Israeli cybersecurity company Check Point said in a report that it had identified a threat cluster, tied to the hacking group Tropic Trooper, using a previously undocumented malware loader written in the Nim programming language.
Tropic Trooper, also known by the monikers Earth Centaur, KeyBoy, and Pirate Panda, has a track record of striking targets located in Taiwan, Hong Kong, and the Philippines, primarily focusing on government, healthcare, transportation, and high-tech industries.
The novel malware, dubbed Nimbda, is “bundled with a Chinese-language greyware ‘SMS Bomber’ tool that is most likely illegally distributed in the Chinese-speaking web” and is being used to strike targets as part of a newly discovered campaign.
“Whoever crafted the Nim loader took special care to give it the same executable icon as the SMS Bomber that it drops and executes,” the researchers said. “Therefore the entire bundle works as a trojanized binary.”
An SMS bomber is a tool that, as the name suggests, floods a phone number with a barrage of text messages, rendering it unusable in what amounts to a denial-of-service (DoS) attack on the target's handset.
The latest attack began with the tampered SMS Bomber tool, which launched an embedded executable while also injecting a separate piece of shellcode into a notepad.exe process.
This kicks off an infection chain in which the infected program downloads a next-stage binary from an obfuscated IP address specified in a Markdown file hosted in an attacker-controlled GitHub or Gitee repository, a dead-drop resolver that lets the operators change the real C2 address without touching the implant.
The retrieved binary is an upgraded version of a trojan named Yahoyah that’s designed to collect information about local wireless networks in the victim machine’s vicinity as well as other system metadata and exfiltrate the details back to a command-and-control (C2) server.
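The chain described above leaves two footprints that defenders can hunt for without any sample-specific indicator: a remote thread created in notepad.exe by another process, and notepad.exe, which normally never touches the network, opening a connection to a code-hosting site. The script below is an added illustration written for this page, not code from Check Point's report or from the malware; the event records are constructed to mimic Sysmon-style process-creation (EventID 1), CreateRemoteThread (EventID 8) and network-connection (EventID 3) fields, and the dead-drop host list and file paths are assumptions for the example.

```python
"""Hunting heuristic for the Nimbda / Yahoyah infection chain (added example)."""
from collections import defaultdict

# Constructed Sysmon-style events for the demo; the paths, PIDs and hostnames
# are assumptions, not indicators from the report.
SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessId": 4100,
     "Image": r"C:\Users\u\Downloads\SMSBomber.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},
    # notepad.exe spawned by the trojanized bundle rather than by the user
    {"EventID": 1, "ProcessId": 4200,
     "Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Users\u\Downloads\SMSBomber.exe"},
    # shellcode injection shows up as a remote thread into notepad.exe
    {"EventID": 8, "SourceProcessId": 4100,
     "SourceImage": r"C:\Users\u\Downloads\SMSBomber.exe",
     "TargetProcessId": 4200,
     "TargetImage": r"C:\Windows\System32\notepad.exe"},
    # the injected code fetches the dead-drop file from a code-hosting site
    {"EventID": 3, "ProcessId": 4200,
     "Image": r"C:\Windows\System32\notepad.exe",
     "DestinationHostname": "raw.githubusercontent.com",
     "DestinationPort": 443},
    # benign control: user opens Notepad from Explorer, no injection, no network
    {"EventID": 1, "ProcessId": 5000,
     "Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},
]

# Hosts the article names as dead-drop locations (GitHub / Gitee); assumed list.
DEAD_DROP_HOSTS = {"github.com", "raw.githubusercontent.com", "gitee.com"}
EXPECTED_NOTEPAD_PARENTS = {"explorer.exe", "cmd.exe", "powershell.exe"}


def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def hunt(events):
    """Return {notepad_pid: [finding, ...]} for notepad.exe instances that show
    an unexpected parent, a remote thread from another process, or any
    outbound network connection."""
    findings = defaultdict(list)
    for ev in events:
        eid = ev["EventID"]
        if eid == 1 and _basename(ev["Image"]) == "notepad.exe":
            parent = _basename(ev["ParentImage"])
            if parent not in EXPECTED_NOTEPAD_PARENTS:
                findings[ev["ProcessId"]].append(f"spawned by {ev['ParentImage']}")
        elif eid == 8 and _basename(ev["TargetImage"]) == "notepad.exe":
            findings[ev["TargetProcessId"]].append(
                f"remote thread from {ev['SourceImage']}")
        elif eid == 3 and _basename(ev["Image"]) == "notepad.exe":
            host = ev.get("DestinationHostname", "")
            tag = "dead-drop host" if host in DEAD_DROP_HOSTS else "unexpected network"
            findings[ev["ProcessId"]].append(
                f"{tag}: {host}:{ev['DestinationPort']}")
    return dict(findings)


if __name__ == "__main__":
    for pid, hits in hunt(SAMPLE_EVENTS).items():
        print(f"notepad.exe pid {pid}:")
        for hit in hits:
            print(f"  - {hit}")
```

Running it flags only pid 4200, with all three findings; the benign Notepad instance (pid 5000) produces nothing. In production the same three signals map directly onto Sysmon or EDR telemetry, and the network rule is the cheapest to deploy: any connection from notepad.exe is worth a look, whether or not the destination is on a code-hosting domain.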
“The observed activity cluster paints a picture of a focused, determined actor with a clear goal in mind,” the researchers concluded.