Collecting In the Dark: Tropic Trooper Targets Transportation and Government
While analyzing samples, we found that the C&C server was already inactive. Without knowing the traffic between SmileSvr and the C&C server, we could not fully understand all functions. However, most of the backdoor functions are listed here:

| Command code | Function |
|---|---|
| 0x5001 | Opens/Reads specified file |
| 0x5002 | Unknown |
| 0x5004 | Opens/Writes specified file |
| 0x5006 | Opens command shell |
| 0x5007 | Unknown |
| 0x5009 | Closes command shell |
| 0x500A | File system traversal |
| 0x500C | Checks environment information |
| 0x500E | Unknown |
As for the SSL version of SmileSvr, its SSL communication is implemented with wolfSSL, a lightweight SSL/TLS library written in C. The backdoor functions of the SSL version of SmileSvr are similar to those of the ICMP version; the threat actors use it only to add an encrypted channel for data transfer.
Customized Gh0st RAT
In our investigation, we also found a suspicious executable named telegram.exe. After analyzing the file, we found that it was a customized version of Gh0st RAT. Compared to the original Gh0st RAT (Gh0st beta 3.6), the difference is that the customized version supports a new function to discover information from active sessions on the host.
All supported functions for the customized Gh0st are shown in the following table:

| Command code | Function |
|---|---|
| 0xC8 | Terminates connection |
| 0xCA | File manager to handle file operations |
| 0xCB | Screen monitoring |
| 0xCC | Opens remote shell for command execution |
| 0xD5 | Gets active session information |
Post-Exploitation
After successfully exploiting the vulnerable system, the threat actor will use multiple hacking tools to discover and compromise machines on the victim’s intranet. In this stage, we also observed attempts to deploy tools to exfiltrate stolen information.
During our investigation, we found evidence of specific tools, which we listed in Table 1. With these tools, the attackers accomplish their goals (network discovery, access to the intranet, and exfiltration) step by step.

| Tool name | Purpose | Description |
|---|---|---|
| SharpHound | AD discovery | Discovery tool to understand the relationships in an AD environment |
| FRPC | Intranet penetration | Fast reverse proxy that exposes a local server behind a NAT or firewall to the internet |
| Chisel | Intranet penetration | Fast TCP/UDP tunnel |
| RClone | Exfiltration | A command-line program to sync files and directories to and from different cloud storage providers |
Credential Dumping
We also observed that the group used multiple legitimate tools to dump credentials on compromised machines. It made good use of these tools to achieve its goal while keeping its operation hidden and unobtrusive.
For example, the group uses ProcDump.exe (a Windows Sysinternals tool that creates memory dumps of running processes), which it renamed to bootsys.exe:
c:\users\public\downloads\bootsys.exe -accepteula -ma lsass.exe C:\Users\Public\Downloads\lsass.dmp
The group dumps the credential-bearing registry hives by using reg.exe:
reg.exe save hklm\sam C:\Users\Public\Downloads\sam.hive
reg.exe save hklm\sam c:\windows\temp\sa.dit
reg.exe save hklm\security c:\windows\temp\se.dit
reg.exe save hklm\system c:\windows\temp\sy.dit
The group would also dump the memory of a process specified by PID (here 764) by using the MiniDump export of comsvcs.dll:
rundll32.exe C:\Windows\System32\comsvcs.dll MiniDump 764 C:\Windows\TEMP\dump.bin full
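The three credential-dumping command lines above share argument shapes that a defender can match regardless of the binary name (ProcDump was renamed to bootsys.exe here). The following is an added detection example written for this article, not a tool from the original investigation; it runs the matching over a few constructed process-creation events with Sysmon-style `Image` and `CommandLine` fields. The rule names, the sample events and the benign decoy lines are all assumptions made for the example.

```python
import re

# Constructed sample process-creation events (Sysmon Event ID 1 style fields).
# Three mirror the command lines shown in the article; two are benign decoys.
SAMPLE_EVENTS = [
    {"Image": r"c:\users\public\downloads\bootsys.exe",
     "CommandLine": r"c:\users\public\downloads\bootsys.exe -accepteula -ma lsass.exe C:\Users\Public\Downloads\lsass.dmp"},
    {"Image": r"C:\Windows\System32\reg.exe",
     "CommandLine": r"reg.exe save hklm\sam c:\windows\temp\sa.dit"},
    {"Image": r"C:\Windows\System32\reg.exe",
     "CommandLine": r"reg.exe query hklm\software\microsoft\windows\currentversion\run"},
    {"Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe C:\Windows\System32\comsvcs.dll MiniDump 764 C:\Windows\TEMP\dump.bin full"},
    {"Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe shell32.dll,Control_RunDLL desk.cpl"},
]

# Rule names are this example's own labels, not from the article.
RULES = {
    # ProcDump-style full dump ("-ma") of LSASS. Keyed on the arguments, not the
    # image path, because the article shows ProcDump renamed to bootsys.exe.
    "lsass_procdump_style_dump": re.compile(
        r"(?i)(^|\s)-ma\s+lsass(\.exe)?(\s|$)"),
    # reg.exe save of the SAM, SECURITY or SYSTEM hive (either hive-root spelling).
    "reg_save_credential_hive": re.compile(
        r"(?i)\breg(\.exe)?\s+save\s+(hklm|hkey_local_machine)\\(sam|security|system)\b"),
    # comsvcs.dll MiniDump export, by name or by its ordinal (#24).
    "comsvcs_minidump": re.compile(
        r"(?i)comsvcs\.dll[\s,]+(#24|minidump)\b"),
}


def classify_event(event):
    """Return the names of every rule whose pattern matches the command line."""
    cmd = event.get("CommandLine", "")
    return [name for name, rx in RULES.items() if rx.search(cmd)]


def scan_events(events):
    """Return (image, command line, matched rule names) for each matching event."""
    hits = []
    for ev in events:
        matched = classify_event(ev)
        if matched:
            hits.append((ev["Image"], ev["CommandLine"], matched))
    return hits


if __name__ == "__main__":
    for image, cmd, matched in scan_events(SAMPLE_EVENTS):
        print(f"[{', '.join(matched)}] {image}\n    {cmd}")
```

Matching on argument structure rather than file names is what lets the first rule fire on the renamed ProcDump; the decoy `reg.exe query` and `rundll32.exe shell32.dll` lines show that the patterns do not fire on ordinary use of the same binaries.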
Indicator Removal
To avoid exposing their footprints to investigators, the threat actors made their own tool to wipe out the event logs on the victimized machine. With this tool, they can clear specified event logs and make it hard for investigators to track their operations.
The usage is as follows:
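Clearing a Windows event log leaves two traces a defender can look for: the explicit "log cleared" record (Event ID 1102 in the Security log, Event ID 104 in the System log) and a reset of the channel's record-number sequence, which remains visible even if the clearing record itself is missing. The following is an added example written for this article, not the threat actor's tool or code from the original investigation; it runs both checks over a constructed, simplified event stream. The field names and host/user values are assumptions made for the example.

```python
# Explicit log-clearing records: Security 1102, System 104.
CLEAR_EVENT_IDS = {("Security", 1102), ("System", 104)}

# Constructed event stream (simplified schema); not data from the investigation.
# Records are ordered as they would be collected from each host.
LOG_STREAM = [
    {"Host": "ws01", "Channel": "Security", "EventID": 4624, "EventRecordID": 5021, "User": "alice"},
    {"Host": "ws01", "Channel": "Security", "EventID": 4688, "EventRecordID": 5022, "User": "alice"},
    {"Host": "ws01", "Channel": "Security", "EventID": 1102, "EventRecordID": 1, "User": "admin"},
    {"Host": "ws01", "Channel": "Security", "EventID": 4624, "EventRecordID": 2, "User": "alice"},
    {"Host": "ws01", "Channel": "System", "EventID": 7036, "EventRecordID": 880, "User": ""},
    {"Host": "ws01", "Channel": "System", "EventID": 104, "EventRecordID": 1, "User": "admin"},
    {"Host": "srv02", "Channel": "Security", "EventID": 4688, "EventRecordID": 300, "User": "svc"},
    # Record number drops with no 1102 in between: the log was cleared and the
    # clearing record did not reach the collector (or was removed).
    {"Host": "srv02", "Channel": "Security", "EventID": 4688, "EventRecordID": 12, "User": "svc"},
]


def find_log_clearing(events):
    """Return one alert dict per detected clearing of a (host, channel) log.

    reason == "explicit_clear": a 1102/104 record was seen.
    reason == "record_id_reset": the record number went backwards without an
    accompanying clearing record, the more suspicious of the two cases.
    """
    alerts = []
    last_record = {}  # (host, channel) -> highest EventRecordID seen so far
    for ev in events:
        key = (ev["Host"], ev["Channel"])
        rec = ev["EventRecordID"]
        is_clear = (ev["Channel"], ev["EventID"]) in CLEAR_EVENT_IDS
        if is_clear:
            alerts.append({"host": ev["Host"], "channel": ev["Channel"],
                           "reason": "explicit_clear", "record_id": rec,
                           "user": ev["User"]})
        elif key in last_record and rec < last_record[key]:
            alerts.append({"host": ev["Host"], "channel": ev["Channel"],
                           "reason": "record_id_reset", "record_id": rec,
                           "user": ev["User"]})
        last_record[key] = rec
    return alerts


if __name__ == "__main__":
    for a in find_log_clearing(LOG_STREAM):
        print(f"{a['host']}/{a['channel']}: {a['reason']} at record {a['record_id']} (user {a['user'] or 'n/a'})")
```

The record-number check only works when events are forwarded to a collector the attacker cannot reach; on the compromised host itself the sequence before the clear is gone, which is exactly why the article's point about forwarding-independent evidence matters for investigators.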