CYBERSEC 2021 uses cookies to provide you with the best user experience possible. By continuing to use this site, you agree to the terms in our Privacy Policy. I Agree

May 4-6 at Taipei Nangang Exhibition Center, Hall 2

Taiwan's Cybersecurity Researchers
701 Vulnerability Research Lab
  • May 6th (Thu)
  • 14:45 - 15:15
  • 7F 701H

Tropic Trooper's Back: USBferry Attack Targets Air-gapped Environments

Tropic Trooper also named Keyboy, a threat actor group that targets government, military, healthcare, transportation, and high-tech industries in Taiwan, the Philippines, and Hong Kong, has been active since 2011. Primarily motivated by information theft and espionage, the group has also been seen adopting different strategies such as fine-tuning tools with new behaviors and going mobile with surveillance ware.


We found that Tropic Trooper’s latest activities center on targeting Taiwanese and the Philippine military’s physically isolated networks through a USBferry attack (the name derived from a sample found in a related research). We also observed targets among military/navy agencies, government institutions, military hospitals, and even a national bank. The group employs USBferry, a USB malware that performs different commands on specific targets, maintains stealth in environments, and steals critical data through USB storage. We started tracking this particular campaign in 2018, and our analysis shows that it uses a fake executable decoy and a USB trojan strategy to steal information


Tropic Trooper is well aware that military or government organizations may have more robust security in their physically isolated environments (i.e., the use of biometrics or USB use in a quarantined machine before an air-gapped environment). The group then targets potentially unsecured related organizations that could serve as jumping-off points for attacks.


This talk provides an overview of the USB malware called USBferry and its capabilities, as well as the other tools used to infiltrate physically isolated environments. In addition, we will talk about their notable tactics in their attack scenario.

APT Threat IntelligenceCritical Infrastructure Protection
Joey chen

Joey chen

Sr. threat researcher, Trend Micro

Joey Chen is working as a Cyber Threat Researcher for Trend Micro Incorporated in Taiwan. His major areas of research include incident response, APT investigation, malware analysis and cryptography analysis. He not only has been a speaker at DeepIntel, CODEBLUE, HITCON and CYBERSEC conference but also got 2018 Training Ambassador & Trainer price in TrendMicro. Now he is focusing on the security issues of target attack emerge threat and IOT systems.