Tropic Trooper, a known APT group, expanded its targeting in 2024 to a government entity in the Middle East, using a new China Chopper web shell variant to compromise an Umbraco CMS server and deploying multiple malware sets, including post-exploitation tools.
The attackers employed DLL search-order hijacking to load the Crowdoor loader, a previously unreported backdoor variant, which highlights the group’s evolving tactics and strategic shift towards targeting critical governmental entities in the region.
A new variant of the China Chopper web shell was discovered embedded as a .NET module within a compromised Umbraco CMS server, which received commands through the Umbraco controller.
Security agents detected the web shell, and subsequent attempts by the attackers to deploy additional tools, including Fscan, Swor, and batch scripts, were likely intended for network scanning, lateral movement within the network, and defense evasion techniques.
Attackers compromised a server running Umbraco CMS by uploading a malicious module (App_Web_dentsd54.dll) that leveraged China Chopper web shell functionality, which decoded and executed obfuscated JavaScript, achieving remote control.
They exploited existing vulnerabilities (possibly CVE-2021-34473, CVE-2021-34523, CVE-2021-31207, or CVE-2023-26360) to drop this module and additional tools.
These tools included Fscan for vulnerability scanning, Swor for lateral movement and mimikatz deployment, Neo-reGeorg for SOCKS5 proxying, ByPassGodzilla for web shell obfuscation, and datast.dll/VERSION.dll for DLL search-order hijacking to load further malware.
The malware family has evolved over time with minor functional changes. The initial variants, dated March 2023, had a size of 81KB and exported functions like “Clear – Server.”
Later variants, released in July and October 2023, increased in size to 178KB and introduced new exported functions such as “InitCore.”
The most recent variants, detected in February 2024, reduced in size to 80KB and exported functions like “Ldf/rcd,” which highlights the attackers’ efforts to evade detection by continuously modifying the malware’s characteristics.
The threat actor Tropic Trooper has been using a DLL search-order hijacking technique to deliver malicious payloads since at least June 2022: a legitimate executable loads a vulnerable DLL, which in turn loads a malicious DLL.
The malicious DLL decrypts and executes the payload, in this case Crowdoor shellcode. The actor has used this technique to deliver payloads in two separate attempts, with the second attempt using new variants of the malicious DLL.
Both variants were designed to load the same shellcode, but the second variant had more capabilities. The payloads ultimately aimed to inject Crowdoor into the colorcpl.exe process and establish a connection to a C2 server.
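To make the search-order mechanism above concrete from a defender's side, here is an added example (not code from the Securelist report) that models the default Windows DLL search order and scans a constructed file listing for DLLs that shadow a System32 DLL beside an executable. The executable name app.exe, the directory c:\programdata\tool and the sample file set are constructed placeholders; the VERSION.dll name comes from the page.

```python
"""Added example (not code from the Securelist report): a simplified model of the
Windows DLL search order, showing why a DLL dropped beside an executable shadows
the copy in System32, plus a scan that flags such shadow copies."""
from pathlib import PureWindowsPath

WINDIR = r"c:\windows"
# Small sample of KnownDLLs: these are always mapped from System32 and cannot be
# hijacked through the search order. VERSION.dll is not on this list.
KNOWN_DLLS = {"kernel32.dll", "user32.dll"}

# Constructed filesystem for the example: lowercase full paths. The executable
# name app.exe and the c:\programdata\tool directory are placeholders.
SAMPLE_FS = {
    rf"{WINDIR}\system32\version.dll",
    rf"{WINDIR}\system32\kernel32.dll",
    r"c:\programdata\tool\app.exe",
    r"c:\programdata\tool\datast.dll",
    r"c:\programdata\tool\version.dll",   # shadows the System32 copy
    r"c:\users\public\readme.txt",
}
SAMPLE_SYSTEM_DLLS = {"version.dll", "kernel32.dll"}

def search_order(app_dir, cwd, path_dirs):
    """Default order with SafeDllSearchMode enabled (cwd after the system dirs)."""
    return [app_dir, rf"{WINDIR}\system32", rf"{WINDIR}\system", WINDIR, cwd, *path_dirs]

def resolve_dll(name, app_dir, cwd, path_dirs, files=SAMPLE_FS):
    """Return the path the loader would pick for `name`, or None if absent."""
    name = name.lower()
    if name in KNOWN_DLLS:
        return rf"{WINDIR}\system32\{name}"
    for d in search_order(app_dir.lower(), cwd.lower(), [p.lower() for p in path_dirs]):
        candidate = str(PureWindowsPath(d) / name)
        if candidate in files:
            return candidate
    return None

def find_shadowed_system_dlls(files=SAMPLE_FS, system_dlls=SAMPLE_SYSTEM_DLLS):
    """Flag DLLs named like a system DLL that sit outside %WINDIR% next to an .exe."""
    dirs_with_exe = {str(PureWindowsPath(f).parent) for f in files if f.endswith(".exe")}
    hits = []
    for f in sorted(files):
        p = PureWindowsPath(f)
        if (p.suffix == ".dll" and p.name in system_dlls
                and not f.startswith(WINDIR) and str(p.parent) in dirs_with_exe):
            hits.append(f)
    return hits

if __name__ == "__main__":
    print(resolve_dll("VERSION.dll", r"c:\programdata\tool", r"c:\users\public", []))
    print(find_shadowed_system_dlls())
```

On a real host the scan would be fed a directory walk instead of SAMPLE_FS, and any hit should be compared against the signed System32 copy before it is treated as malicious.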
The investigation by Securelist revealed a targeted intrusion by Tropic Trooper, a threat actor linked to FamousSparrow, against a government entity in the Middle East.
The attackers used a new loader and post-exploitation tools, but their tactics were similar to previous campaigns, which focused on a content management platform publishing human rights studies on the Israel-Hamas conflict, suggesting a deliberate intent to target information related to this sensitive topic.