Trend Micro reports that a Chinese state-sponsored threat actor known as 'Tropic Trooper' has been targeting transportation firms and government bodies associated with the transportation sector since the middle of 2020. The advanced persistent threat (APT), also known as Earth Centaur and KeyBoy, has been active since 2011, conducting espionage attacks targeting organizations in the government, healthcare, high-tech, and transportation sectors in Hong Kong, the Philippines, and Taiwan.
Trend Micro warned that the group attempted to access flight schedules, financial plans, and other internal documents at the target organizations, as well as any personal information available on the compromised hosts, including search histories, as part of the attacks carried out over the last year and a half.
According to the report, the analysts were able to tie the new Earth Centaur activity to Tropic Trooper after discovering similar configuration-decoding code in both. “Currently, we have not discovered substantial damage to these victims as caused by the threat group,” Trend Micro’s analysts explained. “However, we believe that it will continue collecting internal information from the compromised victims and that it is simply waiting for an opportunity to use this data.”
The researchers noted that one of the group's signature tactics, techniques, and procedures (TTPs) is skilled red-team-style tradecraft. According to the research, Earth Centaur is adept at evading security controls and remaining unnoticed. “Depending on the target, it uses backdoors with different protocols, and it can also use the reverse proxy to bypass the monitoring of network security systems. The usage of the open-source frameworks also allows the group to develop new backdoor variants efficiently,” the report said.
According to the research, the threat group typically gains initial access through a vulnerable Exchange or Internet Information Services (IIS) server, then drops backdoors such as ChiserClient and SmileSvr. A customized version of Gh0st RAT then sets out to collect data from active sessions on the host. The attackers then move laterally across the compromised organization's network and exfiltrate valuable data.
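The web-server-to-backdoor sequence described above suggests two cheap host-side checks a defender can run on an Exchange or IIS server. The script below is an added example, not code from the Trend Micro report and not derived from the group's tooling; the Sysmon-style process events, the IIS W3C log lines and the allow-list of Exchange virtual directories are all constructed for illustration.

```python
"""Added example: two generic host-side checks for the web-server-to-backdoor
sequence described above.  Not code from the Trend Micro report; all events,
log lines and the allow-list below are constructed for illustration."""
from dataclasses import dataclass

# Command interpreters and built-in tools that an IIS worker process has no
# business launching in a healthy deployment.
SHELL_CHILDREN = {"cmd.exe", "powershell.exe", "pwsh.exe", "net.exe", "whoami.exe"}
WEB_WORKERS = {"w3wp.exe"}  # IIS worker process that hosts Exchange/OWA app pools

# Exchange virtual directories where POSTs to .aspx pages are expected
# (constructed allow-list; adjust to the server's real applications).
KNOWN_PREFIXES = ("/owa/", "/ecp/", "/ews/", "/mapi/", "/autodiscover/",
                  "/microsoft-server-activesync/")

# Constructed Sysmon-style process-creation events (not real telemetry).
PROCESS_EVENTS = [
    {"host": "mail01", "parent": r"C:\Windows\System32\svchost.exe",
     "image": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "cmdline": 'w3wp.exe -ap "MSExchangeOWAAppPool"'},            # benign
    {"host": "mail01", "parent": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe /c whoami"},                               # suspicious
    {"host": "web02", "parent": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -NoProfile"},                       # suspicious
]

# Constructed IIS W3C access log (not from a real server).
IIS_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2021-12-14 08:01:10 10.0.0.5 POST /owa/auth.owa - 443 - 203.0.113.7 Mozilla/5.0 200
2021-12-14 08:02:33 10.0.0.5 GET /owa/ - 443 alice 203.0.113.7 Mozilla/5.0 200
2021-12-14 08:05:51 10.0.0.5 POST /aspnet_client/report.aspx - 443 - 198.51.100.23 python-requests/2.25 200
2021-12-14 08:06:02 10.0.0.5 POST /ecp/default.aspx - 443 - 203.0.113.7 Mozilla/5.0 200
"""


@dataclass
class Finding:
    source: str   # "process" or "iis"
    detail: str


def basename(path: str) -> str:
    """Last path component, lower-cased, for either slash style."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect_worker_spawned_shell(events):
    """Flag an IIS worker process launching a command interpreter."""
    return [
        Finding("process", f'{ev["host"]}: {basename(ev["parent"])} -> {ev["cmdline"]}')
        for ev in events
        if basename(ev["parent"]) in WEB_WORKERS and basename(ev["image"]) in SHELL_CHILDREN
    ]


def parse_iis_w3c(lines):
    """Yield one dict per request, taking column names from the #Fields: header."""
    names = None
    for line in lines:
        if line.startswith("#Fields:"):
            names = line.split()[1:]
            continue
        if line.startswith("#") or not line.strip() or names is None:
            continue
        values = line.split()
        if len(values) == len(names):
            yield dict(zip(names, values))


def detect_unexpected_script_posts(lines, known_prefixes=KNOWN_PREFIXES):
    """Flag POSTs to .aspx pages outside the expected virtual directories."""
    findings = []
    for rec in parse_iis_w3c(lines):
        uri = rec["cs-uri-stem"].lower()
        if rec["cs-method"] != "POST" or not uri.endswith(".aspx"):
            continue
        if uri.startswith(tuple(known_prefixes)):
            continue
        findings.append(Finding("iis", f'{rec["c-ip"]} POST {uri} status {rec["sc-status"]}'))
    return findings


def run(events=PROCESS_EVENTS, log_text=IIS_LOG):
    """Run both checks over the constructed data and return all findings."""
    return detect_worker_spawned_shell(events) + detect_unexpected_script_posts(log_text.splitlines())


if __name__ == "__main__":
    for f in run():
        print(f"[{f.source}] {f.detail}")
```

Both checks are heuristics rather than signatures: an IIS worker process (w3wp.exe) spawning a command interpreter is rare on a healthy Exchange or IIS host, and a POST to a script file outside the server's known virtual directories deserves a look. Tune the allow-list to the applications actually deployed before running this on production logs, and treat hits as leads for investigation rather than confirmed compromise.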
The rise in the threat actor's interest in transportation and government coincides with the November passage of the Infrastructure Deal, which promises massive investments across the transportation sector, including $39 billion for transit modernization, $89.9 billion for public transit, $25 billion for airports, $66 billion in rail funding, and much more. The government is set to pour billions of dollars into the transportation sector, and Earth Centaur appears to be perfectly positioned to profit.