China-Linked Hackers Target Drone Makers


A threat actor linked to China has been targeting military-related and satellite industries in Taiwan, Trend Micro reports.

Tracked as Tidrone, the threat actor has been observed mainly targeting drone manufacturers. The group has relied on enterprise resource planning (ERP) software and remote desktop access to deploy sophisticated malware to disable system protections and steal information.

As part of the attacks, the threat actor used two backdoors, dubbed Cxclnt and Clntend, both deployed using UltraVNC, a legitimate remote-control tool.

“During our investigation, we discovered the same ERP system was present in the environments of different victims, suggesting that the malware might be distributed through a supply chain attack,” Trend Micro notes.

After compromising the victims’ systems, the threat actor was observed performing lateral movement, deploying malicious tools, harvesting credentials, bypassing User Account Control (UAC), and disabling antivirus solutions.

Tidrone, Trend Micro explains, uses loaders to deploy its backdoors in memory, and has been observed updating the deployment technique between the two backdoors: merging two payloads into one and modifying the injection chain to include the svchost process.

Analysis of the Cxclnt backdoor shows it can collect system and user information and send it to the command-and-control (C&C) server, receive payloads, delete its traces, and set persistence.

Depending on the configuration used during installation, Clntend, essentially a remote shell, is injected in the current process or in the svchost process, either directly or after creating a new service or a task.


“Based on our experience, threat actors prefer the C&C server domain with a misquoted name, like symantecsecuritycloud[.]com, microsoftsvc[.]com, and windowswns[.]com, whether it is for Clntend or Cxclnt. They all implement a similar naming convention to mislead the investigation for network infrastructure,” Trend Micro says.
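The naming convention quoted above is detectable: a domain that embeds a vendor brand but is not the vendor's own registrable domain is worth a closer look. The following is an added example (not Trend Micro's or the article's code) that scans constructed DNS query log lines for the brand tokens the three quoted C&C domains impersonate; the allowlist of legitimate brand domains is an assumed, constructed list, not one from the page.

```python
import re

# Brand tokens impersonated by the C&C domains quoted in the article.
BRAND_TOKENS = ("symantec", "microsoft", "windows")

# Constructed allowlist of registrable domains that legitimately carry those
# brands; a real deployment would use the organisation's own vetted list.
LEGIT_DOMAINS = {"symantec.com", "microsoft.com", "microsoftonline.com",
                 "windows.com", "windows.net"}

_DEFANG = re.compile(r"\[\.\]|\(\.\)|\{\.\}")

def refang(domain: str) -> str:
    """Turn a defanged indicator such as 'microsoftsvc[.]com' back into a hostname."""
    return _DEFANG.sub(".", domain.strip().lower().rstrip("."))

def registrable_domain(host: str) -> str:
    """Crude eTLD+1: the last two labels (assumed adequate for .com-style TLDs)."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host

def impersonated_brand(host: str):
    """Return the brand token a lookalike domain embeds, or None when the
    registrable domain is allowlisted or carries no brand token at all."""
    reg = registrable_domain(refang(host))
    if reg in LEGIT_DOMAINS:
        return None
    second_level = reg.split(".")[0]
    return next((t for t in BRAND_TOKENS if t in second_level), None)

def flag_dns_log(lines):
    """Scan 'timestamp client qname' lines; return (client, qname, brand) for
    every query whose registrable domain mimics a brand but is not legitimate."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) < 3:
            continue  # skip malformed lines rather than crash on them
        _, client, qname = parts[:3]
        brand = impersonated_brand(qname)
        if brand:
            hits.append((client, refang(qname), brand))
    return hits

# Constructed sample log mixing the article's C&C domains with benign lookups.
SAMPLE_LOG = [
    "2024-09-09T10:01:02 10.0.0.21 liveupdate.symantec.com",
    "2024-09-09T10:01:05 10.0.0.21 api.symantecsecuritycloud[.]com",
    "2024-09-09T10:02:11 10.0.0.34 login.microsoftonline.com",
    "2024-09-09T10:02:14 10.0.0.34 update.microsoftsvc.com",
    "2024-09-09T10:02:20 10.0.0.34 time.windowswns.com",
    "2024-09-09T10:03:00 10.0.0.50 www.example.org",
    "garbage",
]
```

Running `flag_dns_log(SAMPLE_LOG)` yields the three lookalike queries and none of the allowlisted vendor lookups.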

Similarities with known Chinese espionage activity suggest that Tidrone is an as-yet-unidentified Chinese-speaking threat group engaging in targeted attacks, the cybersecurity firm explains.

“The focus on military-related industry chains, particularly in the manufacturers of drones, suggests an espionage motive, given the sensitive data these entities typically hold. This further reinforces the likelihood that Tidrone is engaged in espionage-related activities,” Trend Micro notes.
