Tropic Trooper | APT Profile

Description

[Tropic Trooper](https://attack.mitre.org/groups/G0081) is an unaffiliated threat group that has led targeted campaigns against targets in Taiwan, the Philippines, and Hong Kong. [Tropic Trooper](https://attack.mitre.org/groups/G0081) focuses on targeting government, healthcare, transportation, and high-tech industries and has been active since 2011.(Citation: TrendMicro Tropic Trooper Mar 2018)(Citation: Unit 42 Tropic Trooper Nov 2016)(Citation: TrendMicro Tropic Trooper May 2020)

Techniques Used (TTPs)

T1543.003 — Windows Service (persistence, privilege-escalation)
T1070.004 — File Deletion (defense-evasion)
T1566.001 — Spearphishing Attachment (initial-access)
T1105 — Ingress Tool Transfer (command-and-control)
T1057 — Process Discovery (discovery)
T1204.002 — Malicious File (execution)
T1573 — Encrypted Channel (command-and-control)
T1071.001 — Web Protocols (command-and-control)
T1564.001 — Hidden Files and Directories (defense-evasion)
T1221 — Template Injection (defense-evasion)
T1033 — System Owner/User Discovery (discovery)
T1046 — Network Service Discovery (discovery)
T1016 — System Network Configuration Discovery (discovery)
T1052.001 — Exfiltration over USB (exfiltration)
T1547.001 — Registry Run Keys / Startup Folder (persistence, privilege-escalation)
T1505.003 — Web Shell (persistence)
T1573.002 — Asymmetric Cryptography (command-and-control)
T1059.003 — Windows Command Shell (execution)
T1106 — Native API (execution)
T1574.001 — DLL (persistence, privilege-escalation, defense-evasion)
T1083 — File and Directory Discovery (discovery)
T1027.013 — Encrypted/Encoded File (defense-evasion)
T1036.005 — Match Legitimate Resource Name or Location (defense-evasion)
T1132.001 — Standard Encoding (command-and-control)
T1078.003 — Local Accounts (defense-evasion, persistence, privilege-escalation, initial-access)
T1547.004 — Winlogon Helper DLL (persistence, privilege-escalation)
T1203 — Exploitation for Client Execution (execution)
T1071.004 — DNS (command-and-control)
T1119 — Automated Collection (collection)
T1055.001 — Dynamic-link Library Injection (defense-evasion, privilege-escalation)
T1020 — Automated Exfiltration (exfiltration)
T1135 — Network Share Discovery (discovery)
T1082 — System Information Discovery (discovery)
T1518.001 — Security Software Discovery (discovery)
T1140 — Deobfuscate/Decode Files or Information (defense-evasion)
T1049 — System Network Connections Discovery (discovery)
T1027.003 — Steganography (defense-evasion)
T1518 — Software Discovery (discovery)
T1091 — Replication Through Removable Media (lateral-movement, initial-access)

Total TTPs: 39

Malware & Tools

Malware: KeyBoy, PoisonIvy, ShadowPad, USBferry, YAHOYAH

Tools: BITSAdmin

← Return to Home ← Back to APT Search