Tropic Trooper is an unaffiliated threat group that has led targeted campaigns against targets in Taiwan, the Philippines, and Hong Kong. Tropic Trooper focuses on targeting government, healthcare, transportation, and high-tech industries and has been active since 2011.(Citation: TrendMicro Tropic Trooper Mar 2018)(Citation: Unit 42 Tropic Trooper Nov 2016)
| Platform | Tactic | Technique | Description | Data Sources |
|---|---|---|---|---|
| Windows | persistence, privilege-escalation | New Service | Tropic Trooper installs a service pointing to a malicious DLL dropped to disk. | Windows Registry, Process monitoring, Process command-line parameters, Windows event logs |
| Linux, macOS, Windows | discovery | System Owner/User Discovery | Tropic Trooper used letmein to scan for saved usernames on the target system. |
File monitoring, Process monitoring, Process command-line parameters |
| Linux, macOS, Windows, AWS, GCP, Azure | discovery | System Information Discovery | Tropic Trooper has detected a target system’s OS version. | Azure activity logs, Stackdriver logs, AWS CloudTrail logs, Process monitoring, Process command-line parameters |
| macOS, Windows, AWS, GCP, Azure | discovery | Network Share Discovery | Tropic Trooper used netview to scan target systems for shared resources. |
Process monitoring, Process command-line parameters, Network protocol analysis, Process use of network |
| Linux, Windows, macOS, AWS, GCP, Azure | discovery | Network Service Scanning | Tropic Trooper used pr to scan for open ports on target systems. |
Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process use of network |
| Windows | defense-evasion | DLL Side-Loading | Tropic Trooper has been known to side-load DLLs using a valid version of Windows Address Book executable with one of their tools. | Process use of network, Process monitoring, Loaded DLLs |
| Linux, Windows, macOS | execution | Exploitation for Client Execution | Tropic Trooper has executed commands through Microsoft security vulnerabilities, including CVE-2017-11882, CVE-2018-0802, and CVE-2012-0158. | Anti-virus, System calls, Process monitoring |
| Linux, macOS, Windows | defense-evasion, privilege-escalation | Process Injection | Tropic Trooper has injected a DLL backdoor into a file dllhost.exe. | API monitoring, Windows Registry, File monitoring, DLL monitoring, Process monitoring, Named Pipes |
| Windows | defense-evasion, persistence | BITS Jobs | Tropic Trooper has leveraged the BITSadmin command-line tool to create a job and launch a malicious process. | API monitoring, Packet capture, Windows event logs |
| Linux, macOS, Windows | defense-evasion | Obfuscated Files or Information | Tropic Trooper has encrypted configuration files. | Network protocol analysis, Process use of network, File monitoring, Malware reverse engineering, Binary file metadata, Process command-line parameters, Environment variable, Process monitoring, Windows event logs, Network intrusion detection system, Email gateway, SSL/TLS inspection |
| Linux, macOS, Windows | command-and-control | Standard Cryptographic Protocol | Tropic Trooper uses SSL to connect to C2 servers. | Packet capture, Netflow/Enclave netflow, Malware reverse engineering, Process use of network, Process monitoring, SSL/TLS inspection |
| Windows, macOS, Linux | initial-access | Spearphishing Attachment | Tropic Trooper sent spearphishing emails that contained malicious Microsoft Office attachments. | File monitoring, Packet capture, Network intrusion detection system, Detonation chamber, Email gateway, Mail server |
| Linux, macOS, Windows | defense-evasion, persistence | Hidden Files and Directories | Tropic Trooper has created a hidden directory under C:\ProgramData\Apple\Updates</code>. |
File monitoring, Process monitoring, Process command-line parameters |
| Windows | defense-evasion | Template Injection | Tropic Trooper delivered malicious documents with the XLSX extension, typically used by OpenXML documents, but the file itself was actually an OLE (XLS) document. | Anti-virus, Email gateway, Network intrusion detection system, Web logs |
| Windows | defense-evasion | Deobfuscate/Decode Files or Information | Tropic Trooper used shellcode with an XOR algorithm to decrypt a payload. | File monitoring, Process monitoring, Process command-line parameters |
| Windows | persistence | Winlogon Helper DLL | Tropic Trooper creates the Registry key HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell and sets the value to establish persistence. |
Windows Registry, File monitoring, Process monitoring |
| Linux, macOS, Windows | command-and-control | Commonly Used Port | Tropic Trooper can use ports 443 and 53 for C2 communications via malware called TClient. | Packet capture, Netflow/Enclave netflow, Process use of network, Process monitoring |
| Linux, macOS, Windows | discovery | Process Discovery | Tropic Trooper enumerates the running processes on the system. | Process monitoring, Process command-line parameters |
| macOS, Windows | discovery | Security Software Discovery | Tropic Trooper searches for anti-virus software running on the system. | File monitoring, Process monitoring, Process command-line parameters |