Unveiling activities of Tropic Trooper 2023: deep analysis of Xiangoop Loader and EntryShell payload

www.virusbulletin.com · Hajime Yanagishita and Suguru Ishimaru and Yusuke Niwa · 2 years ago · research
Thursday 5 October 16:30 - 17:00, Red room

Suguru Ishimaru (ITOCHU Cyber & Intelligence), Hajime Yanagishita (MACNICA) & Yusuke Niwa (ITOCHU Cyber & Intelligence)

Tropic Trooper (also known as KeyBoy and Pirate Panda) [1] is an infamous APT actor that has been highly active since 2011, according to Trend Micro [2]. The group has previously targeted government, healthcare, transportation and high-tech organizations in Taiwan, the Philippines and Hong Kong. Interestingly, our investigation revealed that in 2023 it ran persistent campaigns against the offices of specific industries in China for more than two months. Over a long-term investigation we discovered new malware and new tactics, techniques and procedures (TTPs). In November 2022 we observed the actor focusing on the overseas branch offices of manufacturing companies, particularly in China; the initial infection vector was SMS, and the malware was a KeyBoy variant that we named 'EntryShell'. In May 2023 a local office in China was attacked with EntryShell and a Cobalt Strike beacon delivered by spear-phishing emails. In July 2023 we also encountered an unexplained initial infection which suggests that the actor may have compromised a local branch's Wi-Fi access point by an as yet undisclosed method. Over the course of the investigation we collected and analysed nearly 200 samples related to this campaign, including loader modules, payloads, second-stage malware and post-exploitation tools.
The group primarily uses a legitimate McAfee executable together with a malicious DLL, 'McVsoCfg.dll', side-loaded to run fileless payloads such as EntryShell and a Cobalt Strike beacon in memory. We have named the malicious DLL 'Xiangoop Loader'; it contains two malicious functions, an installer and a loader. The loader also uses a simple but effective and unconventional obfuscation: an enormous volume of junk code. The quantity is the striking part. In this sample the function that initializes the AES S-box is 586,784 bytes including the noise, equivalent to 218,309 lines of disassembly, and when it is opened in IDA Pro, the tool most reverse engineers favour, its flow graph exceeds 20,000 nodes, which makes it hard to analyse. The second-stage sample that follows adds Control Flow Flattening (CFF) [3] on top of this, leaving it unreadable for a human. We also found a new twist on DLL side-loading: particular loader functions are implemented as separate exported functions in individual DLLs, which the main malicious DLL then loads. The aim is to evade security products and obstruct research; even if some of the DLLs are recovered, analysts must obtain and fully analyse every one of them before the loader can be understood. The implemented cryptography is of particular interest: X25519 (elliptic-curve Diffie-Hellman) for key generation, Salsa20 for key generation and payload decryption, and Poly1305 as an authentication tag that confirms a successful decryption. As for the payload, we named the fileless malware 'EntryShell' and classify it as a KeyBoy variant because its backdoor command IDs and debug messages match those of old KeyBoy samples. Its embedded configuration is encrypted with a custom algorithm, which is also of interest.
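The abstract names X25519, Salsa20 and Poly1305 but does not say how the loader wires them together. The following is an added example written for this page, not code from the talk or from Xiangoop Loader: it shows one way those three primitives combine into a payload-unwrap routine, in pure Python so that it runs without third-party libraries. An ephemeral X25519 agreement yields the Salsa20 key, Salsa20 keystream block 0 yields a one-time Poly1305 key (the NaCl secretbox pattern), and the tag is checked before the payload is returned to anything that would execute it. The blob layout (ephemeral public key, 8-byte nonce, tag, ciphertext), the function names `seal_payload` and `open_payload`, and the keys used in the usage are all assumptions; a real loader would more likely embed a static private key and use the tag check only to decide whether decryption succeeded.

```python
# Added example: X25519 key agreement -> Salsa20 payload decryption -> Poly1305
# check, in pure Python. Not Xiangoop Loader code: the talk names the three
# primitives but not how they are combined, so the blob layout (ephemeral
# public key || 8-byte nonce || tag || ciphertext) and the NaCl-style
# one-time Poly1305 key taken from Salsa20 block 0 are assumptions.
import hmac
import struct

M = 0xFFFFFFFF                       # 32-bit word mask
P = 2**255 - 19                      # Curve25519 field prime
BASEPOINT = (9).to_bytes(32, "little")
SIGMA = (0x61707865, 0x3320646E, 0x79622D32, 0x6B206574)  # "expand 32-byte k"


def x25519(scalar: bytes, point: bytes) -> bytes:
    """RFC 7748 Montgomery ladder: scalar * point, returns the u-coordinate."""
    clamped = bytes([scalar[0] & 248]) + scalar[1:31] + bytes([(scalar[31] & 127) | 64])
    k = int.from_bytes(clamped, "little")
    u = int.from_bytes(point, "little") & ((1 << 255) - 1)
    x2, z2, x3, z3, swap = 1, 0, u, 1, 0
    for t in range(254, -1, -1):
        kt = (k >> t) & 1
        swap ^= kt
        if swap:                     # conditional swap (not constant-time; fine for analysis)
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = kt
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        c, d = (x3 + z3) % P, (x3 - z3) % P
        da, cb = d * a % P, c * b % P
        x3, z3 = (da + cb) ** 2 % P, u * (da - cb) ** 2 % P
        x2, z2 = aa * bb % P, e * (aa + 121665 * e) % P
    if swap:
        x2, x3, z2, z3 = x3, x2, z3, z2
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")


def _rotl(x: int, n: int) -> int:
    x &= M
    return ((x << n) | (x >> (32 - n))) & M


def _qr(y: list, a: int, b: int, c: int, d: int) -> None:
    """Salsa20 quarterround applied in place to state words a, b, c, d."""
    y[b] ^= _rotl(y[a] + y[d], 7)
    y[c] ^= _rotl(y[b] + y[a], 9)
    y[d] ^= _rotl(y[c] + y[b], 13)
    y[a] ^= _rotl(y[d] + y[c], 18)


def salsa20_block(key: bytes, nonce: bytes, counter: int) -> bytes:
    """One 64-byte Salsa20/20 keystream block (32-byte key, 8-byte nonce)."""
    k, n = struct.unpack("<8I", key), struct.unpack("<2I", nonce)
    st = [SIGMA[0], k[0], k[1], k[2], k[3], SIGMA[1], n[0], n[1], counter & M,
          (counter >> 32) & M, SIGMA[2], k[4], k[5], k[6], k[7], SIGMA[3]]
    y = list(st)
    for _ in range(10):              # 10 double rounds (column round, then row round)
        _qr(y, 0, 4, 8, 12); _qr(y, 5, 9, 13, 1); _qr(y, 10, 14, 2, 6); _qr(y, 15, 3, 7, 11)
        _qr(y, 0, 1, 2, 3); _qr(y, 5, 6, 7, 4); _qr(y, 10, 11, 8, 9); _qr(y, 15, 12, 13, 14)
    return struct.pack("<16I", *[(a + b) & M for a, b in zip(y, st)])


def salsa20_xor(key: bytes, nonce: bytes, data: bytes, counter: int) -> bytes:
    """Encrypt or decrypt by XOR with the keystream starting at block `counter`."""
    out = bytearray()
    for i in range(0, len(data), 64):
        ks = salsa20_block(key, nonce, counter + i // 64)
        out += bytes(p ^ q for p, q in zip(data[i:i + 64], ks))
    return bytes(out)


def poly1305(key: bytes, msg: bytes) -> bytes:
    """RFC 8439 one-time authenticator: 32-byte key (r || s) -> 16-byte tag."""
    r = int.from_bytes(key[:16], "little") & 0x0FFFFFFC0FFFFFFC0FFFFFFC0FFFFFFF
    s = int.from_bytes(key[16:32], "little")
    p, acc = (1 << 130) - 5, 0
    for i in range(0, len(msg), 16):  # each block gets a 0x01 appended as its top byte
        acc = (acc + int.from_bytes(msg[i:i + 16] + b"\x01", "little")) * r % p
    return ((acc + s) & ((1 << 128) - 1)).to_bytes(16, "little")


def seal_payload(recipient_pub: bytes, eph_priv: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    """Packer side (assumed layout): ephemeral X25519 -> shared key -> Salsa20 + Poly1305."""
    shared = x25519(eph_priv, recipient_pub)
    otk = salsa20_block(shared, nonce, 0)[:32]        # one-time Poly1305 key from block 0
    ct = salsa20_xor(shared, nonce, plaintext, 1)     # payload keystream starts at block 1
    return x25519(eph_priv, BASEPOINT) + nonce + poly1305(otk, ct) + ct


def open_payload(recipient_priv: bytes, blob: bytes):
    """Loader side: returns the decrypted payload, or None when the tag does not verify."""
    eph_pub, nonce, tag, ct = blob[:32], blob[32:40], blob[40:56], blob[56:]
    shared = x25519(recipient_priv, eph_pub)
    otk = salsa20_block(shared, nonce, 0)[:32]
    if not hmac.compare_digest(poly1305(otk, ct), tag):
        return None                                   # wrong key or tampered blob: do not run it
    return salsa20_xor(shared, nonce, ct, 1)
```

For an analyst, the useful by-product of writing the primitives out is the list of constants they carry: the Salsa20 sigma string "expand 32-byte k", the Poly1305 clamp mask 0x0ffffffc0ffffffc0ffffffc0fffffff, and the X25519 constant 121665 (or the prime 2^255-19). These are data, not control flow, so they survive both junk-code insertion and control-flow flattening, and searching a loader for them is a fast way to find the decryption routine inside hundreds of thousands of bytes of noise.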
Our DFIR work on a compromised host also revealed a third-stage malware of a different family, a SparrowDoor variant we have named 'Crowdoor'. The presentation will also provide indicators of compromise (IoCs), malware samples, logs, commands and post-exploitation tools. In summary, based on our two-month investigation of Tropic Trooper, we will present a detailed analysis of the malware, highlight what differs from previous operations as new TTPs, and examine the tools and commands used in the lateral movement stage.

[1] https://attack.mitre.org/groups/G0081/
[2] https://www.macnica.co.jp/business/security/security-reports/143962/ (in Japanese)
[3] https://github.com/obfuscator-llvm/obfuscator/wiki/Control-Flow-Flattening

Suguru Ishimaru

In 2023 Suguru joined ITOCHU Cyber & Intelligence (ICI) as a senior cybersecurity researcher, where he analyses malware, researches Advanced Persistent Threats (APTs), reviews security solutions and handles incident response. Before moving to ICI he worked for around 15 years as a senior researcher in Kaspersky's Global Research and Analysis Team (GReAT). Based on his investigations he has published technical blog posts on securelist.com and given presentations at security conferences including AVTokyo, HITCON Pacific, JSAC, FIRST TC Bali, Internet Week, HITCON Community, Botconf, Objective by the Sea and GReAT Ideas Green Tea Edition.

Hajime Yanagishita

Hajime is a security researcher at MACNICA. His major areas of research are APT campaign tracking and malware analysis, fighting cyber threats to protect users. Some of his work has been presented at security conferences such as JSAC2018, JSAC2021, JSAC2022, HITCON Pacific 2018 and CONFidence 2020.
Yusuke Niwa

Yusuke is a senior security researcher at ITOCHU Cyber & Intelligence (ICI), protecting the cybersecurity of ITOCHU and its group companies as a member of ITOCHU CSIRT (ITCCERT). He also specializes in researching and analysing emerging threat trends such as email spam, APT attacks and cybercrime. Prior to joining ITCCERT he worked as a security analyst for Symantec, monitoring threats for the APAC region. He has presented at JSAC2020, JSAC2021, JSAC2022 and GReAT Ideas Green Tea Edition (2021), is a contributor to MITRE ATT&CK v9, and holds the CISSP, GCFA, GCFR, GREM, GCIH and GCIA certifications.