A recent cybersecurity study has revealed a sophisticated attack campaign targeting Chinese-speaking populations. The campaign, discovered by Zscaler ThreatLabz, involves a compromised version of the SumatraPDF reader that deploys the AdaptixC2 Beacon post-exploitation agent. This operation is linked to the notorious hacking group, Tropic Trooper, also known as APT23, Earth Centaur, KeyBoy, and Pirate Panda, with a history of targeting Taiwan, Hong Kong, and the Philippines since 2011.
Exploiting Software to Gain Access
The intrusion begins with a ZIP archive containing military-themed documents, designed to bait victims into launching the tampered SumatraPDF application. Once started, the altered reader opens a decoy PDF while simultaneously downloading encrypted shellcode from a staging server. That shellcode loads AdaptixC2 Beacon, the post-exploitation agent used for the rest of the operation.
The backdoored SumatraPDF operates alongside a loader named TOSHIS, a variant of the Xiangoop malware historically used by Tropic Trooper. The loader carries out the multi-stage chain: it keeps the user occupied with the fake document while quietly installing the AdaptixC2 Beacon in the background.
GitHub as a Command-and-Control Platform
In a unique twist, the attackers have employed GitHub as their command-and-control (C2) platform. This strategy involves the AdaptixC2 agent communicating with attacker-controlled servers to receive instructions for execution on compromised systems. The campaign escalates only when the targeted individuals are deemed valuable, prompting the use of Microsoft Visual Studio Code (VS Code) and its tunnel features for remote access.
In certain cases, the attackers have been observed installing additional trojanized applications on select systems. These applications serve to further obscure their operations, enhancing their ability to remain undetected.
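As an added illustration from the defender's side (not code from the Zscaler report or from any tool it names), the following Python routine flags the behaviours described above in constructed endpoint telemetry: a PDF reader opening a network connection, a PDF reader spawning a child process, and a VS Code tunnel being launched. The event field names, paths and addresses are assumptions, loosely modelled on process-create and network-connect logs.

```python
from typing import Iterator

# Constructed sample telemetry (assumed schema; not real indicators).
EVENTS = [
    {"type": "process", "image": r"C:\Users\u\Downloads\SumatraPDF.exe",
     "parent": r"C:\Windows\explorer.exe", "cmdline": "SumatraPDF.exe notice.pdf"},
    {"type": "network", "image": r"C:\Users\u\Downloads\SumatraPDF.exe",
     "dest": "203.0.113.10", "port": 443},
    {"type": "process", "image": r"C:\Windows\System32\cmd.exe",
     "parent": r"C:\Users\u\Downloads\SumatraPDF.exe", "cmdline": "cmd.exe /c whoami"},
    {"type": "process", "image": r"C:\Program Files\Microsoft VS Code\bin\code.exe",
     "parent": r"C:\Windows\System32\cmd.exe", "cmdline": "code.exe tunnel"},
    {"type": "process", "image": r"C:\Windows\System32\notepad.exe",
     "parent": r"C:\Windows\explorer.exe", "cmdline": "notepad.exe"},
]


def _basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def detect(events) -> Iterator[tuple[str, dict]]:
    """Yield (rule_name, event) for each event matching a behaviour in the article."""
    for ev in events:
        img = _basename(ev["image"])
        if ev["type"] == "network" and img == "sumatrapdf.exe":
            # A PDF reader has no business fetching payloads from a staging server.
            yield ("pdf_reader_network_egress", ev)
        elif ev["type"] == "process":
            if _basename(ev.get("parent", "")) == "sumatrapdf.exe":
                # The reader launching other programs is loader-like behaviour.
                yield ("pdf_reader_spawned_child", ev)
            tokens = ev.get("cmdline", "").lower().split()
            if img in ("code.exe", "code") and "tunnel" in tokens[1:]:
                # VS Code's tunnel subcommand exposes the host for remote access.
                yield ("vscode_tunnel_started", ev)


def alerts(events=EVENTS) -> list[str]:
    """Return just the rule names that fired, in event order."""
    return [name for name, _ in detect(events)]


if __name__ == "__main__":
    for name, ev in detect(EVENTS):
        print(f"{name}: {ev['image']}")
```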
Utilizing Known Backdoors and Tools
The staging server involved in these attacks has been identified as hosting familiar backdoors, including Cobalt Strike Beacon and a custom tool named EntryShell. These tools have been associated with Tropic Trooper's previous campaigns. According to Zscaler, the threat actors have transitioned from widely available tools like Cobalt Strike and Mythic Merlin to AdaptixC2, indicating a shift in their operational tactics.
As cybersecurity experts continue to monitor and investigate this campaign, it underscores the need for heightened vigilance and robust defensive measures to protect against such advanced threats.
