A threat cluster linked to the Tropic Trooper hacking group has been identified employing previously undocumented malware developed in Nim language to attack targets as part of a newly revealed operation.
The new loader, codenamed Nimbda, is "bundled with a Chinese language greyware 'SMS Bomber' malware that is most likely illegally circulated through the Chinese-speaking web," according to a report by Israeli cybersecurity firm Check Point.
"Whoever crafted the Nim loader took special care to give it the same executable icon as the SMS Bomber that it drops and executes," the researchers said.
"Therefore the entire bundle works as a trojanized binary."
SMS Bomber, as the name implies, allows the user to enter a phone number (not their own) in order to flood the victim's device with messages, perhaps rendering it useless in a denial-of-service (DoS) attack.
The fact that the binary functions as both an SMS Bomber and a backdoor show that the assaults are not just directed at individuals who use the tool — a "somewhat unorthodox target" — but are also highly targeted.
Tropic Trooper, also known as Earth Centaur, KeyBoy, and Pirate Panda, has a history of attacking targets in Taiwan, Hong Kong, and the Philippines, especially in the government, healthcare, transportation, and high-tech industries.
Trend Micro last year referred to the Chinese-speaking collective as particularly clever and well-equipped, highlighting the group's capacity to develop its TTPs to stay under the radar and rely on a wide range of proprietary tools to compromise its targets.
Check Point's most recent attack chain begins with the tainted SMS Bomber tool, the Nimbda loader, which runs an embedded executable, in this case, the legal SMS bomber payload, while simultaneously injecting a second piece of shellcode into a notepad.exe process.
This initiates a three-tier infection process, which includes downloading a next-stage malware from an obfuscated IP address given in a markdown file ("EULA.md") published in an attacker-controlled GitHub or Gitee repository.
The retrieved binary is an improved version of the
Yahoyah trojan, is designed to gather data about local wireless networks in the victim machine's proximity and other system metadata and send it to a command-and-control (C2) server.
Yahoyah, for its role, serves as a conduit for the final-stage malware, which is downloaded from the C2 server in the form of an image. The steganographically encoded payload is a backdoor known as TClient, which the group has used in past attacks.
The researchers concluded, "The observed activity cluster paints a picture of a focused, determined actor with a clear goal in mind."
"Usually, when third-party benign (or benign-appearing) tools are hand-picked to be inserted into an infection chain, they are chosen to be the least conspicuous possible; the choice of an 'SMS Bomber' tool for this purpose is unsettling, and tells a whole story the moment one dares to extrapolate a motive and an intended victim."