TryHackMe: Trooper Walkthrough (SOC Level 1)

January 21, 2025 Jasper
Welcome to this walkthrough of the Trooper Room on TryHackMe.

If you have been going through the SOC Level 1 Path like me, we have just covered a ton of Threat Intelligence theory and tools, followed by the fun Friday Overtime challenge. Now it is time for another challenge in which we have to use our Cyber Threat Intelligence knowledge and skills to identify a threat based on a report. In this room we will be using a threat advisory report, the MITRE ATT&CK Navigator, and we also finally get to use the OpenCTI platform.

Trooper Room Banner

Room URL: https://tryhackme.com/r/room/trooper

This room is part of the SOC Level 1 Path.

I am making these walkthroughs to keep myself motivated to learn cyber security, and ensure that I remember the knowledge gained by these challenges on HTB and THM.
Join me on learning cyber security. I will try and explain concepts as I go, to differentiate myself from other walkthroughs.

Now, let’s move on!


Task 1: Who’s The Threat?

We will start by reading the introduction on the room page:

A multinational technology company has been the target of several cyber attacks in the past few months. The attackers have been successful in stealing sensitive intellectual property and causing disruptions to the company’s operations. A threat advisory report about similar attacks has been shared, and as a CTI analyst, your task is to identify the Tactics, Techniques, and Procedures (TTPs) being used by the Threat group and gather as much information as possible about their identity and motive. For this task, you will utilise the OpenCTI platform as well as the MITRE ATT&CK navigator, linked to the details below. 

Start the virtual machine by clicking on the green “Start Machine” button on the upper right section of this task. Give it about 7 minutes to fully load and use the credentials below to access the platforms via the AttackBox or VPN to conduct your investigations.

Let’s get started! Start up the machine as soon as possible, as it will take some time to start up. While we wait have a look at the report.

Threat advisory report

https://assets.tryhackme.com/additional/trooper-cti/APT_X_USBFerry.pdf

Here is a summary of the report, but I recommend you to read the whole report once or twice:

APT X is a threat actor group that has been active since 2011, targeting government, military, healthcare, transportation, and high-tech sectors in Taiwan, the Philippines, and Hong Kong. Motivated by information theft and espionage, the group has evolved its tactics, using spear-phishing emails, weaponized attachments, and mobile surveillanceware. Recently, APT X has focused on targeting air-gapped networks, particularly within the Taiwanese and Philippine military, through a USB malware known as USBferry. This malware is used to stealthily exfiltrate critical data from isolated networks.

The USBferry malware has multiple versions, and it operates by using a USB worm infection strategy to ferry malware into air-gapped systems. The malware starts by dropping a decoy file that loads the USBferry installer onto the infected machine via USB. The malware then installs itself, injects a malicious DLL into rundll32.exe, and attempts to connect to a command-and-control server to exfiltrate data. The group primarily targets defense and ship-related documents, suggesting that their main goal is to steal sensitive intelligence.

APT X has also been seen exploiting insecure related organizations as entry points, moving from military hospitals to isolated military networks. USBferry attacks have been active since 2014, with the group continually adapting its strategies to maintain stealth and evade detection.

We should now be ready to start answering some questions.

Questions

What kind of phishing campaign does APT X use as part of their TTPs?

This is found in one of the first lines of the report:

APT X, a threat actor group that targets government, military, healthcare, transportation, and high-tech industries in Taiwan, the Philippines, and Hong Kong, has been active since 2011. The group was reportedly using spear-phishing emails with weaponized attachments to exploit known vulnerabilities.

So the answer is spear-phishing, which is a type of phishing campaign that targets a specific person or group and often will include information known to be of interest to the target, such as current events or financial documents.

Answer: spear-phishing emails

What is the name of the malware used by APT X?

Another easy one. If you read on, you will find the section on APT X’s latest malware attack:

We found that APT X’s latest activities center on targeting Taiwanese and the Philippine military’s physically isolated networks through a USBferry attack (the name derived from a sample found in a related research). We also observed targets among military/navy agencies, government institutions, military hospitals, and even a national bank. The group employs USBferry, a USB malware that performs different commands on specific targets, maintains stealth in environments, and steals critical data through USB storage.

So the answer is USBferry.

Answer: USBferry

What is the malware’s STIX ID?

I have to be honest, I forgot what STIX was. But it was very briefly covered in Task 4 of the Intro to Cyber Threat Intel room, for which I also have a walkthrough: TryHackMe: Intro to Cyber Threat Intel Walkthrough (SOC Level 1)

To remind you all:

STIX (Structured Threat Information Expression) is used in Cyber Threat Intelligence (CTI) to standardize the representation, sharing, and analysis of threat data across organizations. It enables interoperability and improves the efficiency of detecting, preventing, and responding to cyber threats. STIX allows organizations to quickly share detailed, actionable threat information, like malware indicators or attack patterns, in a common format. Think of it like a common language or protocol for sharing detailed information about cyber threats. It ensures that the data—such as attack techniques, indicators, or impacted systems—can be easily understood and acted upon by different tools, teams, and organizations, regardless of the specific tools they use.

Anyway, visit the OpenCTI Dashboard at http://<target ip>:8080. You will be met by a dashboard; let’s try searching for USBferry through the top-right search field:

OpenCTI Dashboard

We get three results:

USBferry results

Any of the entries will give the answer but go ahead and select the bottom one (entity).

USBferry STIX ID

In the top left corner you will see the STIX ID.

Answer: malware--5d0ea014-1ce9-5d5c-bcc7-f625a07907d0

With the use of a USB, what technique did APT X use for initial access?

There are at least two different ways to find the answer.

On the page we just found you can see the external references section:

OpenCTI External References

This link brings us to the ATT&CK page on the USBferry software:
https://attack.mitre.org/software/S0452/

Here you can see all techniques in which the software is used. One of the techniques is Replication Through Removable Media, which sounds like the right answer!

You can read more on the technique here:

Alternatively, you can look at the Knowledge tab of the OpenCTI page on USBferry. Here we can see the ATT&CK Matrix:

OpenCTI ATT&CK Matrix

Here the correct technique is highlighted under Lateral Movement.

Replication through removable media

Answer: Replication Through Removable Media

What is the identity of APT X?

This is an easy one, as we have already come across the answer. On a previous screenshot, on the USBferry malware detail page, you can see that the identity of APT X is Tropic Trooper, an unaffiliated threat group that has led targeted campaigns against targets in Taiwan, the Philippines, and Hong Kong.

USBferry STIX ID

Answer: Tropic Trooper

On OpenCTI, how many Attack Pattern techniques are associated with the APT?

Note: an APT is basically the same as an Intrusion Set on OpenCTI.

Search for Tropic Trooper on OpenCTI and you will get to the following page:

http://<ip>:8080/dashboard/threats/intrusion_sets/d339751b-accf-4967-95c8-9e6bcf5b7315

Tropic Trooper Intrusion Set

Now, go to the Knowledge tab and you will see the relationships the Intrusion Set (APT) has to other entities, among which 39 Attack Patterns.

Tropic Trooper Relations Distribution

Answer: 39

What is the name of the tool linked to the APT?

Continue where we were. Just click on Tools on the side menu. Here it will list one tool: BITSAdmin.

Tropic Trooper Tools: BITSAdmin

Answer: BITSAdmin

Load up the Navigator. What is the sub-technique used by the APT under Valid Accounts?

Now open up the ATT&CK Navigator, likely at the same IP address as OpenCTI, but running on a different port.

Here we are at the familiar ATT&CK Matrix:

ATT&CK Matrix

Now, the question refers to Valid Accounts. I had trouble finding it as it was not highlighted in red. I have highlighted it with green on the above screenshot. Now, if you press on the right side of the Valid Accounts technique the sub-techniques become visible.

Valid Accounts sub-techniques

The answer is local accounts.

Answer: local accounts

Under what Tactics does the technique above fall?

This question sounds a bit tricky, but it is actually not too bad. There are four different columns (tactics) in which the Valid Accounts technique is used. We just have to write down the different tactics (column names) in which Valid Accounts exists. We do this in order from left to right. The right order is Initial Access, Persistence, Defense Evasion and Privilege Escalation.

Answer: Initial Access, Persistence, Defense Evasion and Privilege Escalation

What technique is the group known for using under the tactic Collection?

Another quick question. Find the Collection column (tactic) and find the highlighted technique.

Technique used under Collection Tactic

Answer: Automated Collection
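The STIX explanation earlier and the OpenCTI and Navigator questions just answered (the relations distribution of an Intrusion Set, the tool linked to it, the tactics a technique falls under, the technique highlighted under Collection) are all questions about STIX 2.1 objects and the "uses" relationships between them. As an added example, not part of the original walkthrough and not OpenCTI's or TryHackMe's code, here is a small Python script that builds a constructed STIX 2.1 bundle and answers the same kinds of questions offline. The USBferry ID is the one shown on the OpenCTI page; every other UUID is a made-up placeholder, the bundle contents are constructed, and T1091, T1078.003 and T1119 are the real ATT&CK IDs of the three techniques discussed above.

```python
"""
Answer OpenCTI-style questions offline against a STIX 2.1 bundle: validate
STIX IDs, count the attack patterns an intrusion set uses, list its tools and
read a technique's tactics from its kill-chain phases. Added example with a
constructed bundle; this is not OpenCTI code.
"""
import json
import re
from collections import Counter

# STIX 2.1 identifiers are "<type>--<UUID>". The separator is two ASCII
# hyphens; a copy-pasted en dash ("malware–5d0e...") is not a valid ID.
STIX_ID_RE = re.compile(
    r"^[a-z][a-z0-9-]*[a-z0-9]--"
    r"[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$"
)

GROUP_ID = "intrusion-set--00000000-0000-4000-8000-0000000000a1"  # placeholder UUID
USBFERRY_ID = "malware--5d0ea014-1ce9-5d5c-bcc7-f625a07907d0"       # ID shown in OpenCTI
TOOL_ID = "tool--00000000-0000-4000-8000-0000000000b1"             # placeholder UUID


def attack_pattern(suffix, name, ext_id, phases, sub=False):
    """Build a minimal ATT&CK-style attack-pattern object (placeholder UUID)."""
    obj = {
        "type": "attack-pattern",
        "id": f"attack-pattern--00000000-0000-4000-8000-0000000000{suffix}",
        "name": name,
        "external_references": [{"source_name": "mitre-attack", "external_id": ext_id}],
        "kill_chain_phases": [{"kill_chain_name": "mitre-attack", "phase_name": p} for p in phases],
    }
    if sub:
        obj["x_mitre_is_subtechnique"] = True
    return obj


# Constructed sample bundle: one group that "uses" one malware, one tool and
# the three techniques the walkthrough's questions are about.
SAMPLE_OBJECTS = [
    {"type": "intrusion-set", "id": GROUP_ID, "name": "Tropic Trooper", "aliases": ["APT X"]},
    {"type": "malware", "id": USBFERRY_ID, "name": "USBferry", "is_family": True},
    {"type": "tool", "id": TOOL_ID, "name": "BITSAdmin"},
    attack_pattern("c1", "Replication Through Removable Media", "T1091",
                   ["initial-access", "lateral-movement"]),
    attack_pattern("c2", "Local Accounts", "T1078.003",
                   ["initial-access", "persistence", "defense-evasion", "privilege-escalation"],
                   sub=True),
    attack_pattern("c3", "Automated Collection", "T1119", ["collection"]),
]
SAMPLE_OBJECTS += [
    {"type": "relationship", "id": f"relationship--00000000-0000-4000-8000-0000000000d{i}",
     "relationship_type": "uses", "source_ref": GROUP_ID, "target_ref": target["id"]}
    for i, target in enumerate(SAMPLE_OBJECTS[1:])
]
SAMPLE_BUNDLE = json.dumps({"type": "bundle",
                            "id": "bundle--00000000-0000-4000-8000-0000000000e1",
                            "objects": SAMPLE_OBJECTS})


def is_valid_stix_id(stix_id):
    """True for a well-formed STIX 2.1 identifier."""
    return STIX_ID_RE.match(stix_id) is not None


def load_bundle(text):
    """Index bundle objects by ID, rejecting malformed IDs up front."""
    objects = {}
    for obj in json.loads(text)["objects"]:
        if not is_valid_stix_id(obj["id"]):
            raise ValueError(f"malformed STIX ID: {obj['id']!r}")
        objects[obj["id"]] = obj
    return objects


def related(objects, source_id, rel_type="uses"):
    """Targets reachable from source_id through relationships of rel_type."""
    return [objects[r["target_ref"]] for r in objects.values()
            if r["type"] == "relationship" and r["relationship_type"] == rel_type
            and r["source_ref"] == source_id and r["target_ref"] in objects]


def relations_distribution(objects, source_id):
    """Counts per target type, like the distribution widget on OpenCTI's Knowledge tab."""
    return dict(Counter(o["type"] for o in related(objects, source_id)))


def tactics_of(technique):
    """Tactic names (the Navigator column headers) from the ATT&CK kill-chain phases."""
    return [p["phase_name"].replace("-", " ").title()
            for p in technique.get("kill_chain_phases", [])
            if p["kill_chain_name"] == "mitre-attack"]


def techniques_under_tactic(objects, source_id, tactic):
    """Names of the techniques source_id uses that sit in the given tactic column."""
    return [t["name"] for t in related(objects, source_id)
            if t["type"] == "attack-pattern" and tactic in tactics_of(t)]


def find_by_name(objects, stix_type, name):
    """First object of stix_type with that name, or None."""
    return next((o for o in objects.values()
                 if o["type"] == stix_type and o.get("name") == name), None)


if __name__ == "__main__":
    objs = load_bundle(SAMPLE_BUNDLE)
    print("relations distribution:", relations_distribution(objs, GROUP_ID))
    print("tools:", [t["name"] for t in related(objs, GROUP_ID) if t["type"] == "tool"])
    print("Local Accounts tactics:", tactics_of(find_by_name(objs, "attack-pattern", "Local Accounts")))
    print("under Collection:", techniques_under_tactic(objs, GROUP_ID, "Collection"))
```

The ID check is the part worth remembering when you copy answers out of a dashboard or a blog: a STIX ID is `type--uuid` with two ASCII hyphens, and an en dash or a stray space silently produces a string no STIX-aware tool will resolve. The tactics come straight from the object's `kill_chain_phases`, which is exactly why one technique such as Valid Accounts shows up in several Navigator columns at once.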


Congratulations on completing Trooper!!!

Congratulations on completing Trooper

Congratulations on finishing this walkthrough of the amazing TryHackMe Trooper room. This is probably my favorite room so far in the SOC Level 1 Path, and I really liked mastering the tools that are the ATT&CK Matrix and the great OpenCTI Dashboard. If you are following along on the SOC Level 1 Path, it is time to move on to the Network Security and Traffic Analysis section!

I hope you enjoyed this walkthrough. Come back soon for more walkthroughs of rooms on TryHackMe and HackTheBox, and other Cybersecurity discussions.


Like my articles?

You are welcome to give my article a clap or two 🙂
I would be even more grateful if you support me by buying me a cup of coffee:

Buy me a coffee

I learned a lot through HackTheBox’s Academy. If you want to sign up, you can get extra cubes, and support me in the process, if you use the following link:

https://referral.hackthebox.com/mzwwXlg
