Chinese threat group Tropic Trooper has launched a new campaign leveraging the novel Nimbda malware loader and a new variant of the Yahoyah trojan, BleepingComputer reports.
Attackers begin the infection with a trojanized version of the SMS Bomber greyware tool, into which the Nimbda malware loader is bundled, according to a Check Point report. Downloading the tool eventually leads to the retrieval of the new Yahoyah variant, which collects local wireless network SSIDs, computer names, OS versions, MAC addresses, installed antivirus software, and WeChat and Tencent files, and sends them to the command-and-control server. The report also noted a final payload, dubbed "TClient", being deployed by the Yahoyah executable.
Researchers also found that Yahoyah's encryption uses a custom, modified implementation of AES, which complicated analysis of the sample.
"Getting an analyst to go through that entire rigmarole is a cruel and effective feat, especially for the meager cost on the malware author's side. They just need the knowledge and self-confidence to mess with the crypto in a way that will not render it nonoperational," said Check Point.
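The analysis friction described above comes from the fact that crypto-constant scanners look for an exact copy of the AES S-box, so a table with a few altered entries goes unrecognized. The following is an added example, not code from the Check Point report or the article: it regenerates the standard AES S-box from the GF(2^8) definition and scans a byte blob for the best near-match, reporting the offset and exactly which entries differ. The sample blob, the swap of entries 0x5A and 0xA5 as a stand-in for a "custom AES" tweak, and the 200-match threshold are all assumptions constructed for this example; nothing here reflects how Yahoyah actually modifies AES.

```python
"""Tolerant scan for the AES forward S-box in a byte blob.

Added example: off-the-shelf crypto finders match the S-box exactly, so a few
modified entries make AES "disappear". Reporting the best near-match plus the
differing entries gives an analyst a fast way to spot tampered crypto tables.
The sample blob and the specific tweak below are constructed, not real malware.
"""
import random


def _gf_mul(a: int, b: int) -> int:
    """Multiply in GF(2^8) modulo the AES polynomial x^8 + x^4 + x^3 + x + 1."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a & 0x100:
            a ^= 0x11B
        b >>= 1
    return r & 0xFF


def _gf_inv(a: int) -> int:
    """Multiplicative inverse in GF(2^8); a^254 == a^-1, and inv(0) is defined as 0."""
    if a == 0:
        return 0
    r, base, e = 1, a, 254
    while e:
        if e & 1:
            r = _gf_mul(r, base)
        base = _gf_mul(base, base)
        e >>= 1
    return r


def aes_sbox() -> bytes:
    """Standard AES S-box: affine transform of the GF(2^8) inverse (FIPS-197)."""
    box = []
    for x in range(256):
        inv = _gf_inv(x)
        s = inv
        for _ in range(4):  # s = inv ^ rotl1 ^ rotl2 ^ rotl3 ^ rotl4 ^ 0x63
            inv = ((inv << 1) | (inv >> 7)) & 0xFF
            s ^= inv
        box.append(s ^ 0x63)
    return bytes(box)


STANDARD_SBOX = aes_sbox()


def scan_for_sbox(blob: bytes, min_match: int = 200):
    """Find the 256-byte window most similar to the AES S-box.

    Returns (offset, matching_entries, diffs) where diffs is a list of
    (index, found_byte, expected_byte); returns None if no window reaches
    min_match (the threshold is an assumption chosen for this example).
    """
    best = None
    for off in range(len(blob) - 255):
        window = blob[off:off + 256]
        matches = sum(1 for a, b in zip(window, STANDARD_SBOX) if a == b)
        if best is None or matches > best[1]:
            best = (off, matches, window)
    if best is None or best[1] < min_match:
        return None
    off, matches, window = best
    diffs = [(i, window[i], STANDARD_SBOX[i])
             for i in range(256) if window[i] != STANDARD_SBOX[i]]
    return off, matches, diffs


def build_sample(modified: bool) -> bytes:
    """Constructed sample: random filler around an S-box at offset 0x400.

    With modified=True two entries are swapped, a hypothetical stand-in for a
    'custom AES' tweak; the table still looks like AES but exact matching fails.
    """
    rng = random.Random(2022)

    def filler(n: int) -> bytes:
        return bytes(rng.getrandbits(8) for _ in range(n))

    table = bytearray(STANDARD_SBOX)
    if modified:
        table[0x5A], table[0xA5] = table[0xA5], table[0x5A]
    return filler(0x400) + bytes(table) + filler(0x200)


if __name__ == "__main__":
    for label, blob in (("standard", build_sample(False)), ("modified", build_sample(True))):
        hit = scan_for_sbox(blob)
        print(f"{label}: offset=0x{hit[0]:x} matches={hit[1]}/256 diffs={hit[2]}")
```

Run as a script, the standard table reports 256/256 with no diffs, while the tweaked one still matches at 254/256 and lists the two swapped indices, which is the cue to rebuild the decryptor with the recovered table rather than trusting a library AES. The same tolerant comparison can be applied to the inverse S-box or the round-constant table.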