Middle Eastern government entities, especially those involved in human rights, have been targeted by the Chinese-speaking advanced persistent threat operation Tropic Trooper — also known as APT23, Pirate Panda, Earth Centaur, and KeyBoy — as part of an attack campaign that commenced in June 2023, reports The Hacker News.
As part of its latest attacks discovered in June, Tropic Tropper exploited several known Microsoft Exchange Server and Adobe ColdFusion vulnerabilities to distribute an updated China Chopper web shell on a server hosting the Umbraco open-source content management system, which later facilitated the deployment of lateral movement, network scanning, and security bypass tools before launching the Crowdoor malware, an analysis from Kaspersky revealed. Aside from enabling persistence and Cobalt Strike delivery, Crowdoor also allowed data exfiltration, reverse shell execution, and self-deletion. "The significance of this intrusion lies in the sighting of a Chinese-speaking actor targeting a content management platform that published studies on human rights in the Middle East, specifically focusing on the situation around the Israel-Hamas conflict. Our analysis of this intrusion revealed that this entire system was the sole target during the attack, indicating a deliberate focus on this specific content," said researcher Sherif Magdy.
