Tropic Trooper is an independent terrorist organization that has conducted operations against specific targets in Taiwan, the Philippines, and Hong Kong. Since 2011, Tropic Trooper has operated with the goal of targeting organizations in the public sector, the healthcare industry, the transportation sector, and the high technology sector.
Researchers in the field of cybersecurity have uncovered a new campaign that has been connected to the Chinese hacking outfit known as “Tropic Trooper.” This campaign makes use of a novel loader known as Nimbda as well as a new form of the Yahoyah trojan.
We have concluded that this activity is probably connected to Tropic Trooper, and TA428 by proxy, based on the following TTPs:
- The loading process of the final payload, from the use of steganography to hide a payload DLL inside a downloaded image, to the exported function name of the payload DLL (StartWork), invoked by SN Yahoyah in order to run the logic inside.
- The use of TClient as a final payload.
- The C&C check-in format, shared almost verbatim by SN Yahoyah and USBFerry, a malware deployed by Tropic Trooper that targets air-gapped networks.
- The version naming and the victim’s data formatting in both samples are very similar, considering 4