and then sends it to the C2 server. The collected information includes MAC address, computer name, and OS version, among others.
The final payload, dropped by the Yahoyah executable, is inserted in a JPG image using steganography. The .exe is spotted as a TClient backdoor, used by Tropic Trooper in several past campaigns.
The Tropic Trooper group seems to be focusing on espionage attacks. It has used SMS Bomber for narrow targeting based on collected intelligence during espionage. Thus, it is strongly recommended to protect sensitive information with encryption and proper access control.