A sophisticated and well-equipped cyberespionage group has been targeting the transportation industry and government agencies connected to the sector since July 2020, yet another uptick in malicious activities that are “just the tip of the iceberg.”
Trend Micro researchers Nick Dai, Ted Lee, and Vickie Su wrote in a report published last week that the group attempted to access internal documents (such as flight schedules and financial plans) and personal information on compromised hosts (such as search histories).
Earth Centaur, also known as Pirate Panda and Tropic Trooper, is a long-running threat group focused on information theft and espionage that has targeted government, healthcare, transportation, and high-tech industries in Taiwan, the Philippines, and Hong Kong since 2011.
The group is a Chinese-speaking actor that uses spear-phishing emails with weaponized attachments to exploit known vulnerabilities, while continually improving its malicious tools' obfuscation, stealth, and striking power.
“Red teamwork is a strong point of this threat group,” the researchers explained. “The group knows how to bypass security features and keep its operation unobtrusive. Its use of open-source frameworks enables it to develop new backdoor variants with ease.”
By May 2020, attackers were deploying a USB trojan dubbed USBFerry to attack physically isolated networks belonging to government institutions and military entities in Taiwan and the Philippines with the intent of siphoning sensitive data through removable flash drives.
Trend Micro details the latest multi-stage intrusion sequence, in which the group exploits vulnerabilities in IIS servers and Exchange servers to install a web shell, which is then used to download a .NET-based Nerapack loader and a first-stage backdoor called Quasar onto the compromised system.
In addition, the attackers drop a slew of second-stage implants such as ChiserClient, SmileSvr, HTShell, and bespoke versions of Lilith RAT and Gh0st RAT, chosen depending on the victim. These implants retrieve further instructions from a remote server, download additional payloads, perform file operations, run arbitrary commands, and exfiltrate the results back to the attacker.
It doesn’t end there. After successful exploitation of the system, Tropic Trooper also attempts to breach the intranet, dump credentials, and wipe out event logs from the infected machines using a specific set of tools. Also put to use is a command-line program called Rclone that enables the actor to copy harvested data to different cloud storage providers. “At present, we have not discovered substantial damage to these victims as a result of the threat group,” Trend Micro’s analysts explained. “Nevertheless, we believe that it will continue collecting internal information from compromised victims and is simply waiting for an opportunity to use this data.”
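The chain described above (web shell on an IIS/Exchange server, event-log clearing, and Rclone-based exfiltration to cloud storage) leaves traces that host telemetry can catch. The following detection sketch is an added example, not code from the Trend Micro report or from the threat group's tooling. It runs three simple rules over a handful of constructed SIEM-style events: a web worker process (w3wp.exe) spawning a command shell, execution of rclone.exe, and Windows "log cleared" events (Security 1102, System 104). The key=value layout, field names, host names, paths and timestamps are all assumptions constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

# Constructed sample telemetry (not taken from the Trend Micro report).
# Field names (ts, host, event_id, parent_image, image, cmdline, channel)
# are assumptions standing in for a SIEM export of Windows events.
SAMPLE_EVENTS = [
    'ts=2021-12-10T09:01:12Z host=WEB01 event_id=4688 parent_image=C:\\Windows\\System32\\inetsrv\\w3wp.exe image=C:\\Windows\\System32\\cmd.exe cmdline="cmd.exe /c whoami"',
    'ts=2021-12-10T09:01:15Z host=WEB01 event_id=4688 parent_image=C:\\Windows\\System32\\inetsrv\\w3wp.exe image=C:\\Windows\\System32\\conhost.exe cmdline="conhost.exe 0x4"',
    'ts=2021-12-10T09:03:40Z host=WEB01 event_id=4688 parent_image=C:\\Windows\\explorer.exe image=C:\\Tools\\rclone.exe cmdline="rclone.exe copy D:\\share\\finance remote:backup"',
    'ts=2021-12-10T09:05:02Z host=WEB01 event_id=1102 channel=Security subject=WEB01\\svc_iis',
    'ts=2021-12-10T09:05:03Z host=WEB01 event_id=104 channel=System',
    'ts=2021-12-10T09:10:00Z host=WS07 event_id=4688 parent_image=C:\\Windows\\explorer.exe image=C:\\Windows\\System32\\notepad.exe cmdline="notepad.exe"',
]

# key=value pairs; a value is either a double-quoted string (may contain
# spaces) or a run of non-whitespace characters.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Process-creation (4688) children of a web worker that indicate a web shell.
WEB_WORKERS = {"w3wp.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe"}
# Cloud-sync tooling used for staging/exfiltration.
EXFIL_TOOLS = {"rclone.exe"}
# Windows "audit log was cleared" (Security) and "log file was cleared" (System).
LOG_CLEAR_IDS = {"1102", "104"}


@dataclass(frozen=True)
class Finding:
    ts: str
    host: str
    rule: str
    detail: str


def parse_event(line: str) -> Dict[str, str]:
    """Parse one key=value line into a dict, stripping quotes from values."""
    fields: Dict[str, str] = {}
    for key, raw in KV_RE.findall(line):
        fields[key] = raw[1:-1] if raw.startswith('"') else raw
    return fields


def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def evaluate(event: Dict[str, str]) -> Optional[Finding]:
    """Apply the three rules to a single parsed event."""
    eid = event.get("event_id")
    host = event.get("host", "?")
    ts = event.get("ts", "?")
    if eid == "4688":
        parent = basename(event.get("parent_image", ""))
        child = basename(event.get("image", ""))
        if parent in WEB_WORKERS and child in SHELLS:
            return Finding(ts, host, "webshell_child_process",
                           f"{parent} -> {child}: {event.get('cmdline', '')}")
        if child in EXFIL_TOOLS:
            return Finding(ts, host, "cloud_sync_tool", event.get("cmdline", ""))
    elif eid in LOG_CLEAR_IDS:
        return Finding(ts, host, "event_log_cleared",
                       f"channel={event.get('channel', '?')}")
    return None


def scan(lines: Iterable[str]) -> List[Finding]:
    """Run every rule over every line and return the findings in order."""
    findings: List[Finding] = []
    for line in lines:
        finding = evaluate(parse_event(line))
        if finding is not None:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"{f.ts} {f.host} [{f.rule}] {f.detail}")
```

On the sample data the conhost.exe child of w3wp.exe is deliberately not flagged, since the console host is a normal child of any console process; narrowing the child list to interpreters is what keeps the web-shell rule quiet on a healthy IIS host. In practice the rclone rule should also key on renamed binaries (hash or original-filename metadata), and a log-clear event on a server that moments earlier spawned a shell from w3wp.exe is worth correlating into a single higher-severity alert rather than three separate ones.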
Beyond the new capabilities built into the malware so that it can linger on infected hosts, the findings are notable because of the steps the advanced persistent threat (APT) group takes to avoid detection and because of the critical nature of the targeted entities.
Researchers said the group was able to map its targets’ network infrastructure and bypass firewalls. “It uses backdoors with different protocols, which are deployed based on the victim. It has also developed customized tools to evade security monitoring in various environments. It exploits vulnerable websites and uses them as [command-and-control] servers.”