Crowdoor Backdoor is a Dangerous Threat Targeting Human Rights Studies
A cyber campaign orchestrated by the Tropic Trooper hacker group has been making waves, especially with its focus on government entities in the Middle East and Malaysia. Tropic Trooper, active since 2011 and known for targeting critical sectors such as healthcare and high-tech industries, has now set its sights on institutions involved in human rights studies. These attacks highlight the group's persistent threat, particularly with the deployment of the Crowdoor backdoor, a variant of the previously known SparrowDoor malware.
Kaspersky first detected this latest wave of attacks in June 2024, discovering the China Chopper web shell on compromised servers running the Umbraco CMS platform. The attackers exploited known vulnerabilities in web applications like Adobe ColdFusion and Microsoft Exchange Server to deliver this backdoor.
Table of Contents
What is Crowdoor Backdoor?
Crowdoor is a sophisticated malware implant used by Tropic Trooper to infiltrate targeted systems. First observed in June 2023, this backdoor functions primarily as a loader, dropping the infamous Cobalt Strike tool to maintain persistence. Crowdoor allows attackers to:
- Harvest sensitive information
- Launch a reverse shell to maintain control
- Erase traces of other malware files
- Terminate itself to evade detection
Tropic Trooper uses various techniques such as DLL side-loading, defense evasion, and lateral movement to maximize the malware's impact. Its presence in governmental entities focused on human rights studies signals a severe cybersecurity threat that demands immediate attention.
How to Remove Crowdoor Backdoor
If you suspect that your system has been infected by the Crowdoor backdoor, taking swift action is crucial to prevent further damage. Here’s a step-by-step guide on how to detect and remove the malware:
1. Isolate the Infected System
Immediately disconnect the compromised system from the network. This action prevents the malware from communicating with its command-and-control server or spreading to other systems within the network.
2. Run a Comprehensive Malware Scan
Utilize trusted anti-malware programs to scan the infected system. Some of the best tools for detecting and removing advanced threats like Crowdoor include:
- Malwarebytes
- ESET Internet Security
- Bitdefender Total Security
These tools should be updated regularly to detect newer malware variants.
3. Inspect for Suspicious DLL Files
Crowdoor often uses DLL side-loading techniques to evade detection. Investigate for any suspicious or unauthorized DLL files, especially in directories associated with legitimate software installations.
4. Check for Cobalt Strike Beacons
Since Crowdoor drops Cobalt Strike, it's essential to monitor the system for Cobalt Strike beacons. Security tools like Wireshark or Zeek can be useful in identifying beacon activity that communicates with the attacker’s infrastructure.
5. Remove Malicious Entries
Manually review registry entries, startup programs, and scheduled tasks that may have been altered to maintain persistence. Remove any suspicious entries to ensure Crowdoor does not reinfect the system upon reboot.
6. Apply Security Patches
The Crowdoor backdoor is typically delivered by exploiting known vulnerabilities in web applications like Adobe ColdFusion and Microsoft Exchange Server. Apply the latest security patches (such as CVE-2023-26360 and CVE-2021-34473) to prevent further exploitation.
7. Reinstall the Operating System
In cases where the infection is deeply rooted, a full OS reinstallation may be necessary. Be sure to back up important files (after they’ve been scanned for malware) and reinstall the system to ensure no traces of the Crowdoor backdoor remain.
Stay Protected
Crowdoor is part of a larger threat landscape where Chinese-speaking threat actors continue to exploit vulnerabilities in content management systems, targeting sensitive areas like human rights research. To protect your system, ensure regular updates to all software, enable firewalls, and deploy advanced threat detection solutions. By following these guidelines, you can minimize the risk of falling victim to sophisticated malware attacks like Crowdoor.
