A threat cluster with ties to a hacking group called Tropic Trooper has been spotted using a previously undocumented malware written in the Nim programming language to strike targets as part of a newly discovered campaign.
The novel loader, dubbed Nimbda, is “bundled with a Chinese language greyware ‘SMS Bomber’ tool that is most likely illegally distributed in the Chinese-speaking web,” Israeli cybersecurity company Check Point said in a report.
“Whoever crafted the Nim loader took special care to give it the same executable icon as the SMS Bomber that it drops and executes,” the researchers said. “Therefore the entire bundle works as a trojanized binary.”
SMS Bomber, as the name indicates, allows a user to input a phone number (not their own) so as to flood the victim’s device with messages and potentially render it unusable, in what amounts to a denial-of-service (DoS) attack.
The fact that the binary doubles up as SMS Bomber and a backdoor suggests that the attacks are not just aimed at those who are users of the tool — a “rather unorthodox target” — but also highly targeted in nature.
Tropic Trooper, also known by the monikers Earth Centaur, KeyBoy, and Pirate Panda, has a track record of striking targets located in Taiwan, Hong Kong, and the Philippines, primarily focusing on government, healthcare, transportation, and high-tech industries.
Calling the Chinese-speaking collective “notably sophisticated and well-equipped,” Trend Micro last year pointed out the group’s ability to evolve their TTPs to stay under the radar and rely on a broad range of custom tools to compromise its targets.
The latest attack chain documented by Check Point begins with the trojanized SMS Bomber bundle: the Nimbda loader launches an embedded executable, in this case the legitimate SMS Bomber payload, while also injecting a separate piece of shellcode into a notepad.exe process.
This kicks off a three-tier infection process that entails downloading a next-stage binary from an obfuscated IP address specified in a markdown file (“EULA.md”) that’s hosted in an attacker-controlled GitHub or Gitee repository.
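The "EULA.md" step above is a dead-drop resolver: a benign-looking file on a public code-hosting site carries the next-stage address. Check Point's report, as summarized here, does not say how Nimbda obfuscates that IP, so the following is an added triage helper written for this article, not Check Point's or the malware's code. It assumes three common encodings (dotted, plain decimal integer, hexadecimal integer) and scans a constructed markdown sample for any token that decodes to a valid IPv4 address, which is the kind of check an analyst might run over repository files pulled from a suspicious build.

```python
import ipaddress
import re

# Constructed sample standing in for a dead-drop file such as the "EULA.md"
# described in the article. The encodings used below are assumptions chosen
# for illustration; the page does not state Nimbda's actual scheme.
SAMPLE_MD = """# End User License Agreement
By using this software you agree to the terms below.
build-id: 3232235777
mirror: 0xC0A80102
contact: 192.0.2.10
"""

# Dotted-quad form, e.g. 192.0.2.10
DOTTED_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
# Integer forms: hex with 0x prefix (5-8 hex digits) or 8-10 decimal digits
INT_RE = re.compile(r"\b(?:0[xX][0-9a-fA-F]{5,8}|\d{8,10})\b")


def decode_candidate(token: str):
    """Return an IPv4Address if token is a valid dotted, decimal or hex encoding, else None."""
    try:
        if DOTTED_RE.fullmatch(token):
            # ipaddress rejects octets > 255, so "999.1.1.1" is filtered here
            return ipaddress.IPv4Address(token)
        value = int(token, 16) if token.lower().startswith("0x") else int(token)
        if 0 <= value <= 0xFFFFFFFF:
            return ipaddress.IPv4Address(value)
    except (ValueError, ipaddress.AddressValueError):
        pass
    return None


def find_dead_drop_addresses(text: str):
    """Scan text for tokens that decode to an IPv4 address.

    Returns a list of (raw_token, decoded_dotted_string) in order of discovery,
    de-duplicated on the decoded address.
    """
    found = []
    seen = set()
    for regex in (DOTTED_RE, INT_RE):
        for match in regex.finditer(text):
            addr = decode_candidate(match.group(0))
            if addr is None or addr in seen:
                continue
            seen.add(addr)
            found.append((match.group(0), str(addr)))
    return found


if __name__ == "__main__":
    for raw, decoded in find_dead_drop_addresses(SAMPLE_MD):
        print(f"{raw!r} -> {decoded}")
```

Any 8-to-10-digit number (a build date like 20220615, for instance) also decodes to a valid address, so hits from the integer patterns are leads for an analyst to confirm against network telemetry, not verdicts. The value of the check is in surfacing integer-encoded addresses that a plain grep for dotted quads would miss.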
The retrieved binary is an upgraded version of a trojan named Yahoyah that’s designed to collect information about local wireless networks in the victim machine’s vicinity as well as other system metadata and exfiltrate the details back to a command-and-control (C2) server.
Yahoyah, for its part, also acts as a conduit to fetch the final-stage malware, which is downloaded in the form of an image from the C2 server. The steganographically-encoded payload is a backdoor known as TClient and has been deployed by the group in previous campaigns.
“The observed activity cluster paints a picture of a focused, determined actor with a clear goal in mind,” the researchers concluded.
“Usually, when third-party benign (or benign-appearing) tools are hand-picked to be inserted into an infection chain, they are chosen to be the least conspicuous possible; the choice of an ‘SMS Bomber’ tool for this purpose is unsettling, and tells a whole story the moment one dares to extrapolate a motive and an intended victim.”