
Friday, 15 May 2015

Taiwan and the Philippines under threat from Operation Tropic Trooper

Some governments and companies may be lagging behind when it comes to using modern methods to protect themselves against cyber attacks. Trend Micro says Taiwan and the Philippines are the latest targets of Operation Tropic Trooper, an ongoing campaign that has been using old infiltration tactics to steal state and industry secrets since 2012. 

From March to May 2015, the company's researchers noted that 62% of Tropic Trooper-related malware infections targeted Taiwanese organisations, while the remaining 38% hit Philippine entities such as government institutions. The attackers crafted spear-phishing emails carrying seemingly interesting documents, with lures hinting at planned bombings, résumés or government budgets. The attached documents exploited two commonly abused Microsoft Office vulnerabilities, CVE-2010-3333 (a stack buffer overflow in the RTF parser) and CVE-2012-0158 (in the MSCOMCTL ActiveX control), to drop and run a Trojan.

The Trojan, TROJ_YAHOYAH, eventually downloads and decrypts a malicious image or decoy file. The downloaded images appear harmless and look similar to the default wallpapers shipped with Windows XP. Hidden inside them by simple steganography*, however, is BKDR_YAHAMAM, a backdoor that steals data from the system, kills processes and services, deletes files and directories, puts the system to sleep, and performs other backdoor functions.


Source: Trend Micro. The Operation Tropic Trooper campaign flow.
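The steganography step described above, as an added illustration that is not code from the Trend Micro report or from the YAHOYAH/YAHAMAM malware: the campaign's actual encoding is not reproduced here. What the example shows is the generic pattern of hiding an XOR-encrypted payload after a JPEG's End Of Image marker, so the file still opens as a normal picture, together with the check a defender can run against a suspect image. The tag `TTXX`, the key, the payload and the JPEG-shaped byte string are all constructed for the example.

```python
"""Appended-payload steganography and a detector for it (added illustration)."""
import math
import struct

EOI, SOS = 0xD9, 0xDA
MAGIC = b"TTXX"  # constructed tag for the toy container; not a real indicator


def jpeg_end_offset(blob: bytes) -> int:
    """Return the offset just past the EOI marker of the JPEG in blob.

    Walks the marker segments; after each SOS it skips the entropy-coded data,
    where 0xFF00 byte stuffing and RSTn markers (0xFFD0-0xFFD7) are legal and
    must not be mistaken for the end of the image.
    """
    if blob[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI marker")
    i, n = 2, len(blob)
    while i + 1 < n:
        if blob[i] != 0xFF:
            raise ValueError(f"expected marker at offset {i}")
        marker = blob[i + 1]
        if marker == EOI:
            return i + 2
        if marker == 0xFF:                                  # fill byte
            i += 1
            continue
        if marker == 0x01 or 0xD0 <= marker <= 0xD7:       # standalone markers
            i += 2
            continue
        seglen = struct.unpack(">H", blob[i + 2:i + 4])[0]
        i += 2 + seglen
        if marker == SOS:
            # skip scan data up to the next real marker
            while i + 1 < n:
                nxt = blob[i + 1]
                if blob[i] == 0xFF and nxt != 0x00 and not 0xD0 <= nxt <= 0xD7:
                    break
                i += 1
    raise ValueError("EOI marker not found")


def trailing_data(blob: bytes) -> bytes:
    """Detector: everything after EOI. A clean JPEG has nothing there."""
    return blob[jpeg_end_offset(blob):]


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; encrypted or compressed trailers sit near 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in (data.count(b) for b in set(data)))


def xor_bytes(data: bytes, key: bytes) -> bytes:
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def embed_payload(image: bytes, payload: bytes, key: bytes) -> bytes:
    """Attacker side: image, then MAGIC, 4-byte length, XOR-encrypted payload."""
    if jpeg_end_offset(image) != len(image):
        raise ValueError("image already carries trailing data")
    return image + MAGIC + struct.pack(">I", len(payload)) + xor_bytes(payload, key)


def extract_payload(stego: bytes, key: bytes):
    """Downloader side: locate the trailer, check the tag, decrypt the payload."""
    trailer = trailing_data(stego)
    if len(trailer) < 8 or not trailer.startswith(MAGIC):
        return None
    (length,) = struct.unpack(">I", trailer[4:8])
    return xor_bytes(trailer[8:8 + length], key)


def _segment(marker: int, payload: bytes) -> bytes:
    return b"\xff" + bytes([marker]) + struct.pack(">H", len(payload) + 2) + payload


# Constructed stand-in with JPEG marker structure only (APP0, SOS, scan data,
# EOI); it is not a decodable picture. The scan data deliberately contains a
# stuffed 0xFF00 and an RST0 marker to exercise the parser.
DECOY_IMAGE = (
    b"\xff\xd8"
    + _segment(0xE0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
    + _segment(SOS, b"\x01\x01\x00\x00\x3f\x00")
    + b"\x12\x34\xff\x00\x56\xff\xd0\x78\x9a"
    + b"\xff\xd9"
)

if __name__ == "__main__":
    key = b"k3y"
    stego = embed_payload(DECOY_IMAGE, b"constructed backdoor bytes", key)
    print("clean trailer bytes:", len(trailing_data(DECOY_IMAGE)))
    extra = trailing_data(stego)
    print("stego trailer bytes:", len(extra), "entropy %.2f" % shannon_entropy(extra))
    print("recovered:", extract_payload(stego, key))
```

The trailing-data check is cheap enough to run on every image a proxy or mail gateway sees and catches any appended-payload trick, not just this container format. Its limit is equally plain: a payload spread through the pixel or scan data itself leaves nothing after EOI, so a high-entropy or oversized image with a clean trailer still deserves a second look.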

Unfortunately, old techniques can still work against networks that store highly sensitive information if the target organisations are not protected, says Trend Micro, pointing out that the infiltration could have been prevented, or at least prepared for, with proactive measures such as vulnerability patching, security training and anti-malware detection.

As of the first half of this year, almost 17% of systems in Taiwan and 13% in the Philippines still run Windows XP. Given that larger agencies take longer to upgrade their systems, there is a high probability that the targets of this campaign still use the legacy OS, with all the vulnerabilities that come with it. There is also a possibility that the threat actors chose this form of steganography because they either still use the outdated OS themselves or have in-depth knowledge of it.

Need context?

More information can be found in the Trend Micro blog post and research paper.
Here's a recent TechTrade Asia blog post about Trend Micro reporting that Taiwan government bodies are targeted through the popular LINE chat app.

*Steganography hides messages in other information.
