
PH gov’t, military agencies are latest targets of ‘Operation Tropic Trooper’ malware

Operation Tropic Trooper campaign flow

The Philippines and Taiwan are the latest targets of “Operation Tropic Trooper,” an ongoing campaign that has been found to be using old infiltration tactics—two commonly exploited Windows vulnerabilities, social engineering methods, and basic steganography—to steal state and industry secrets since 2012, according to Trend Micro.

Throughout March to May 2015, Trend Micro’s researchers noted that 62% of the Tropic Trooper-related malware infections targeted Taiwanese organizations while the remaining 38% zoned in on Philippine entities.

Specific targets included government institutions, military agencies, and companies in the heavy industry in the countries mentioned.

Threat actors of the campaign are familiar with their target organizations’ networks and know which hooks to use to bait them. They crafted spear-phishing emails with seemingly interesting attachments hinting at planned bombings, resumes, or government budgets; the attached documents exploited two commonly abused Windows vulnerabilities, CVE-2010-3333 and CVE-2012-0158, in order to run a Trojan.


The Trojan, TROJ_YAHOYAH, eventually downloads and decrypts a malicious image or decoy file. The downloaded images appear harmless and look similar to default wallpapers in Windows XP systems. However, encrypted into them via simple steganography is BKDR_YAHAMAM, a malware that steals data from the system, kills processes and services, deletes files and directories, puts systems to sleep, and performs other backdoor capabilities.
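The article does not describe how BKDR_YAHAMAM was embedded in the wallpaper-like images beyond calling it "simple steganography". The following Python script is an added example for defenders, not code from Trend Micro or from the article, and it assumes only one of the simplest embedding styles: payload bytes appended after the image format's end marker. It walks a PNG's chunk list to the IEND chunk, reports any bytes that follow it, and measures their entropy so an analyst can triage images pulled from a suspect download. The sample images are constructed inline; the suspicious one carries a labelled dummy payload, not real malware.

```python
import math
import struct
import zlib
from typing import Optional

PNG_SIG = b"\x89PNG\r\n\x1a\n"


def find_png_end(data: bytes) -> Optional[int]:
    """Walk the PNG chunk list and return the offset just past IEND.

    Returns None when the data is not a well-formed PNG (bad signature,
    truncated chunk, or no IEND chunk at all).
    """
    if not data.startswith(PNG_SIG):
        return None
    pos = len(PNG_SIG)
    while pos + 8 <= len(data):
        length = struct.unpack(">I", data[pos:pos + 4])[0]
        ctype = data[pos + 4:pos + 8]
        end = pos + 8 + length + 4  # 4-byte length + 4-byte type + payload + 4-byte CRC
        if end > len(data):
            return None  # chunk claims more bytes than the file holds
        if ctype == b"IEND":
            return end
        pos = end
    return None


def trailing_bytes(data: bytes) -> Optional[bytes]:
    """Return whatever follows the IEND chunk (empty if nothing), or None if not PNG."""
    end = find_png_end(data)
    if end is None:
        return None
    return data[end:]


def shannon_entropy(buf: bytes) -> float:
    """Bits of entropy per byte; compressed or encrypted data sits near 8.0."""
    if not buf:
        return 0.0
    counts = [0] * 256
    for b in buf:
        counts[b] += 1
    n = len(buf)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def assess_image(data: bytes) -> dict:
    """Triage summary for one image: trailing-data length and its entropy.

    A non-zero trailing length is a signal worth a closer look, not proof of
    a hidden payload; some legitimate tools leave junk after IEND too.
    """
    tail = trailing_bytes(data)
    if tail is None:
        return {"format": "unknown", "trailing_len": 0, "trailing_entropy": 0.0, "suspicious": False}
    return {
        "format": "png",
        "trailing_len": len(tail),
        "trailing_entropy": round(shannon_entropy(tail), 3),
        "suspicious": len(tail) > 0,
    }


def make_clean_png() -> bytes:
    """Build a minimal valid 1x1 RGB PNG (constructed sample, not a real wallpaper)."""
    def chunk(ctype: bytes, payload: bytes) -> bytes:
        body = ctype + payload
        return struct.pack(">I", len(payload)) + body + struct.pack(">I", zlib.crc32(body) & 0xFFFFFFFF)

    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)  # 1x1, 8-bit, RGB
    idat = zlib.compress(b"\x00\xff\xff\xff")           # filter byte + one white pixel
    return PNG_SIG + chunk(b"IHDR", ihdr) + chunk(b"IDAT", idat) + chunk(b"IEND", b"")


# Constructed samples: a clean image and one with a dummy payload appended after IEND.
CLEAN_IMAGE = make_clean_png()
STAINED_IMAGE = CLEAN_IMAGE + b"CONSTRUCTED-PAYLOAD-" + bytes(range(256))

if __name__ == "__main__":
    for name, img in (("clean", CLEAN_IMAGE), ("stained", STAINED_IMAGE)):
        print(name, assess_image(img))
```

In practice an analyst would run `assess_image` over every image written to disk by the downloader stage and pair the trailing-data check with a hash comparison against the legitimate Windows XP wallpapers the article says the decoys imitate; a file that looks like a stock wallpaper but differs in size or hash deserves the same scrutiny.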

Government agencies, military organizations, and heavy industries all harbor secrets that may prove detrimental if destroyed or stolen. The routines found in Operation Tropic Trooper are less sophisticated than those of other targeted attack campaigns, but the campaign has shown that such targets can still be successfully infiltrated using the same old tactics. Unfortunately, even old threats may work against networks that store highly sensitive information.

It is important to note that the infiltration could have been prevented or prepared for using proactive methods and technologies like vulnerability patching, security training, and antimalware detection. As of the first half of this year, almost 17% of systems in Taiwan and 13% in the Philippines still run on Windows XP. Given that it takes longer for larger agencies to upgrade their systems, there is a high probability that the targets of this campaign still use the legacy OS. There is also a possibility that the threat actors used this form of steganography because they either still use the outdated OS themselves or have in-depth knowledge of it.

It is vital for governments and companies to look into threat intelligence and to establish a custom defense strategy, so that network administrators are not victimized by Operation Tropic Trooper and other similar attacks.

