
Pirates of The Nang Hai: Follow the Artifacts of Tropic Trooper, No One Knows - Yusuke Niwa, Suguru Ishimaru

Conference announcements

  • Everyone is welcome to contribute to the shared notes! Log in to HackMD to edit.

Welcome to the HITCON CMT 2024 shared notes
Notes portal: https://hackmd.io/@HITCON/2024-note

Start here
Tropic Trooper
KeyBoy
EntryShell -> Entry + Shell

  • Live interpretation
  • https://www.youtube.com/live/xy2k0M-vJ3w
  • Uncommon techniques used by Tropic Trooper
    • case1: VSCode as a RAT Attack
      • create a super timeline for the compromised host
      • explore the PowerShell logs to verify the links
        (the attacker used the VSCode terminal to run PowerShell)
    • case2: EvilTwin Attack Overview
      • 1. Look for the site
      • 2. Set up a rogue Wi-Fi
      • 3. Victim connects to the rogue Wi-Fi
      • 4. Steal credentials
      • 5. Set up a PC under the rogue Wi-Fi
    • case3: Scanning Domestic Electronic Seal System
    • case4: Cobalt Strike Beacon was detected
      • Datetime, Size, Hash are useful
        • file size is too small
        • hash values are the same
    • summary
      • Tropic Trooper is very active
      • Sharp insight and strong forensic/reversing skills are essential

EntryShell: a variant of KeyBoy

Updates
1. ascii2bin + AES-128-ECB
2. malware config

https://blog-en.itochuci.co.jp/entry/2023/10/06/173200
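As an added example (not code from the talk or from the linked blog post), the decode pipeline the notes describe, ascii2bin followed by AES-128-ECB, written out as a config extractor in Go. Everything specific is an assumption made here so the code runs offline: ascii2bin is taken to mean hex text, the key, the `key=value;` field layout and the sample blob are constructed, and a real sample's encoding, key and layout must be recovered from the binary.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// SampleKey is a constructed 16-byte AES-128 key for the inline sample only;
// it is not a key from any real EntryShell sample.
var SampleKey = []byte("0123456789abcdef")

// ascii2bin turns the ASCII-encoded config blob back into raw bytes.
// Assumption: "ascii2bin" in the notes means plain hex text; swap this
// function out if a real sample uses a different ASCII encoding.
func ascii2bin(s string) ([]byte, error) {
	return hex.DecodeString(strings.TrimSpace(s))
}

// aesECB runs AES over each 16-byte block independently. ECB has no IV and
// no chaining, so identical plaintext blocks give identical ciphertext
// blocks, which is also what makes such blobs recognisable in a dump.
func aesECB(key, in []byte, decrypt bool) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	bs := block.BlockSize()
	if len(in) == 0 || len(in)%bs != 0 {
		return nil, fmt.Errorf("input length %d is not a multiple of the %d-byte block", len(in), bs)
	}
	out := make([]byte, len(in))
	for i := 0; i < len(in); i += bs {
		if decrypt {
			block.Decrypt(out[i:i+bs], in[i:i+bs])
		} else {
			block.Encrypt(out[i:i+bs], in[i:i+bs])
		}
	}
	return out, nil
}

// unpad strips PKCS#7 padding when it is well formed and otherwise trailing
// NULs, since malware configs use either scheme.
func unpad(pt []byte) []byte {
	if n := len(pt); n > 0 {
		p := int(pt[n-1])
		if p >= 1 && p <= aes.BlockSize && p <= n &&
			bytes.Equal(pt[n-p:], bytes.Repeat([]byte{byte(p)}, p)) {
			return pt[:n-p]
		}
	}
	return bytes.TrimRight(pt, "\x00")
}

// parseConfig reads "key=value;key=value" pairs. This layout is an
// assumption for the example, not the real EntryShell config format.
func parseConfig(pt []byte) (map[string]string, error) {
	cfg := map[string]string{}
	for _, kv := range strings.Split(string(pt), ";") {
		if kv == "" {
			continue
		}
		k, v, ok := strings.Cut(kv, "=")
		if !ok {
			return nil, fmt.Errorf("malformed field %q (wrong key or encoding?)", kv)
		}
		cfg[k] = v
	}
	if len(cfg) == 0 {
		return nil, errors.New("no fields decoded")
	}
	return cfg, nil
}

// DecodeConfig is the full pipeline: ascii2bin -> AES-128-ECB -> unpad -> parse.
func DecodeConfig(blob string, key []byte) (map[string]string, error) {
	raw, err := ascii2bin(blob)
	if err != nil {
		return nil, fmt.Errorf("ascii2bin: %w", err)
	}
	pt, err := aesECB(key, raw, true)
	if err != nil {
		return nil, fmt.Errorf("aes-ecb: %w", err)
	}
	return parseConfig(unpad(pt))
}

// SampleBlob builds a constructed blob the way a packer would (pad ->
// encrypt -> hex) so the example runs offline; it is not a real sample.
func SampleBlob() string {
	plain := []byte("c2=update.example.invalid;port=443;sleep=60;tag=hitcon-demo")
	pad := aes.BlockSize - len(plain)%aes.BlockSize
	plain = append(plain, bytes.Repeat([]byte{byte(pad)}, pad)...)
	ct, _ := aesECB(SampleKey, plain, false)
	return hex.EncodeToString(ct)
}

func main() {
	cfg, err := DecodeConfig(SampleBlob(), SampleKey)
	if err != nil {
		fmt.Println("decode failed:", err)
		return
	}
	for _, k := range []string{"c2", "port", "sleep", "tag"} {
		fmt.Printf("%-6s %s\n", k, cfg[k])
	}
}
```

The padding fallback is the part to keep an eye on: a wrong guess there does not fail loudly, it silently truncates or garbles the last config field, so verify the trailing bytes by hand once on a real sample.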

Xiangoop

  • Xiang (mu) + goop (date.dll)
  • serves as the loader/downloader for EntryShell

Cases

1. VSCode as a RAT attack

create a super timeline for the compromised host

the attacker collected Wi-Fi artifacts through the VSCode terminal:
netsh wlan
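The artefacts listed for case 1 (PowerShell launched from the VSCode terminal, netsh wlan used to collect Wi-Fi profiles) and, from case 4, a JS file run via WScript, turned into detection rules over process-creation events. This is an added example, not tooling from the talk; the log lines are constructed stand-ins modelled on Sysmon Event ID 1 fields and rendered as pipe-separated key=value pairs, and the updater path on the fourth line is a placeholder.

```go
package main

import (
	"fmt"
	"strings"
)

// ProcEvent holds the Sysmon Event ID 1 (process creation) fields the rules
// below look at.
type ProcEvent struct {
	Time, Image, ParentImage, CommandLine string
}

// Finding is one rule hit, keyed to the event time so it can be placed back
// on the super timeline.
type Finding struct {
	Rule, Time, Detail string
}

// SampleLog is constructed data (not evidence from the incident): five
// process-creation events as pipe-separated key=value pairs.
const SampleLog = `UtcTime=2024-05-02 01:12:44|Image=C:\Users\u\AppData\Local\Programs\Microsoft VS Code\Code.exe|ParentImage=C:\Windows\explorer.exe|CommandLine="C:\Users\u\AppData\Local\Programs\Microsoft VS Code\Code.exe"
UtcTime=2024-05-02 01:13:10|Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|ParentImage=C:\Users\u\AppData\Local\Programs\Microsoft VS Code\Code.exe|CommandLine=powershell.exe -NoLogo
UtcTime=2024-05-02 01:13:31|Image=C:\Windows\System32\netsh.exe|ParentImage=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|CommandLine=netsh wlan show profile name="CorpWiFi" key=clear
UtcTime=2024-05-02 01:20:05|Image=C:\Windows\System32\wscript.exe|ParentImage=C:\Program Files\HypotheticalDict\updater.exe|CommandLine=wscript.exe C:\Users\u\AppData\Local\Temp\update.js
UtcTime=2024-05-02 01:21:00|Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|ParentImage=C:\Windows\explorer.exe|CommandLine=powershell.exe`

// baseName returns the file name of a Windows path without depending on the
// host OS path separator.
func baseName(p string) string {
	if i := strings.LastIndexAny(p, `\/`); i >= 0 {
		return p[i+1:]
	}
	return p
}

func isOneOf(name string, names ...string) bool {
	for _, n := range names {
		if strings.EqualFold(name, n) {
			return true
		}
	}
	return false
}

// ParseLine turns one key=value|key=value line into a ProcEvent; the first
// '=' separates key from value, so values may themselves contain '='.
func ParseLine(line string) (ProcEvent, bool) {
	var ev ProcEvent
	for _, kv := range strings.Split(line, "|") {
		k, v, ok := strings.Cut(kv, "=")
		if !ok {
			continue
		}
		switch k {
		case "UtcTime":
			ev.Time = v
		case "Image":
			ev.Image = v
		case "ParentImage":
			ev.ParentImage = v
		case "CommandLine":
			ev.CommandLine = v
		}
	}
	return ev, ev.Image != ""
}

// Rules encodes the three artefacts the talk called out.
func Rules(ev ProcEvent) []Finding {
	var out []Finding
	img, parent := baseName(ev.Image), baseName(ev.ParentImage)
	cmd := strings.ToLower(ev.CommandLine)

	// Case 1: a shell spawned by the VS Code process (integrated terminal).
	if isOneOf(img, "powershell.exe", "pwsh.exe", "cmd.exe") && isOneOf(parent, "Code.exe") {
		out = append(out, Finding{"vscode-terminal-shell", ev.Time, ev.CommandLine})
	}
	// Case 1: Wi-Fi profile export with the key in clear text.
	if isOneOf(img, "netsh.exe") && strings.Contains(cmd, "wlan") && strings.Contains(cmd, "key=clear") {
		out = append(out, Finding{"wlan-key-clear", ev.Time, ev.CommandLine})
	}
	// Case 4: a script host running a .js dropped in a user-writable directory.
	if isOneOf(img, "wscript.exe", "cscript.exe") &&
		(strings.Contains(cmd, ".js") || strings.Contains(cmd, ".jse")) &&
		(strings.Contains(cmd, `\appdata\`) || strings.Contains(cmd, `\temp\`) || strings.Contains(cmd, `\users\public\`)) {
		out = append(out, Finding{"wscript-js-userdir", ev.Time, ev.CommandLine})
	}
	return out
}

// Analyze runs every rule over every line and returns the hits in log order.
func Analyze(log string) []Finding {
	var findings []Finding
	for _, line := range strings.Split(log, "\n") {
		if ev, ok := ParseLine(strings.TrimSpace(line)); ok {
			findings = append(findings, Rules(ev)...)
		}
	}
	return findings
}

func main() {
	for _, f := range Analyze(SampleLog) {
		fmt.Printf("%s  %-22s %s\n", f.Time, f.Rule, f.Detail)
	}
}
```

Parent-process context is what separates the VSCode case from a developer's everyday shell, so the rule keys on ParentImage rather than on PowerShell alone; the last sample line (PowerShell from explorer.exe) is there to show the rule staying quiet.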

2. EvilTwin attack

look for the site

set up a rogue Wi-Fi

victim connects

steal credentials

set up an attack PC

  3. Scanning the domestic electronic seal system
  4. Cobalt Strike Beacon was detected.

Case 4: Datetime, Size, Hash are useful

Malicious content in the Youdao Dictionary updater

JS file from the C2 server, executed via WScript

Downloads malware disguised as McAfeeeManager.exe, plus a CAB file

embed

Cobalt Strike Beacon
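Case 4's triage pivots (datetime, size, hash; the too-small file size and the identical hashes) as an added Go example, not the speakers' tooling. The file inventory is constructed: an MZ header plus filler, invented hosts and paths, with only the McAfeeeManager.exe name taken from the notes; the 4096-byte size floor is an assumption.

```go
package main

import (
	"bytes"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"sort"
	"time"
)

// Artifact is one collected file. Data holds the collected bytes; here they
// are constructed stand-ins (MZ header plus filler), not real samples.
type Artifact struct {
	Host, Path string
	MTime      time.Time
	Data       []byte
}

// SmallPEThreshold is an assumed size floor: a PE this small is usually a
// stager or stub rather than a full program and deserves a second look.
const SmallPEThreshold = 4096

// mkPE builds a constructed PE-looking blob of n bytes.
func mkPE(filler byte, n int) []byte {
	b := bytes.Repeat([]byte{filler}, n)
	b[0], b[1] = 'M', 'Z'
	return b
}

var t0 = time.Date(2024, 5, 2, 1, 30, 0, 0, time.UTC)

// SampleArtifacts is constructed inventory data for three hosts. The
// McAfeeeManager.exe name is the disguise written in the notes; the other
// names, paths and times are made up.
var SampleArtifacts = []Artifact{
	{"HOST-A", `C:\Users\u\AppData\Local\Temp\McAfeeeManager.exe`, t0, mkPE(0x41, 1200)},
	{"HOST-B", `C:\ProgramData\svchost.exe`, t0.Add(7 * time.Minute), mkPE(0x41, 1200)},
	{"HOST-A", `C:\Windows\System32\notepad.exe`, t0.Add(-400 * 24 * time.Hour), mkPE(0x42, 200000)},
	{"HOST-C", `C:\Users\u\Downloads\setup.exe`, t0.Add(12 * time.Minute), mkPE(0x43, 900)},
}

// Hash returns the SHA-256 of the collected bytes as hex.
func Hash(a Artifact) string {
	sum := sha256.Sum256(a.Data)
	return hex.EncodeToString(sum[:])
}

// isPE is the cheapest possible PE check: the MZ magic.
func isPE(b []byte) bool {
	return len(b) >= 2 && b[0] == 'M' && b[1] == 'Z'
}

// SharedHashes groups artifacts by hash and keeps only hashes seen more than
// once: the same binary dropped under different names or on several hosts is
// the pivot that links the Beacon drops together.
func SharedHashes(arts []Artifact) map[string][]Artifact {
	byHash := map[string][]Artifact{}
	for _, a := range arts {
		h := Hash(a)
		byHash[h] = append(byHash[h], a)
	}
	for h, group := range byHash {
		if len(group) < 2 {
			delete(byHash, h)
		}
	}
	return byHash
}

// SmallPEs flags PE files under the size threshold.
func SmallPEs(arts []Artifact) []Artifact {
	var out []Artifact
	for _, a := range arts {
		if isPE(a.Data) && len(a.Data) < SmallPEThreshold {
			out = append(out, a)
		}
	}
	return out
}

// Timeline orders artifacts by modification time so drops on different hosts
// read as one sequence.
func Timeline(arts []Artifact) []Artifact {
	out := append([]Artifact(nil), arts...)
	sort.Slice(out, func(i, j int) bool { return out[i].MTime.Before(out[j].MTime) })
	return out
}

func main() {
	for h, group := range SharedHashes(SampleArtifacts) {
		fmt.Println("shared hash", h[:12], "seen", len(group), "times:")
		for _, a := range group {
			fmt.Printf("  %s %s\n", a.Host, a.Path)
		}
	}
	for _, a := range SmallPEs(SampleArtifacts) {
		fmt.Printf("small PE %6d bytes  %s %s\n", len(a.Data), a.Host, a.Path)
	}
	for _, a := range Timeline(SampleArtifacts) {
		fmt.Println(a.MTime.Format(time.RFC3339), a.Host, a.Path)
	}
}
```

Timestamps alone are easy to tamper with, which is why the hash pivot and the size check are run beside the timeline rather than instead of it: a drop that shares its hash with a file on another host is linked regardless of what its mtime says.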

unclear boundary between cyber and physical
