Critical Infrastructure Security , Cybercrime , Cybercrime as-a-service

Chinese APT Rebrands to Target Transportation Sector

Group Now Called Earth Centaur Tries to Access Flight Schedules
Chinese APT Rebrands to Target Transportation Sector

The Chinese state-sponsored threat group Tropic Trooper, or KeyBoy, has resurfaced as Earth Centaur and is targeting the transportation industry and government agencies associated with that sector, according to new research from cybersecurity firm Trend Micro.

See Also: Webinar | Everything You Can Do to Fight Social Engineering and Phishing

The researchers were able to link Earth Centaur to Tropic Trooper by identifying several shared techniques used and code reuse in the tools deployed post exploitation.

Researchers from Trend Micro says they have evidence that Earth Centaur is using red-teaming techniques to penetrate the security periphery of its targets and has attempted to access internal documents of targeted organizations, including transportation-related data such as flight schedules and financial plans, as well as personal information, including search histories.

In addition to changing its name, the researchers say, the group has added several new tools and techniques. One is the use of an open-source framework that allows customization of backdoors depending on the target's security settings.

The activity, which Trend Micro first observed in July 2020, has been ongoing ever since, according to the researchers, who say, "Currently, we have not discovered substantial damage to these victims as caused by the threat group. However, we believe that it will continue collecting internal information from the compromised victims and that it is simply waiting for an opportunity to use this data."

Modus Operandi

Trend Micro's researchers split the entire infection chain into four parts: entry point, first stage, second stage and post-exploitation.

Earth Centaur's modus operandi (Source: Trend Micro)

Entry Point

Earth Centaur can bypass network security by using common protocols to transfer data during its cyberespionage campaign, according to Trend Micro's researchers. The initial entry point is through vulnerable internet information services - or IIS - server and Exchange Server vulnerabilities, which include exploitation of the infamous ProxyLogon vulnerabilities, the researchers say.

First Stage

After initial entry, in the first stage of infiltration, a loader called Nerapack and an encrypted [.]bin payload file are loaded through the malicious web shell, the researchers say. Two different decryption algorithms - DES or AES - are used in the Nerapack loader, which then decrypts the payload, they say.

The researchers were able to successfully decrypt this payload and found it to be Quasar RAT. "After the payload is deployed, the actors can continue further malicious actions through Quasar RAT," the researchers say.

In 2018, the U.S. Cybersecurity and Infrastructure Security Agency said it was aware of Quasar RAT being exploited, especially by APT groups for cybercrime and cyberespionage campaigns, since it is a publicly available open-source project and thus allows broad customization options to adversaries.

Second Stage

Deeper analysis of the malware code suggests that the threat group developed multiple backdoors capable of communication via common network protocols, according to the researchers. Using common protocols helps the attackers bypass network security systems, they say.

"We found that the group tries to launch various backdoors per victim. Furthermore, it also tends to use existing frameworks to make customized backdoors. By using existing frameworks it builds new backdoor variants more efficiently."

Notable backdoors found by the researchers include ChiserClient, HTShell, Customized Lilith RAT, SmileSvr - which has two variants based on the protocol used for communication: ICMP and SSL - and Customized Gh0st RAT. Each backdoor specializes in a particular function ranging from file upload and download to checking environment and active session information.


In this stage, the threat actor, after establishing successful infiltration, uses several tools including SharpHound, FRPC, Chisel, and RClone, for network discovery, access to the intranet, and exfiltration in step-by-step manner.

Of these, the "FRP is a fast-reverse proxy used to expose a local server behind an NAT or a firewall to the internet, and Chisel is a fast TCP/UDP tunnel, which is mainly used for passing through firewalls," the researchers say. The RClone tool in particular raises concerns because, based on the researchers' previous study, it has frequently been used in ransomware attacks for data exfiltration.

Earth Centaur also used credential dumping and cleanup tools in the current campaign to cover its tracks on the victim's system.

Targeting the Transportation Industry

Last week, Information Security Media Group reported that an Iranian state-sponsored threat group targeting an Asian airline's system to access the airline's passenger reservations data (see: Iranian Threat Actor Uses Slack API to Target Asian Airline).

James McQuiggan, security awareness advocate at KnowBe4, says the reason for the uptick in targeting of the transportation and logistics industry may be that access credentials such as usernames and passwords, intellectual property, customer records or even employee records are always a lucrative model for cybercriminals. "The larger the group, the bigger the business model they will have to do one thing: make money," McQuiggan says.

"Various cybercriminal groups have expertise in multiple industries. They target them specifically because of the working knowledge they have or learned over the years. There is also the possibility they may have worked in that industry and know that specific industries have security weaknesses that can be exploited."

Alan Calder, CEO of GRC International Group, calls Earth Centaur "a sophisticated and well-resourced attacker," based on the TTPs used by the actor in the current campaign. He also says the transportation and logistics sector is a target for both general extortion and nation-state bad actors that are interested in disrupting other countries because the sector plays a critical role in global supply chains.

Calder tells ISMG that the sector has "undergone huge digitization shifts over the past couple of years" and has seen "increased deployment of operational technology systems," creating "more connections to customers, suppliers and the general ecosystem – and all of this operates with very immature cybersecurity processes."

Because cybersecurity in this sector is not heavily regulated, he says, organizations are under-skilled and under-aware of the threats.

McQuiggan tells ISMG that another reason behind the keen interest of APT groups in the transportation sector in the recent past could be the bipartisan infrastructure deal - the Infrastructure Investment and Jobs Act - passed by the U.S. Congress in November. The deal contains $39 billion to modernize transit, $89.9 billion for public transit, $25 billion for airports, $66 billion in rail funding, and $7.5 billion to build a national network of electric vehicle chargers.

"Knowing that an infrastructure bill [was] on the horizon, they could [have been] working to gain persistence or a foothold within the various organizations for future exploits. They will gain access and maintain access for some time, quietly stealing information," McQuiggan says.

About the Author

Mihir Bagwe

Mihir Bagwe

Principal Correspondent, Global News Desk, ISMG

Bagwe previously worked at CISO magazine, reporting the latest cybersecurity news and trends and interviewing cybersecurity subject matter experts.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.