Chinese hackers target script kiddies with info-stealer trojan

by ITECHNEWS
June 23, 2022
in Infosec, Leading Stories
Cybersecurity researchers have discovered a new campaign attributed to the Chinese “Tropic Trooper” hacking group, which employs a novel loader called Nimbda and a new variant of the Yahoyah trojan.

The trojan is bundled in a greyware tool named ‘SMS Bomber,’ which is used for denial of service (DoS) attacks against phones, flooding them with messages. Tools like this are commonly used by “beginner” threat actors who want to launch attacks against sites.


According to a report by Check Point, the threat actors also demonstrate in-depth cryptographic knowledge, extending the AES specification in a custom implementation.

Attack chain

The infection begins with downloading a malicious version of SMS Bomber, which contains the tool’s binary and standard functionality. However, the download has been modified to include additional code that injects into a notepad.exe process.

The downloaded executable is actually the ‘Nimbda’ loader, which uses the SMS Bomber icon, and contains SMS Bomber as an embedded executable.

The SMS Bomber GUI tool (Check Point)

In the background, the loader injects shellcode into the notepad process to reach a GitHub repository, fetch an obfuscated executable, decode it, and then run it via process hollowing in ‘dllhost.exe.’

This payload is the new Yahoyah variant, which collects data about the host and sends it to the C2 server. The information collected by Yahoyah includes the following:

  • local wireless network SSIDs in the victim machine’s vicinity
  • computer name
  • MAC address
  • OS version
  • installed AV products
  • presence of WeChat and Tencent files

The final payload, dropped by the Yahoyah executable, is encoded in a JPG image using steganography. Check Point identifies it as ‘TClient,’ a backdoor Tropic Trooper used in past campaigns.
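The chain described above (shellcode injected into notepad.exe, notepad.exe reaching out to GitHub, and a hollowed dllhost.exe) gives a defender three observable stages to correlate. The following is an added example, not code from Check Point or from the article: a small Python correlator over Sysmon-style process telemetry. The event records, host names and field layout are constructed for the example, the event IDs follow Sysmon's convention (1 process create, 3 network connect, 8 CreateRemoteThread), and treating svchost.exe as the only expected parent of dllhost.exe is an assumption made for illustration, not an indicator from the campaign.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    """One Sysmon-style telemetry record (constructed layout, not a real log format)."""
    host: str
    event_id: int            # 1 = process create, 3 = network connect, 8 = CreateRemoteThread
    image: str               # acting process
    parent_image: str = ""   # event 1 only
    target_image: str = ""   # event 8 only: process that receives the new thread
    dest_host: str = ""      # event 3 only


# The three stages of the chain the article describes, in order.
STAGES = ("inject_into_notepad", "notepad_network_egress", "dllhost_odd_parent")


def _name(path: str) -> str:
    """Normalise a Windows or POSIX path to a lower-case image name."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def classify(ev: Event):
    """Return the chain stage an event matches, or None when it looks benign."""
    img = _name(ev.image)
    # Stage 1: some other process creates a thread inside notepad.exe (injection).
    if ev.event_id == 8 and _name(ev.target_image) == "notepad.exe" and img != "notepad.exe":
        return "inject_into_notepad"
    # Stage 2: notepad.exe has no business opening outbound connections at all.
    if ev.event_id == 3 and img == "notepad.exe":
        return "notepad_network_egress"
    # Stage 3: dllhost.exe started by something other than svchost.exe (assumed
    # expected parent for this example) is consistent with process hollowing.
    if ev.event_id == 1 and img == "dllhost.exe" and _name(ev.parent_image) != "svchost.exe":
        return "dllhost_odd_parent"
    return None


def correlate(events):
    """Group matched stages per host; all three stages on one host is a full chain."""
    per_host = defaultdict(set)
    for ev in events:
        stage = classify(ev)
        if stage:
            per_host[ev.host].add(stage)
    return {h: ("full_chain" if s == set(STAGES) else "partial") for h, s in per_host.items()}


# Constructed sample telemetry: WS01 shows the whole chain, WS02 is benign,
# WS03 shows only the injection stage.
SAMPLE_EVENTS = [
    Event("WS01", 8, r"C:\Users\u\Downloads\SMSBomber.exe", target_image=r"C:\Windows\System32\notepad.exe"),
    Event("WS01", 3, r"C:\Windows\System32\notepad.exe", dest_host="raw.githubusercontent.com"),
    Event("WS01", 1, r"C:\Windows\System32\dllhost.exe", parent_image=r"C:\Windows\System32\notepad.exe"),
    Event("WS02", 1, r"C:\Windows\System32\dllhost.exe", parent_image=r"C:\Windows\System32\svchost.exe"),
    Event("WS02", 1, r"C:\Windows\System32\notepad.exe", parent_image=r"C:\Windows\explorer.exe"),
    Event("WS03", 8, r"C:\Tools\debugger.exe", target_image=r"C:\Windows\System32\notepad.exe"),
]


if __name__ == "__main__":
    for host, verdict in sorted(correlate(SAMPLE_EVENTS).items()):
        print(f"{host}: {verdict}")
```

Each stage alone produces noise (a debugger attaching to notepad.exe, an unusual dllhost.exe parent); requiring all three on one host before raising the severity keeps the rule usable, while a partial match is still worth a look.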

Complete infection chain (Check Point)

Custom AES implementation

The encryption used to wrap Yahoyah is a custom implementation of AES, which performs the inverted sequence of round operations twice; hence Check Point names it AEES.

Odd AES code snippet (Check Point)

This doesn’t make encryption stronger but makes analysis of the sample very difficult, discouraging researchers who aren’t determined enough or making their work much more tedious.

“Getting an analyst to go through that entire rigmarole is a cruel and effective feat, especially for the meager cost on the malware author’s side,” comments Check Point.

“They just need the knowledge and self-confidence to mess with the crypto in a way that will not render it nonoperational.”

Peculiar targeting

Tropic Trooper is a sophisticated threat actor focused on espionage, previously seen running phishing campaigns against Russian officials.

Trojanizing ‘SMS Bomber’ indicates precise, narrow targeting, so it is likely a decision based on intelligence collected during preceding espionage.

While the exact targeting scope is unknown, this campaign demonstrates Tropic Trooper’s capability to create any decoy needed for their operations, cryptographic knowledge, and malware development activity.

Source: Bill Toulas
Via: bleepingcomputer