Chinese APT Rebrands to Target Transportation Sector


Group Now Called Earth Centaur Tries to Access Flight Schedules


The Chinese state-sponsored threat group Tropic Trooper, or KeyBoy, has resurfaced as Earth Centaur and is targeting the transportation industry and government agencies associated with that sector, according to new research from cybersecurity firm Trend Micro.


The researchers were able to link Earth Centaur to Tropic Trooper by identifying several shared techniques and code reuse in the tools deployed post-exploitation.

Researchers from Trend Micro say they have evidence that Earth Centaur is using red-teaming techniques to penetrate the security periphery of its targets and has attempted to access internal documents of targeted organizations, including transportation-related data such as flight schedules and financial plans, as well as personal information, including search histories.

In addition to changing its name, the researchers say, the group has added several new tools and techniques. One is the use of an open-source framework that allows customization of backdoors depending on the target’s security settings.

The activity, which Trend Micro first observed in July 2020, has been ongoing ever since, according to the researchers, who say, “Currently, we have not discovered substantial damage to these victims as caused by the threat group. However, we believe that it will continue collecting internal information from the compromised victims and that it is simply waiting for an opportunity to use this data.”

Modus Operandi

Trend Micro’s researchers split the entire infection chain into four parts: entry point, first stage, second stage and post-exploitation.


Earth Centaur’s modus operandi (Source: Trend Micro)

Entry Point

Earth Centaur can bypass network security by using common protocols to transfer data during its cyberespionage campaign, according to Trend Micro’s researchers. The initial entry point is through vulnerable Internet Information Services, or IIS, servers and Exchange Server vulnerabilities, including exploitation of the infamous ProxyLogon vulnerabilities, the researchers say.

First Stage

After initial entry, in the first stage of infiltration, a loader called Nerapack and an encrypted [.]bin payload file are loaded through the malicious web shell, the researchers say. Two different decryption algorithms – DES or AES – are used in the Nerapack loader, which then decrypts the payload, they say.

The researchers were able to successfully decrypt this payload and found it to be Quasar RAT. “After the payload is deployed, the actors can continue further malicious actions through Quasar RAT,” the researchers say.

In 2018, the U.S. Cybersecurity and Infrastructure Security Agency said it was aware of Quasar RAT being exploited, especially by APT groups for cybercrime and cyberespionage campaigns, since it is a publicly available open-source project and thus allows broad customization options to adversaries.

Second Stage

Deeper analysis of the malware code suggests that the threat group developed multiple backdoors capable of communication via common network protocols, according to the researchers. Using common protocols helps the attackers bypass network security systems, they say.

“We found that the group tries to launch various backdoors per victim. Furthermore, it also tends to use existing frameworks to make customized backdoors. By using existing frameworks it builds new backdoor variants more efficiently.”

Notable backdoors found by the researchers include ChiserClient, HTShell, Customized Lilith RAT, SmileSvr – which has two variants based on the protocol used for communication: ICMP and SSL – and Customized Gh0st RAT. Each backdoor specializes in a particular function ranging from file upload and download to checking environment and active session information.


Post-Exploitation

In this stage, after establishing successful infiltration, the threat actor uses several tools, including SharpHound, FRPC, Chisel and RClone, for network discovery, access to the intranet and exfiltration in a step-by-step manner.

Of these, “FRP is a fast-reverse proxy used to expose a local server behind an NAT or a firewall to the internet, and Chisel is a fast TCP/UDP tunnel, which is mainly used for passing through firewalls,” the researchers say. The RClone tool in particular raises concerns because, based on the researchers’ previous study, it has frequently been used in ransomware attacks for data exfiltration.

Earth Centaur also used credential dumping and cleanup tools in the current campaign to cover its tracks on the victim’s system.
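As an added illustration (not from Trend Micro or the original article), the hunt below maps process-creation events to the roles the tools named above play and raises severity when one host shows more than one role, which is the step-by-step pattern described. The event fields, sample events and command-line regexes are assumptions made for this example.

```python
import re
from collections import defaultdict

# (tool, role, image-name regex, command-line regex for renamed copies).
# Tool-to-role mapping follows the article; the regexes are assumptions
# based on each tool's public CLI and need tuning against local telemetry.
RULES = [
    ("SharpHound", "discovery", r"sharphound",
     r"(--collectionmethods|\s-c)\s+(all|dconly|session)\b"),
    ("FRPC", "intranet-access", r"^frpc(\.exe)?$", r"\s-c\s+\S+\.(ini|toml)\b"),
    ("Chisel", "intranet-access", r"^chisel(\.exe)?$", r"\sclient\s+\S+\s+R:\S+"),
    ("RClone", "exfiltration", r"^rclone(\.exe)?$",
     r"\s(copy|sync|move)\s.*\s[\w-]{2,}:\S*"),
]

# Constructed process-creation events (hosts, paths and addresses are made up).
EVENTS = [
    {"host": "WEB01", "image": r"C:\Windows\Temp\SharpHound.exe",
     "cmdline": "SharpHound.exe -c All"},
    {"host": "WEB01", "image": r"C:\ProgramData\svc.exe",
     "cmdline": "svc.exe client 203.0.113.10:443 R:socks"},
    {"host": "WEB01", "image": r"C:\ProgramData\upd.exe",
     "cmdline": r"upd.exe copy D:\share\plans backup:drop"},
    {"host": "APP02", "image": r"C:\Tools\app.exe",  # benign look-alike
     "cmdline": r"app.exe -c C:\Tools\app.ini"},
    {"host": "HR03", "image": r"C:\Windows\System32\ping.exe",
     "cmdline": "ping.exe -n 4 10.0.0.1"},
]

def classify(event):
    """Return (tool, role, matched_on) for one event, or None if no rule hits."""
    base = re.split(r"[\\/]", event["image"])[-1]
    for tool, role, name_re, cmd_re in RULES:
        if re.search(name_re, base, re.I):
            return tool, role, "image"
        if re.search(cmd_re, event["cmdline"], re.I):
            return tool, role, "cmdline"
    return None

def hunt(events):
    """Group hits per host; two or more distinct roles on one host is 'high'."""
    hits = defaultdict(list)
    for ev in events:
        match = classify(ev)
        if match:
            hits[ev["host"]].append(match)
    return {host: {"roles": sorted({m[1] for m in found}),
                   "severity": "high" if len({m[1] for m in found}) >= 2 else "review",
                   "hits": found} for host, found in hits.items()}
```

Calling `hunt(EVENTS)` rates WEB01 high because discovery, tunnelling and exfiltration all appear on it, while the single loose command-line match on APP02 is only queued for review.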

Targeting the Transportation Industry

Last week, Information Security Media Group reported that an Iranian state-sponsored threat group was targeting an Asian airline’s system to access the airline’s passenger reservations data (see: Iranian Threat Actor Uses Slack API to Target Asian Airline).

James McQuiggan, security awareness advocate at KnowBe4, says the reason for the uptick in targeting of the transportation and logistics industry may be that access credentials such as usernames and passwords, intellectual property, customer records or even employee records are always a lucrative model for cybercriminals. “The larger the group, the bigger the business model they will have to do one thing: make money,” McQuiggan says.

“Various cybercriminal groups have expertise in multiple industries. They target them specifically because of the working knowledge they have or learned over the years. There is also the possibility they may have worked in that industry and know that specific industries have security weaknesses that can be exploited.”

Alan Calder, CEO of GRC International Group, calls Earth Centaur “a sophisticated and well-resourced attacker,” based on the TTPs used by the actor in the current campaign. He also says the transportation and logistics sector is a target for both general extortion and nation-state bad actors that are interested in disrupting other countries because the sector plays a critical role in global supply chains.

Calder tells ISMG that the sector has “undergone huge digitization shifts over the past couple of years” and has seen “increased deployment of operational technology systems,” creating “more connections to customers, suppliers and the general ecosystem – and all of this operates with very immature cybersecurity processes.”

Because cybersecurity in this sector is not heavily regulated, he says, organizations are under-skilled and under-aware of the threats.

McQuiggan tells ISMG that another reason behind the keen interest of APT groups in the transportation sector in the recent past could be the bipartisan infrastructure deal – the Infrastructure Investment and Jobs Act – passed by the U.S. Congress in November. The deal contains $39 billion to modernize transit, $89.9 billion for public transit, $25 billion for airports, $66 billion in rail funding, and $7.5 billion to build a national network of electric vehicle chargers.

“Knowing that an infrastructure bill [was] on the horizon, they could [have been] working to gain persistence or a foothold within the various organizations for future exploits. They will gain access and maintain access for some time, quietly stealing information,” McQuiggan says.
