Pierluigi Paganini September 09, 2024
Trend Micro spotted an allegedly China-linked threat actor, tracked as TIDRONE, targeting drone manufacturers in Taiwan. The group, which was previously undocumented, uses enterprise resource planning (ERP) software and remote desktops to deploy advanced malware, including CXCLNT and CLNTEND. CXCLNT allows for file upload/download, erasing traces, gathering victim information, and downloading executable files. Since April, the group has used CLNTEND, a previously undetected remote access tool (RAT), which supports a wider range of network protocols for communication, further enhancing their capabilities.
Both CXCLNT and CLNTEND backdoors are launched by sideloading a malicious DLL through the Microsoft Word application.
Trend Micro reported that the threat actors have continuously updated their tools and refined their attack chain. They now use anti-analysis techniques in their loaders, including verifying the entry point address from the parent process and hooking common APIs like GetProcAddress to manipulate the execution flow, making detection and analysis more difficult.
The researchers analyzed CXCLNT/CLNTEND artifacts and their associated components, including the launcher and a legitimate executable used for side-loading. The components were downloaded via UltraVNC. The researchers noticed the presence of the same ERP system in the compromised environments of different victims, suggesting that the malware may have been distributed through a supply chain attack.
After executing winsrv.exe, the malware copies the token from Winlogon.exe to escalate privileges and carry out malicious actions. The attackers replace the original Update.exe in a specified directory with one supplied by the threat actors.
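Two of the behaviors described above, Word sideloading a DLL and winsrv.exe copying the Winlogon.exe token, leave telemetry that defenders can hunt for. The following Python is an added example, not code from Trend Micro's report: it applies two simple rules to constructed Sysmon-style JSON events, and the allowlisted directories, helper.dll and the C:\Users\Public paths are assumptions.

```python
import json
from pathlib import PureWindowsPath  # is_relative_to needs Python 3.9+

# Directories Word is expected to load DLLs from (allowlist assumed for this example).
TRUSTED_DLL_DIRS = (r"C:\Windows\System32", r"C:\Windows\SysWOW64",
                    r"C:\Program Files\Microsoft Office",
                    r"C:\Program Files (x86)\Microsoft Office",
                    r"C:\Program Files\Common Files\Microsoft Shared")
# Processes that legitimately open winlogon.exe (allowlist assumed for this example).
TRUSTED_WINLOGON_CLIENTS = (r"C:\Windows\System32",)

def _under(path, dirs):
    """True if path sits below any of dirs (PureWindowsPath compares case-insensitively)."""
    p = PureWindowsPath(path)
    return any(p.is_relative_to(PureWindowsPath(d)) for d in dirs)

def suspicious_word_sideload(ev):
    """Sysmon EventID 7 (ImageLoad): WINWORD.EXE loading a DLL from an untrusted directory."""
    return (ev.get("EventID") == 7
            and PureWindowsPath(ev["Image"]).name.lower() == "winword.exe"
            and not _under(ev["ImageLoaded"], TRUSTED_DLL_DIRS))

def suspicious_winlogon_access(ev):
    """Sysmon EventID 10 (ProcessAccess): untrusted process opening winlogon.exe,
    the handle needed before its token can be duplicated for privilege escalation."""
    return (ev.get("EventID") == 10
            and PureWindowsPath(ev["TargetImage"]).name.lower() == "winlogon.exe"
            and not _under(ev["SourceImage"], TRUSTED_WINLOGON_CLIENTS))

def triage(lines):
    """Return (rule, offending_path) for every JSON log line that matches a rule."""
    hits = []
    for line in lines:
        ev = json.loads(line)
        if suspicious_word_sideload(ev):
            hits.append(("word_dll_sideload", ev["ImageLoaded"]))
        elif suspicious_winlogon_access(ev):
            hits.append(("winlogon_token_access", ev["SourceImage"]))
    return hits

# Constructed sample events (not real telemetry); only winsrv.exe and winlogon.exe come from the report.
OFFICE = r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
SAMPLE_LOG = [
    json.dumps({"EventID": 7, "Image": OFFICE, "ImageLoaded": r"C:\Windows\System32\kernel32.dll"}),
    json.dumps({"EventID": 7, "Image": OFFICE, "ImageLoaded": r"C:\Users\Public\Libraries\helper.dll"}),
    json.dumps({"EventID": 10, "SourceImage": r"C:\Windows\System32\lsass.exe",
                "TargetImage": r"C:\Windows\System32\winlogon.exe"}),
    json.dumps({"EventID": 10, "SourceImage": r"C:\Users\Public\winsrv.exe",
                "TargetImage": r"C:\Windows\System32\winlogon.exe"}),
]

if __name__ == "__main__":
    for rule, path in triage(SAMPLE_LOG):
        print(f"{rule}: {path}")
```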
The researchers observed UAC Bypass, credential dumping, and the use of commands to disable antivirus software in the post-exploitation phase.
“We investigated TIDRONE, a threat actor linked to Chinese-speaking groups. The attacks were detected in Taiwan and mostly targeted military-related industries, specifically the manufacturer of drones. The activities involve advanced malware variants such as CXCLNT and CLNTEND which were spread through ERP software or remote desktops,” concludes the report. “We examined the technical details of these malicious activities to keep users informed about these types of threats.”