EXECUTIVE SUMMARY
Threat actors behind this campaign have been identified as Tropic Trooper, a known adversary with a history of targeting Chinese-speaking individuals and organisations in Taiwan, South Korea, and Japan. The campaign's primary objective is to deploy a trojanised SumatraPDF reader, which executes a multi-stage attack chain ultimately leading to the download and abuse of Visual Studio Code tunnels for remote access. The attackers use a combination of military-themed document lures and a custom AdaptixC2 Beacon listener, hosted on a GitHub repository, to gain remote access to compromised systems. This campaign showcases the adversary's ability to adapt and pivot their tactics, techniques, and procedures to achieve their objectives.
The malware infection begins with the delivery of a trojanised SumatraPDF reader, which resembles the legitimate SumatraPDF executable but contains malicious code. Once executed, the malware downloads a decoy PDF and a second-stage shellcode payload from a C2 IP address. The shellcode is an AdaptixC2 Beacon agent that communicates with the C2 server using HTTP/S. The agent also uses a custom GitHub listener, hosted on a GitHub repository, to receive commands and instructions from the attacker. The C2 server hosts additional payloads, including a VS Code binary, which is downloaded and executed on the compromised system. The attackers use the remote access tunnel established through VS Code to interact with the compromised system.
This campaign highlights the importance of maintaining up-to-date software, particularly for commonly used applications like SumatraPDF and VS Code. Organisations should also implement robust endpoint protection, including antivirus software and a reputable firewall, to prevent malware infections. Regular patching and updates of operating systems and applications are also crucial in preventing exploitation of known vulnerabilities. Additionally, organisations should implement a robust security monitoring and incident response plan to quickly detect and respond to potential threats.
THREAT PROFILE:
| Tactic | Technique ID | Technique | Sub-technique |
|---|---|---|---|
| Initial Access | T1566.001 | Phishing | Spearphishing Attachment |
| Resource Development | T1608.002 | Stage Capabilities | Upload Tool |
| Resource Development | T1588.001 | Obtain Capabilities | Malware |
| Execution | T1204.002 | User Execution | — |
| Execution | T1106 | Native API | — |
| Execution | T1059.003 | Command and Scripting Interpreter | Windows Command Shell |
| Defense Evasion | T1036.001 | Masquerading | Invalid Code Signature |
| Defense Evasion | T1036.004 | Masquerading | Masquerade Task or Service |
| Defense Evasion | T1620 | Reflective Code Loading | — |
| Defense Evasion | T1027.007 | Obfuscated Files or Information | Dynamic API Resolution |
| Defense Evasion | T1027.013 | Obfuscated Files or Information | Encrypted/Encoded File |
| Defense Evasion | T1127 | Trusted Developer Utilities Proxy Execution | — |
| Discovery | T1016 | System Network Configuration Discovery | — |
| Collection | T1005 | Data from Local System | — |
| Command and Control | T1102.002 | Web Service | — |
| Command and Control | T1105 | Ingress Tool Transfer | — |
| Command and Control | T1132.001 | Data Encoding | Standard Encoding |
| Command and Control | T1573.001 | Encrypted Channel | Symmetric Cryptography |
| Command and Control | T1573.002 | Encrypted Channel | Asymmetric Cryptography |
| Exfiltration | T1001.003 | Data Obfuscation | Protocol Impersonation |
| Exfiltration | T1041 | Exfiltration Over C2 Channel | — |
REFERENCES:
The following reports contain further technical details:
https://www.darkreading.com/threat-intelligence/tropic-trooper-apt-takes-aim-home-routers-japanese-targets
https://www.zscaler.com/blogs/security-research/tropic-trooper-pivots-adaptixc2-and-custom-beacon-listener