A threat cluster with ties to a hacking group called Tropic
Trooper has been spotted using a previously undocumented
malware loader written in the Nim programming language to strike
targets as part of a newly discovered campaign.
The novel loader, dubbed Nimbda, is “bundled with a Chinese
language greyware ‘SMS Bomber’ tool that is most likely illegally
distributed in the Chinese-speaking web,” Israeli cybersecurity
company Check Point said[1]
in a report.
“Whoever crafted the Nim loader took special care to give it the
same executable icon as the SMS Bomber that it drops and executes,”
the researchers said. “Therefore the entire bundle works as a
trojanized binary.”
SMS Bomber, as the name indicates, allows a user to input a
phone number (not their own) so as to flood the victim’s device
with messages and potentially render it unusable in what amounts
to a denial-of-service (DoS) attack.
The fact that the binary doubles up as SMS Bomber and a backdoor
suggests that the attacks are aimed at users of the tool, a
“rather unorthodox target,” while also being highly targeted in
nature.
Tropic Trooper[2], also known by the
monikers Earth Centaur, KeyBoy, and Pirate Panda, has a track record[3]
of striking targets located in Taiwan, Hong Kong, and the
Philippines, primarily focusing on government, healthcare,
transportation, and high-tech industries.
Calling the Chinese-speaking collective “notably sophisticated
and well-equipped,” Trend Micro last year pointed out the group’s
ability to evolve its tactics, techniques, and procedures (TTPs)
to stay under the radar and to rely on a broad range of custom
tools to compromise its targets.
The latest attack chain documented by Check Point begins with
the tampered SMS Bomber tool, i.e. the Nimbda loader, which
launches an embedded executable, in this case the legitimate SMS
Bomber payload, while also injecting a separate piece of shellcode
into a notepad.exe process.
This kicks off a three-tier infection process that entails
downloading a next-stage binary from an obfuscated IP address
specified in a markdown file (“EULA.md”) that’s hosted in an
attacker-controlled GitHub or Gitee repository.
The retrieved binary is an upgraded version of a trojan named
Yahoyah[4]
that’s designed to collect information about local wireless
networks in the victim machine’s vicinity as well as other system
metadata and exfiltrate the details back to a command-and-control
(C2) server.
Yahoyah, for its part, also acts as a conduit to fetch the
final-stage malware, which is downloaded in the form of an image
from the C2 server. The steganographically-encoded payload is a
backdoor known as TClient and has been deployed by the group in
previous campaigns.
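The chain described above leaves three behaviours a defender can look for: a notepad.exe process that talks to the network (it normally has none), a non-browser, non-git process pulling a Markdown file from GitHub or Gitee, and a download from a bare IPv4 host rather than a hostname. The following is an added example written for this page, not code from Check Point’s report or from the malware, that applies those heuristics to a handful of constructed Sysmon-style network events and correlates hits per process. The sample records, field names, process names such as SMSBomber.exe and stage2.exe, and the 192.0.2.10 address are all constructed for illustration, and the rules are heuristics, not confirmed indicators from the campaign.

```python
"""Heuristic detection for the infection chain described in the article.

Added example, not Check Point's or the threat actor's code. The events,
field names, file names and the 192.0.2.10 address below are constructed;
192.0.2.0/24 is a documentation range and never routes on the internet.
"""
import ipaddress
from collections import defaultdict
from urllib.parse import urlparse

# Processes for which fetching a Markdown file from a code-hosting site is
# normal behaviour and therefore not interesting.
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "iexplore.exe"}
GIT_CLIENTS = {"git.exe", "git-remote-https.exe"}
# Hosts named in the article as dead-drop locations (GitHub or Gitee).
CODE_HOSTS = {"raw.githubusercontent.com", "github.com", "gitee.com"}

# Constructed sample events in the shape of Sysmon network-connection logs
# joined with proxy data (pid, image, parent image, URL, response type).
SAMPLE_EVENTS = [
    {"pid": 4120, "image": "chrome.exe", "parent": "explorer.exe",
     "url": "https://github.com/some-org/some-repo", "ctype": "text/html"},
    {"pid": 2208, "image": "git.exe", "parent": "cmd.exe",
     "url": "https://raw.githubusercontent.com/org/repo/main/README.md",
     "ctype": "text/plain"},
    # Shellcode injected into notepad.exe fetches the dead-drop file ...
    {"pid": 5316, "image": "notepad.exe", "parent": "SMSBomber.exe",
     "url": "https://raw.githubusercontent.com/org/repo/main/EULA.md",
     "ctype": "text/plain"},
    # ... then pulls the next stage from the IP address it recovered.
    {"pid": 5316, "image": "notepad.exe", "parent": "SMSBomber.exe",
     "url": "http://192.0.2.10/update.bin", "ctype": "application/octet-stream"},
    # Next stage downloads an image from a bare-IP C2 (final payload carrier).
    {"pid": 6644, "image": "stage2.exe", "parent": "notepad.exe",
     "url": "http://192.0.2.10/logo.jpg", "ctype": "image/jpeg"},
    {"pid": 7012, "image": "powershell.exe", "parent": "explorer.exe",
     "url": "https://gitee.com/org/repo/raw/master/EULA.md", "ctype": "text/plain"},
]


def is_bare_ipv4(host):
    """True when the URL host is a literal IPv4 address rather than a name."""
    try:
        ipaddress.IPv4Address(host)
        return True
    except ValueError:
        return False


def classify(event):
    """Return the names of the heuristic rules a single event matches."""
    hits = []
    image = event["image"].lower()
    parsed = urlparse(event["url"])
    host = (parsed.hostname or "").lower()

    # Rule 1: notepad.exe has no legitimate reason to open network sockets.
    if image == "notepad.exe":
        hits.append("notepad_network")

    # Rule 2: a Markdown file fetched from a code-hosting site by something
    # that is neither a browser nor a git client looks like a dead drop.
    if (host in CODE_HOSTS and parsed.path.lower().endswith(".md")
            and image not in BROWSERS | GIT_CLIENTS):
        hits.append("markdown_dead_drop")

    # Rule 3: non-browser download straight from a bare IPv4 host.
    if is_bare_ipv4(host) and image not in BROWSERS:
        hits.append("bare_ip_download")

    return hits


def detect(events):
    """Map each pid with at least one hit to the sorted set of rules it tripped."""
    per_pid = defaultdict(set)
    for ev in events:
        for rule in classify(ev):
            per_pid[ev["pid"]].add(rule)
    return {pid: sorted(rules) for pid, rules in per_pid.items()}


def chain_suspects(events, min_rules=2):
    """Pids that tripped at least `min_rules` distinct rules, i.e. a chain, not a one-off."""
    return sorted(pid for pid, rules in detect(events).items()
                  if len(rules) >= min_rules)


if __name__ == "__main__":
    for pid, rules in detect(SAMPLE_EVENTS).items():
        print(pid, rules)
    print("chain suspects:", chain_suspects(SAMPLE_EVENTS))
```

Correlating per process matters more than any single rule: a lone Markdown fetch from Gitee or a single bare-IP download happens in benign environments, but one process doing both, or notepad.exe doing either, is the pattern the article describes. In a real deployment the rules would run over Sysmon Event ID 3 joined to proxy logs rather than over the inline sample list.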
“The observed activity cluster paints a picture of a focused,
determined actor with a clear goal in mind,” the researchers
concluded.
“Usually, when third-party benign (or benign-appearing) tools
are hand-picked to be inserted into an infection chain, they are
chosen to be the least conspicuous possible; the choice of an ‘SMS
Bomber’ tool for this purpose is unsettling, and tells a whole
story the moment one dares to extrapolate a motive and an intended
victim.”
References
[1] said (research.checkpoint.com)
[2] Tropic Trooper (www.trendmicro.com)
[3] track record (thehackernews.com)
[4] Yahoyah (www.trendmicro.com)
Read more https://thehackernews.com/2022/06/chinese-hackers-distributing-sms-bomber.html
