Chinese hacker group targets human rights studies in Middle East.

SeniorTechInfo

Sep 05, 2024

Ravie Lakshmanan
Malware / Human Rights

Unnamed government entities in the Middle East and Malaysia have been under siege since June 2023 by a cyber campaign orchestrated by a threat actor known as Tropic Trooper.

“The sighting of this group’s Tactics, Techniques, and Procedures in critical government entities in the Middle East, particularly those related to human rights studies, marks a new strategic move for them,” explained Kaspersky security researcher Sherif Magdy in a recent report.

The attack targeted a public web server hosting Umbraco, an open-source content management system (CMS), using a new version of the China Chopper web shell, which Chinese-speaking threat actors use for remote access to compromised servers.

The cyber-attack aimed to deploy a malware implant called Crowdoor, a variant of the SparrowDoor backdoor, but the efforts were ultimately unsuccessful.

Tropic Trooper, known by various aliases, has a history of targeting government and high-tech industries in Asia and has close ties to another intrusion set known as FamousSparrow.

The intrusion revealed a sophisticated attack chain that included exploiting vulnerabilities in web applications to deliver the malware implant.

The malware implant, Crowdoor, was designed to drop Cobalt Strike, maintain persistence on infected hosts, and act as a backdoor for data exfiltration and other malicious activities.

“The attacker attempted to evade detection by uploading newer samples of their backdoors, increasing the risk of detection in the future,” noted Magdy.

This intrusion, targeting a content management platform related to human rights studies in the Middle East, signifies a deliberate focus on sensitive information.
