A new threat campaign was attributed to the Chinese-speaking threat group, Tropic Trooper, who has utilised the Nimbda loader and a new strain of the Yahoyah malware in attacks.
Researchers revealed the campaign’s details, claiming that the threat actors showed competent knowledge of cryptography. The attackers modified the AES specification in a custom implementation, running the inverted sequence of round operations twice.
The Yahoyah trojan is then inserted into a greyware tool called SMS Bomber, which malicious actors use for distributed denial-of-service (DDoS) attacks against mobile phones. Such tools are commonly used by amateur or wannabe threat actors who want to run attacks against small websites.
The Tropic Trooper infection begins when the target downloads a malicious variant of SMS Bomber. The variant contains the tool’s original binary and its standard functionality, but it has been customised with additional code that attaches to a notepad.exe process. The downloaded notepad[.]exe file is the Nimbda loader, which carries SMS Bomber as an embedded executable.
For the trojan, the Nimbda loader injects shellcode into the notepad process to reach a GitHub repository. The loader then decodes the obfuscated executable and runs it via process hollowing in dllhost[.]exe.
The new Yahoyah payload variant harvests data about the host, such as the MAC address, OS version, and computer name, and sends it back to the command-and-control server operated by the threat actors.
The final payload dropped by the Yahoyah executable is attached to a JPG image through steganography. The researchers identified the [.]exe as a TClient backdoor, which Tropic Trooper has used in numerous past campaigns.
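The page says the final payload is carried in a JPG image but does not describe how it is hidden. One cheap triage check a defender can run over image files is to walk the JPEG marker structure and report any bytes that follow the End-of-Image marker, since appending data after EOI is a common way to smuggle a payload inside an otherwise valid image. The following Python is an added example, not code from the original article or from the researchers; it assumes (as a labelled assumption) that the payload sits after EOI, builds its own constructed sample JPEG inline, and walks segments from the start so that an `FF D9` inside the trailer cannot hide it.

```python
import struct

SOI = b"\xff\xd8"  # Start of Image
EOI = b"\xff\xd9"  # End of Image


def make_sample_jpeg(trailer: bytes = b"") -> bytes:
    """Constructed test data: SOI, one APP0 (JFIF) segment, EOI, then an optional trailer.
    This is not the image from the campaign; it only exercises the marker walk below."""
    app0_payload = b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    app0 = b"\xff\xe0" + struct.pack(">H", len(app0_payload) + 2) + app0_payload
    return SOI + app0 + EOI + trailer


def find_eoi(data: bytes) -> int:
    """Return the offset just past the EOI marker reached by walking the segment chain,
    or -1 if the stream is not well-formed JPEG framing.
    Walking forward (instead of searching backwards for FF D9) means a trailer that
    itself contains FF D9 cannot disguise how much data really follows the image."""
    if not data.startswith(SOI):
        return -1
    pos, n = 2, len(data)
    while pos + 1 < n:
        if data[pos] != 0xFF:
            return -1  # lost sync with the marker chain
        marker = data[pos + 1]
        if marker == 0xFF:          # fill byte before a marker
            pos += 1
            continue
        if marker == 0xD9:          # EOI: everything after this is trailer
            return pos + 2
        if marker in (0x01, 0xD8) or 0xD0 <= marker <= 0xD7:
            pos += 2                # standalone markers carry no length field
            continue
        if pos + 3 >= n:
            return -1
        seg_len = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        pos += 2 + seg_len
        if marker == 0xDA:          # SOS: skip entropy-coded data up to the next real marker
            while pos + 1 < n:
                if data[pos] == 0xFF:
                    nxt = data[pos + 1]
                    if nxt != 0x00 and not (0xD0 <= nxt <= 0xD7):
                        break       # a genuine marker, not byte stuffing or RSTn
                pos += 1
    return -1


def inspect_trailer(data: bytes) -> dict:
    """Summarise what follows the image: length of trailing bytes and whether it opens
    with an 'MZ' header. An encrypted or encoded payload will not show 'MZ', so the
    trailer length itself is the primary signal; legitimate tools sometimes append
    metadata too, so treat a hit as a triage lead rather than a verdict."""
    end = find_eoi(data)
    if end < 0:
        return {"valid_jpeg": False, "trailer_len": 0, "has_mz": False}
    trailer = data[end:]
    return {"valid_jpeg": True, "trailer_len": len(trailer), "has_mz": trailer[:2] == b"MZ"}


if __name__ == "__main__":
    # Constructed inputs: a clean image and one with a fake PE-like blob appended.
    print(inspect_trailer(make_sample_jpeg()))
    print(inspect_trailer(make_sample_jpeg(b"MZ\x90\x00" + EOI + b"A" * 10)))
```

In practice you would point `inspect_trailer` at files pulled from a suspect host or proxy cache and flag any image whose trailer is more than a few bytes, then hand those to a sandbox or analyst; the check is deliberately format-level and does not try to decode whatever the trailer holds.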
The Chinese-speaking threat actors have conducted cyber espionage attacks exclusively and showed interest in abusing SMS Bomber. Security experts suggest that organisations adequately encrypt sensitive information and enforce access controls to protect it.