June 25, 2022
A threat actor linked to the Tropic Trooper hacking group has been observed using previously undocumented malware. The malware is written in the Nim language and is being used to target individuals and institutions as part of a new campaign.
Chinese hackers use SMS bomber tool to deploy malware
The novel loader, dubbed “Nimbda,” has been bundled with a Chinese-language SMS Bomber tool that is distributed illegally through a Chinese-speaking website.
The campaign was disclosed in a report published by Check Point. The report noted the sophistication of the threat actors behind the malware: they took care that the loader was executed in the same way as the SMS Bomber tool itself.
The researchers added that “whoever crafted the Nim loader took special care to give it the same executable icon as the SMS Bomber that it drops and executes. Therefore the entire bundle works as a trojanized binary.”
The SMS Bomber tool does what its name suggests. It lets a user enter a phone number other than their own and then floods the victim’s device with messages, rendering it unusable: in effect, a denial-of-service (DoS) attack.
The nature of the attacks shows that the attackers paid close attention to the individuals and institutions they targeted. The binary acts both as the SMS Bomber and as a backdoor, which shows that the attacks were not simply aimed at whoever happened to use the tool, who would be an “unorthodox target.” Instead, the attackers chose their victims deliberately to ensure the operation succeeded.
Tropic Trooper hacking group
The threat actor group using this tactic is known as Tropic Trooper. It also goes by the monikers KeyBoy, Earth Centaur and Pirate Panda, and has a track record of targeting victims based in the Philippines, Hong Kong, and Taiwan.
Tropic Trooper targets a wide range of institutions, including government bodies, healthcare organizations, the transport sector, and high-tech companies.
A report on this group was also published by Trend Micro. It described the Chinese-speaking threat actor as highly sophisticated and well equipped to support its operations. The report also pointed to the group’s ability to evolve its TTPs so that it remains undetected, and to its use of various customized tools to compromise its targets.
The latest attack chain was documented by Check Point. It begins with the trojanized SMS Bomber tool, which carries the Nimbda loader. The loader runs an embedded executable, so the legitimate SMS Bomber payload executes while the loader also launches shellcode inside a notepad.exe process.
Once that shellcode runs, it starts a three-step infection process. The first step downloads the next-stage binary from an IP address hidden in a markdown file named EULA.md, which is hosted in attacker-controlled GitHub and Gitee repositories.
The retrieved binary is an upgraded version of a trojan called Yahoyah. The trojan is designed to gather information about the wireless networks in the vicinity of the victim’s machine, along with other system information and metadata, and to exfiltrate these details to a command-and-control (C2) server.
Yahoyah also serves as the platform for retrieving the final stage of the malware, which is downloaded from the C2 server as an image. The payload, steganographically encoded in that image, is a backdoor also known as TClient. The group has deployed this malware in a wide range of other campaigns.
“The observed activity cluster paints a picture of a focused, determined actor with a clear goal in mind. Usually, when a third-party benign (or benign-appearing) tools are hand-picked to be inserted into an infection chain, they are chosen to be the least conspicuous possible; the choice of an “SMS Bomber” tool for this purpose is unsettling and tells a whole story the moment one dares to extrapolate a motive and an intended victim,” the researchers added.