Trooper — SOC Level 1 - Cyber Threat Intelligence — TryHackMe Challenge Walkthrough & Insight
Use Cyber Threat Intelligence knowledge and skills to identify a threat based on a report.
Room URL: https://tryhackme.com/r/room/trooper
Task 1 Who’s The Threat?
A multinational technology company has been the target of several cyber attacks in the past few months. The attackers have been successful in stealing sensitive intellectual property and causing disruptions to the company’s operations. A threat advisory report about similar attacks has been shared, and as a CTI analyst, your task is to identify the Tactics, Techniques, and Procedures (TTPs) being used by the Threat group and gather as much information as possible about their identity and motive. For this task, you will utilise the OpenCTI platform as well as the MITRE ATT&CK navigator, linked to the details below.
Assigned Tools
Start the virtual machine by clicking on the green “Start Machine” button on the upper right section of this task. Give it about 7 minutes to fully load and use the credentials below to access the platforms via the AttackBox or VPN to conduct your investigations.
Username info@tryhack.io
Password TryHackMe1234
OpenCTI: http://MACHINE_IP:8080
ATT&CK Navigator: http://MACHINE_IP:4200
APT X Report
APT X’s USBferry Targets Air-Gapped Networks
APT X, a threat actor group that targets government, military, healthcare, transportation, and high-tech industries in Taiwan, the Philippines, and Hong Kong, has been active since 2011. The group was reportedly using spear-phishing emails with weaponized attachments to exploit known vulnerabilities.
Primarily motivated by information theft and espionage, the group has also been seen adopting different strategies such as fine-tuning tools with new behaviors and going mobile with surveillanceware.
We found that APT X’s latest activities center on targeting Taiwanese and the Philippine military’s physically isolated networks through a USBferry attack (the name derived from a sample found in a related research). We also observed targets among military/navy agencies, government institutions, military hospitals, and even a national bank. The group employs USBferry, a USB malware that performs different commands on specific targets, maintains stealth in environments, and steals critical data through USB storage. We started tracking this particular campaign in 2018, and our analysis shows that it uses a fake executable decoy and a USB trojan strategy to steal information.
Based on data from the Trend Micro™ Smart Protection Network™ security infrastructure, USBferry attacks have been active since 2014. We found the group was focused on stealing defense-, ocean-, and ship-related documents from target networks, which led us to believe that APT X’s main purpose is to exfiltrate confidential information or intelligence.
Figure 1: A sample scenario of the USBferry attack
APT X is well aware that military or government organizations may have more robust security in their physically isolated environments (i.e., the use of biometrics or USB use in a quarantined machine before an air-gapped environment).
The group then targets potentially unsecured related organizations that could serve as jumping-off points for attacks. For instance, we observed APT X move from a military hospital to the military’s physically isolated network.
A USB malware called USBferry
We first encountered the malware from a PricewaterhouseCoopers report that mentioned a sample related to APT X but did not include a detailed analysis. We looked into it further and discovered many versions of it, including several program database (PDB) strings. For one thing, the USBferry malware already has at least three versions, with different variants and components, at the time of writing. Here are the noteworthy points we gathered during analysis:
● The first version has a small component of TROJ_YAHOYAH. The malware tries to check if the target machine has a USB plug-in and copies the USBferry installer into the USB storage. The activities vary in target environments; some execute commands, source target files or folder lists, and copy files from physically isolated hosts to compromised hosts, among other things.
● The second version has the same capabilities as the first and combines components into one executable. This version also changes the malware location and its name to UF, an abbreviation for USBferry.
● The third version retains the previous versions’ capabilities and improves its stealth in the target environment by residing in the rundll32.exe memory.
Figure 2: USBferry malware’s first version, where the EXE file is the USBferry malware and the DLL file is trojan TROJ_YAHOYAH
How USBferry targets air-gapped systems
APT X has changed the way it uses the abovementioned USBferry versions in attacks. The group achieves infection by employing the USB worm infection strategy and ferrying a malware installer via USB into an air-gapped host machine.
Figure 3. USBferry malware using USB worm infection strategy
The notable changes in the group’s latest attack chain that uses version UF1.0 20160226 (detected by Trend Micro as TROJ_USBLODR.ZAHB-A) are as follows:
1. The decoy file first drops a flash_en.inf DLL file, which is a USBferry loader, and tries to load the encrypted USBferry malware.
2. The encrypted USBferry malware is embedded in the loader resource section, and the loader drops it into the C:\Users\Public\Documents\Flash folder and names it flash.dat.
3. After the encrypted payload is loaded, the loader injects a malicious DLL into rundll32.exe. The USBferry malware also loads a C&C configuration file and flash_en.dat, which is also located in the C:\Users\Public\Documents\Flash.
4. The USBferry malware then tries to connect to the download site and uses a Windows command to collect/copy target host data.
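The four steps above give a SOC analyst three host-level behaviours to look for: a loader DLL that carries a .inf extension, files dropped under C:\Users\Public\Documents\Flash, and a DLL injected into rundll32.exe. The following is an added example, not code from the room or from Trend Micro, of checking Sysmon-style events for those behaviours. Field names follow Sysmon's schema (EventID 11 FileCreate, 7 ImageLoad, 8 CreateRemoteThread); the events themselves are constructed for the illustration, not real telemetry.

```python
"""Added example: flag the USBferry loader chain (report steps 1-4) in
Sysmon-style events. Events below are constructed, not real telemetry."""
import ntpath

STAGING_DIR = r"C:\Users\Public\Documents\Flash"   # drop location, report steps 2-3
PUBLIC_DIR = r"C:\Users\Public"

# Constructed sample telemetry. Sysmon EventID 11 = FileCreate,
# 7 = ImageLoad, 8 = CreateRemoteThread.
SAMPLE_EVENTS = [
    {"EventID": 11, "Image": r"C:\Users\alice\Downloads\decoy.exe",
     "TargetFilename": r"C:\Users\Public\Documents\Flash\flash.dat"},
    {"EventID": 7, "Image": r"C:\Users\alice\Downloads\decoy.exe",
     "ImageLoaded": r"C:\Users\Public\Documents\Flash\flash_en.inf"},
    {"EventID": 8, "SourceImage": r"C:\Users\alice\Downloads\decoy.exe",
     "TargetImage": r"C:\Windows\System32\rundll32.exe"},
    {"EventID": 11, "Image": r"C:\Program Files\Adobe\Reader\AcroRd32.exe",
     "TargetFilename": r"C:\Users\alice\Documents\report.pdf"},      # benign
    {"EventID": 7, "Image": r"C:\Windows\System32\svchost.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll"},            # benign
]


def _under(path, directory):
    """Case-insensitive 'path is inside directory' test for Windows paths."""
    p = ntpath.normpath(path).lower()
    d = ntpath.normpath(directory).lower()
    return p.startswith(d + "\\")


def check_event(ev):
    """Return (rule, reference, detail) if the event matches one of the three
    USBferry loader behaviours, otherwise None."""
    eid = ev.get("EventID")
    if eid == 11 and _under(ev["TargetFilename"], STAGING_DIR):
        # Steps 2-3: flash.dat / flash_en.dat written to Public\Documents\Flash
        return ("usbferry_drop_location", "report steps 2-3", ev["TargetFilename"])
    if eid == 7:
        loaded = ev["ImageLoaded"]
        if _under(loaded, PUBLIC_DIR) and ntpath.splitext(loaded)[1].lower() != ".dll":
            # Step 1: a DLL loaded from a .inf path (ATT&CK T1036.008, Masquerade File Type)
            return ("dll_loaded_with_non_dll_extension", "T1036.008", loaded)
    if eid == 8 and ntpath.basename(ev["TargetImage"]).lower() == "rundll32.exe":
        # Step 3: remote thread into rundll32.exe (ATT&CK T1055, Process Injection)
        return ("remote_thread_into_rundll32", "T1055",
                f"{ev['SourceImage']} -> {ev['TargetImage']}")
    return None


def scan_events(events):
    """Run every event through check_event and keep the findings, in order."""
    return [f for f in (check_event(e) for e in events) if f is not None]


if __name__ == "__main__":
    for rule, ref, detail in scan_events(SAMPLE_EVENTS):
        print(f"{rule:36} {ref:18} {detail}")
```

The drop-location rule is the brittle one (the group only has to rename the folder), so the two behavioural rules (non-.dll image load from a user-writable path, remote thread into rundll32.exe) are the ones worth keeping once the campaign-specific indicators age out.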
Answer the questions below
1. What kind of phishing campaign does APT X use as part of their TTPs?
Review the report: its first paragraph states that APT X “was reportedly using spear-phishing emails with weaponized attachments to exploit known vulnerabilities”. That is the phishing variant the question is after: targeted (spear) phishing that delivers a malicious attachment rather than a link, which ATT&CK records as Phishing: Spearphishing Attachment (T1566.001).
Answer: spear-phishing emails
2. What is the name of the malware used by APT X?
Review the report: the name USBferry appears throughout, and the report describes it as the USB malware APT X uses to reach air-gapped systems.
Answer: USBferry
3. What is the malware’s STIX ID?
Log into OpenCTI:
OpenCTI (Open Cyber Threat Intelligence) is an open-source platform for collecting, analysing and sharing cyber threat intelligence; the room runs an instance at http://MACHINE_IP:8080.
Open that URL in the AttackBox browser and sign in with the room’s credentials:
Username: info@tryhack.io
Password: TryHackMe1234
Search for USBferry : Once you’re logged into OpenCTI, use the search bar to look for USBferry.
We found USBferry in OpenCTI under Malware. The malware is associated with Tropic Trooper (APT X) and is an information-stealing tool used for data exfiltration in their attacks.
Click on the USBferry entry in the malware section. This will open the detailed view for this entity.
There you can find the Standard STIX ID for USBferry.
A STIX ID is the identifier every object carries in STIX (Structured Threat Information eXpression), the open standard for exchanging threat intelligence. Its form is fixed: the object type, a double hyphen, then a UUID, for example malware--<uuid>, indicator--<uuid> or intrusion-set--<uuid>. Because the UUID is globally unique, platforms and automated tools can reference, deduplicate and share the same malware, technique or actor without relying on its name.
Standard STIX ID: the ID OpenCTI itself uses for USBferry. OpenCTI generates it deterministically from the entity’s normalised name (a UUIDv5, which is why the third group of the UUID begins with 5), so the same malware imported twice resolves to the same object.
Other STIX IDs: the second ID, malware--75bba379-4ba1-467e-8c60-ec2b269ee984, is the identifier the object carried in the source it was imported from (a random UUIDv4, third group beginning with 4). OpenCTI keeps it so that data arriving with the upstream ID can still be matched to this entity. Both IDs use plain ASCII hyphens; the double hyphen between type and UUID is often turned into a dash when pasted into a document, so copy it from the platform rather than retyping it.
Answer: malware--5d0ea014-1ce9-5d5c-bcc7-f625a07907d0
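The two IDs on USBferry’s page differ in exactly one observable way, the UUID version nibble. The following is an added example, not code from the room or from OpenCTI, that parses both IDs, reports the version, and shows the deterministic UUIDv5 property that gives OpenCTI a stable standard ID. The namespace used for the demonstration is hypothetical; OpenCTI uses its own fixed namespace and its own canonical form of the name, so this does not reproduce OpenCTI’s actual value, only the mechanism.

```python
"""Added example (not from the room or OpenCTI): take apart the two STIX IDs
shown on USBferry's OpenCTI entry and show why they differ."""
import json
import uuid

# Both IDs copied from the OpenCTI entity page; '--' separates type from UUID.
STANDARD_ID = "malware--5d0ea014-1ce9-5d5c-bcc7-f625a07907d0"
OTHER_ID = "malware--75bba379-4ba1-467e-8c60-ec2b269ee984"


def parse_stix_id(stix_id):
    """Split a STIX 2.1 identifier into (object type, uuid.UUID), rejecting
    anything that does not have exactly one '--' and a well-formed UUID."""
    if stix_id.count("--") != 1:
        raise ValueError(f"not a STIX id (need exactly one '--'): {stix_id!r}")
    obj_type, raw = stix_id.split("--")
    # STIX object types are lowercase ASCII letters, digits and hyphens
    if (not obj_type or obj_type != obj_type.lower()
            or not all(c.isalnum() or c == "-" for c in obj_type)):
        raise ValueError(f"bad object type: {obj_type!r}")
    try:
        return obj_type, uuid.UUID(raw)
    except ValueError as exc:
        raise ValueError(f"bad UUID in {stix_id!r}") from exc


def describe(stix_id):
    """Object type, UUID version, and whether the UUID was derived (v3/v5) or random (v4)."""
    obj_type, u = parse_stix_id(stix_id)
    return {"type": obj_type, "uuid_version": u.version,
            "deterministic": u.version in (3, 5)}


# Hypothetical namespace, for illustration only: OpenCTI uses its own fixed
# namespace and its own canonical form of the name, but the property shown
# here is the same: identical input always yields an identical UUIDv5.
DEMO_NAMESPACE = uuid.UUID("7c6f0a1e-2d4b-4c8e-9a3f-1b5d7e9f0a2c")


def deterministic_id(obj_type, name):
    """Build a type--uuid identifier whose UUID depends only on the normalised name."""
    key = json.dumps({"name": " ".join(name.split()).lower()}, sort_keys=True)
    return f"{obj_type}--{uuid.uuid5(DEMO_NAMESPACE, key)}"


if __name__ == "__main__":
    for sid in (STANDARD_ID, OTHER_ID):
        print(sid, describe(sid))
    print(deterministic_id("malware", "USBferry"))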
4. With the use of a USB, what technique did APT X use for initial access?
Open the ATT&CK Navigator (http://MACHINE_IP:4200) or the MITRE ATT&CK site (https://attack.mitre.org/, Matrices > Enterprise) and look at the Initial Access column. Initial Access groups the techniques adversaries use to get their first foothold in a network; on the ATT&CK tactic page, Ctrl+F for “removable” or “air-gapped” lands on the one the question wants.
The report says APT X reaches air-gapped networks (hosts with no network path from the internet) by carrying the USBferry installer in on a USB drive. That is T1091, Replication Through Removable Media: the adversary copies malware to removable media, typically with an autorun mechanism or a decoy file, so that it executes when the media is inserted into another system. ATT&CK lists T1091 under both Initial Access and Lateral Movement; the question asks about its Initial Access use.
Answer: Replication Through Removable Media
5. What is the identity of APT X?
In OpenCTI, search for USBferry again and open the malware entry.
Expand the Reports section of the entry.
It lists the Trend Micro report on Tropic Trooper from May 2020, the source of the APT X text above, in which the USBferry campaign is attributed to Tropic Trooper. The malware name, the air-gapped targeting and the victim profile all match, so APT X is Tropic Trooper.
Answer: Tropic Trooper
6. On OpenCTI, how many Attack Pattern techniques are associated with the APT?
In the OpenCTI search bar, type Tropic Trooper .
From the search results, select the Tropic Trooper entry (listed under the “Intrusion Set” entity).
This will open the detailed profile for Tropic Trooper.
Navigate to the Overview or Knowledge Tab: After selecting Tropic Trooper, you will be taken to the Overview section of the group.
On the left sidebar of the Tropic Trooper profile page, you can click on Knowledge (where you have the distribution of sources, relations, and associated entities).
The Knowledge view shows 39 Attack Patterns related to Tropic Trooper. Each is a distinct ATT&CK technique or sub-technique linked to the group by a relationship; a technique linked from several reports still counts once, and the figure reflects the data loaded into the room’s instance.
Answer: 39
7. What is the name of the tool linked to the APT?
On the Tropic Trooper page, open the Tools section under Knowledge. In OpenCTI, as in STIX, a Tool is a separate object type from Malware: legitimate software that the adversary abuses rather than code written to be malicious. That is why USBferry sits under Malware and only BITSAdmin appears under Tools.
BITSAdmin is the command-line client for the Windows Background Intelligent Transfer Service. Tropic Trooper (APT X) uses it to download and upload files; the transfers blend in with legitimate Windows update traffic and a BITS job can survive reboots (ATT&CK T1197, BITS Jobs).
Answer: BITSAdmin
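The counts in questions 6 and 7 are relationship counts: OpenCTI lists what the intrusion set is linked to, grouped by the target’s object type. The following is an added example, not OpenCTI’s code, that does the same over a STIX 2.1 bundle. The bundle is constructed for the illustration: USBferry’s ID is the one from its OpenCTI page, every other ID is made up, and the bundle deliberately includes a duplicated relationship, a technique linked only via the malware, and a dangling reference, which are the three cases that make naive counting wrong.

```python
"""Added example (not OpenCTI code): count what an intrusion set is linked to
in a STIX 2.1 bundle, grouped by target type. Bundle is constructed; only
USBferry's ID is copied from OpenCTI."""
from collections import defaultdict

TROPIC = "intrusion-set--aaaaaaaa-0000-4000-8000-000000000001"   # constructed
USBFERRY = "malware--5d0ea014-1ce9-5d5c-bcc7-f625a07907d0"      # from OpenCTI
BITSADMIN = "tool--aaaaaaaa-0000-4000-8000-000000000002"         # constructed
T1091 = "attack-pattern--aaaaaaaa-0000-4000-8000-000000000003"   # constructed
T1078_003 = "attack-pattern--aaaaaaaa-0000-4000-8000-000000000004"
T1119 = "attack-pattern--aaaaaaaa-0000-4000-8000-000000000005"


def attack_pattern(sid, external_id, name):
    return {"type": "attack-pattern", "id": sid, "name": name,
            "external_references": [{"source_name": "mitre-attack",
                                     "external_id": external_id}]}


def uses(n, source, target):
    return {"type": "relationship",
            "id": f"relationship--aaaaaaaa-0000-4000-8000-0000000001{n:02d}",
            "relationship_type": "uses", "source_ref": source, "target_ref": target}


BUNDLE = {"type": "bundle", "id": "bundle--aaaaaaaa-0000-4000-8000-0000000000ff",
          "objects": [
    {"type": "intrusion-set", "id": TROPIC, "name": "Tropic Trooper"},
    {"type": "malware", "id": USBFERRY, "name": "USBferry"},
    {"type": "tool", "id": BITSADMIN, "name": "BITSAdmin"},
    attack_pattern(T1091, "T1091", "Replication Through Removable Media"),
    attack_pattern(T1078_003, "T1078.003", "Local Accounts"),
    attack_pattern(T1119, "T1119", "Automated Collection"),
    uses(1, TROPIC, USBFERRY),
    uses(2, TROPIC, BITSADMIN),
    uses(3, TROPIC, T1091),
    uses(4, TROPIC, T1078_003),
    uses(5, TROPIC, T1078_003),   # same link reported twice (e.g. by two reports)
    uses(6, USBFERRY, T1119),     # linked to the malware, not directly to the group
    uses(7, TROPIC, "attack-pattern--aaaaaaaa-0000-4000-8000-0000000000ee"),  # dangling
]}


def _index(bundle):
    """id -> object for every non-relationship object in the bundle."""
    return {o["id"]: o for o in bundle["objects"] if o["type"] != "relationship"}


def linked_ids(bundle, source_id, relationship_type="uses"):
    """target type -> set of distinct target ids linked from source_id.
    Duplicate relationships count once; dangling target_refs are ignored."""
    by_id = _index(bundle)
    seen = defaultdict(set)
    for o in bundle["objects"]:
        if (o["type"] == "relationship"
                and o["relationship_type"] == relationship_type
                and o["source_ref"] == source_id
                and o["target_ref"] in by_id):
            seen[by_id[o["target_ref"]]["type"]].add(o["target_ref"])
    return seen


def linked_names(bundle, source_id):
    """Same grouping as OpenCTI's Knowledge tab: type -> sorted entity names."""
    by_id = _index(bundle)
    return {t: sorted(by_id[i]["name"] for i in ids)
            for t, ids in linked_ids(bundle, source_id).items()}


def attack_ids(bundle, source_id):
    """ATT&CK T-numbers of the attack patterns linked directly to source_id."""
    by_id = _index(bundle)
    out = []
    for sid in linked_ids(bundle, source_id).get("attack-pattern", ()):
        out.extend(r["external_id"]
                   for r in by_id[sid].get("external_references", [])
                   if r.get("source_name") == "mitre-attack")
    return sorted(out)


if __name__ == "__main__":
    for kind, names in linked_names(BUNDLE, TROPIC).items():
        print(f"{kind:16} {len(names):3}  {', '.join(names)}")
    print("ATT&CK:", attack_ids(BUNDLE, TROPIC))
```

Run against the constructed bundle, the group comes out with two attack patterns, one tool and one malware; Automated Collection shows up only when the same question is asked of USBferry. That is why the number on the group’s page and the number on its malware’s page differ, and why the answer to question 6 depends on which entity you were on when you counted.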
8. Load up the Navigator. What is the sub-technique used by the APT under Valid Accounts?
Open the ATT&CK Navigator at http://MACHINE_IP:4200, load the room’s layer and find Valid Accounts.
Valid Accounts (T1078) covers adversaries authenticating with legitimate credentials, whether stolen, guessed or shared, instead of exploiting a flaw. It has four sub-techniques (Default, Domain, Local and Cloud Accounts).
The one highlighted for APT X is Local Accounts (T1078.003): accounts that exist only on the individual host rather than in the domain.
Tropic Trooper abuses such accounts on compromised systems to keep access or to raise privileges, and because the logons are technically valid they look like ordinary user activity.
Answer: Local Accounts
9. Under what Tactics does the technique above fall? (Question Hint Order follows an attack kill chain)
The Valid Accounts technique (including the “Local Accounts” sub-technique) is versatile and can be employed across different stages of the attack kill chain. That’s why it can fall under Initial Access, Persistence, Privilege Escalation, and Defense Evasion tactics, depending on the stage of the attack.
Initial Access: Attackers may gain entry using weak or stolen local accounts.
Persistence: After gaining access, they use valid accounts to maintain continuous access.
Privilege Escalation: Attackers may escalate their privileges using valid local accounts with higher privileges.
Defense Evasion: Using local accounts helps adversaries blend in with legitimate activity, making detection harder.
Answer: Initial Access, Persistence, Privilege Escalation, Defense Evasion (in kill-chain order, as the hint asks)
10. What technique is the group known for using under the tactic Collection?
In the Navigator layer, the technique highlighted for Tropic Trooper (APT X) in the Collection column is Automated Collection (T1119).
- Automated Collection means scripts or tooling gather files matching chosen criteria (file types, paths, keywords) on a schedule or trigger, instead of an operator picking files by hand.
- For USBferry this is the step that copies defence- and ship-related documents from the isolated host onto the USB drive so they can be carried out; collection and exfiltration are separate tactics, and Automated Collection covers only the gathering.
Answer: Automated Collection
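Questions 8 to 10 turn on how the Navigator places one technique in several tactic columns. The following is an added example, not the room’s layer file, that builds a Navigator layer for the techniques identified in questions 4, 8, 9 and 10 with one entry per (technique, tactic) pair, sorted into kill-chain order, so Valid Accounts: Local Accounts lights up in all four of its columns. Layer field names follow the Navigator layer format; the version numbers in the `versions` block are an assumption and can be left for the Navigator to upgrade on import.

```python
"""Added example (not the room's layer): generate an ATT&CK Navigator layer
for the techniques found in questions 4 and 8-10. Field names follow the
Navigator layer format; the version numbers are assumed."""
import json

# ATT&CK Enterprise tactics in matrix (kill-chain) order, by shortname
KILL_CHAIN = [
    "reconnaissance", "resource-development", "initial-access", "execution",
    "persistence", "privilege-escalation", "defense-evasion", "credential-access",
    "discovery", "lateral-movement", "collection", "command-and-control",
    "exfiltration", "impact",
]

# Technique ID -> (label, tactics it is listed under in ATT&CK Enterprise).
# Tactics deliberately in the order attack.mitre.org prints them, not kill-chain order.
TECHNIQUES = {
    "T1091": ("Replication Through Removable Media",
              ["initial-access", "lateral-movement"]),
    "T1078.003": ("Valid Accounts: Local Accounts",
                  ["defense-evasion", "persistence", "privilege-escalation", "initial-access"]),
    "T1119": ("Automated Collection", ["collection"]),
}


def kill_chain_order(tactics):
    """Sort tactic shortnames into matrix order; reject names that are not tactics."""
    unknown = [t for t in tactics if t not in KILL_CHAIN]
    if unknown:
        raise ValueError(f"not an Enterprise tactic: {unknown}")
    return sorted(tactics, key=KILL_CHAIN.index)


def build_layer(name, techniques, color="#ff6666"):
    """One layer entry per (technique, tactic) pair, so a multi-tactic technique
    is highlighted in every column it belongs to."""
    entries = []
    for tid, (label, tactics) in techniques.items():
        for tactic in kill_chain_order(tactics):
            entries.append({"techniqueID": tid, "tactic": tactic, "color": color,
                            "comment": label, "enabled": True,
                            "showSubtechniques": True})
    return {
        "name": name,
        "versions": {"attack": "14", "navigator": "4.9.1", "layer": "4.5"},  # assumed
        "domain": "enterprise-attack",
        "description": "Techniques attributed to Tropic Trooper in the Trooper room",
        "techniques": entries,
    }


def tactics_for(layer, technique_id):
    """Tactic columns in which the layer highlights technique_id, in layer order."""
    return [e["tactic"] for e in layer["techniques"] if e["techniqueID"] == technique_id]


if __name__ == "__main__":
    layer = build_layer("Tropic Trooper (APT X)", TECHNIQUES)
    with open("tropic_trooper_layer.json", "w") as fh:
        json.dump(layer, fh, indent=2)
    print("T1078.003 tactics:", tactics_for(layer, "T1078.003"))
```

Open the written JSON in the Navigator with Open Existing Layer > Upload from local; the `tactic` field is what stops the Navigator from colouring only the first column a technique appears in, which is the mistake that produces a three-tactic answer to question 9.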
Summary
The Trooper — SOC Level 1 challenge on TryHackMe focuses on identifying the tactics, techniques, and procedures (TTPs) used by a cyber threat group called APT X, also known as Tropic Trooper. This group has been actively targeting various organizations, including government, military, and high-tech industries, with a focus on stealing sensitive information.
Key Tasks and Learning:
1. Identifying the threat: You are tasked with identifying APT X by analysing a report describing their attack methods. The report details how they used USBferry, a USB-borne malware, to reach air-gapped networks (systems with no network path from the internet). The group typically uses spear-phishing emails to gain initial access.
2. Using Cyber Threat Intelligence (CTI) tools: The challenge requires the OpenCTI and MITRE ATT&CK Navigator platforms. These tools let you look up malware, follow relationships to the group that uses it, and map the techniques used by APT X. You search for specific entities, like USBferry, and gather information about the group’s activities and motivations.
3. Understanding tactics and techniques: In ATT&CK terms, APT X uses Replication Through Removable Media (T1091) to get USBferry onto hosts that have no network connection, so the controls that watch network traffic (proxies, firewalls, IDS) never see the implant arrive or the stolen documents leave; both travel on the USB drive. Automated Collection and Valid Accounts (Local Accounts) round out the chain.
4. Finding the malware’s STIX ID: You locate the STIX ID of USBferry in OpenCTI, the identifier by which other platforms and feeds reference the same malware.
5. Using the MITRE ATT&CK Navigator: You map how APT X’s USB-based access, valid-account use and collection fall under the ATT&CK tactics, including one technique spanning four tactics.
How to Defend Against APT X (Tropic Trooper) and Similar Cyber Threats:
When it comes to defending against advanced cyber threats like APT X (Tropic Trooper), the focus should be on creating multiple layers of defense that can prevent, detect, and respond to attacks. These groups use sophisticated techniques such as USB malware and spear-phishing to bypass security systems. Here’s how you can protect your organization from such threats:
1. Preventing Initial Access: Spear-Phishing Protection: Spear-phishing is when attackers send targeted emails with malicious attachments to trick users into opening them. To prevent this, train employees to recognize suspicious emails, avoid clicking on unknown links, and never open unexpected attachments.
Use email filtering systems that automatically detect and block phishing attempts.
USB Device Control: Since APT X uses USBferry to infect systems via USB devices, restrict removable storage. Block removable storage classes by policy on machines that do not need them, allow-list specific device IDs where they are required, and log every mount. Where files must cross into an isolated network, route them through a dedicated scanning host rather than a user’s workstation, since the report shows the group staging through a less protected neighbour (a military hospital) to reach the isolated network.
Endpoint protection with device-control features can enforce the same allow-list on the host.
2. Improving Network Security:
Air-Gapped Network Protection: Air-gapped networks, which are isolated from the internet, can still be vulnerable if attackers gain access via a compromised USB. Ensure these networks have strong physical security and restrict access to only trusted personnel.
Regularly audit and monitor USB devices used within air-gapped networks and implement strict access controls to prevent unauthorized devices from connecting.
Use of Strong Passwords and Multi-Factor Authentication (MFA):
APT X uses valid accounts to gain access to systems. Enforce strong password policies and require multi-factor authentication (MFA) to ensure that even if attackers steal credentials, they cannot access systems without a second form of verification.
3. Detecting Suspicious Activities:
Network Monitoring: Use Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS) to monitor for unusual activity on the network. These systems can help detect data exfiltration or suspicious communication with external servers.
Endpoint Detection and Response (EDR): Install EDR tools that monitor and respond to suspicious behaviors on endpoints (computers, servers, etc.). This can help detect malware like USBferry that attempts to run on compromised systems.
User Behavior Analytics (UBA): User Behavior Analytics tools can help detect when a user is acting outside of their normal behavior, such as accessing sensitive data without proper clearance. This can help identify potential breaches before they escalate.
4. Responding to Attacks:
Incident Response Plan: Have a well-defined incident response plan in place that includes steps for detecting, containing, and mitigating attacks. This plan should include processes for dealing with malware infections, such as isolating infected machines and analyzing compromised systems to understand the attack method.
Threat Intelligence Sharing: Stay connected with other organizations and share information about threats. Use platforms like OpenCTI to stay informed about the latest threats and vulnerabilities being used by cybercriminal groups like APT X. This allows you to proactively update your defenses.
Regular System Patching: Ensure that all software, operating systems, and firmware are regularly updated with the latest patches. Attackers often exploit known vulnerabilities, so keeping your systems up-to-date is one of the best defenses.
5. Ongoing Education and Awareness:
Employee Training: The human factor is often the weakest link in security. Conduct regular training to raise awareness about social engineering tactics (such as phishing), the risks of using USB devices, and how to recognize suspicious activities.
Test employees with simulated phishing attacks to ensure they can recognize threats.
Reflection and Thought: This challenge is an excellent introduction to understanding the world of Cyber Threat Intelligence and SOC analysis. By using real-world tools and frameworks like MITRE ATT&CK and OpenCTI, it shows how cybersecurity professionals identify and track malicious groups. For anyone just starting out in this field, the ability to break down and analyze the TTPs of threat actors is a critical skill.
The most valuable takeaway is the importance of using well-established frameworks and intelligence tools to analyze threats. As you progress in your career, these skills will become crucial when protecting networks and organizations from sophisticated adversaries. Understanding the attackers’ methods is half the battle — the other half is building strong defenses to mitigate their impact.
Final Thought
Cybersecurity isn’t just about blocking attacks, it’s about understanding the mindset of attackers. Once you understand how they think and operate, you can build smarter defenses.
Keep learning and practicing, and you’ll be prepared to tackle real-world cyber threats!