Taiwan Drone Makers Are Being Attacked by TIDRONE Espionage Group
- Security researchers at Trend Micro have discovered a previously unknown threat actor, TIDRONE, that's attacking Taiwanese drone makers.
- The group is believed to be backed by China, but it's yet to be confirmed.
- The purpose of the attacks is also yet to be confirmed but given that it's attacking military-related drone makers, espionage is a likely motive.
A previously unknown threat actor called TIDRONE has been attacking drone manufacturers in Taiwan, especially military-related industry chains.
The discovery was made by Trend Micro, which also found that the group was using two malware families against its victims: CXCLNT and CLNTEND. Both were deployed through enterprise resource planning (ERP) software and remote desktop tools.
In fact, in every attack recorded so far, it was the same enterprise resource planning (ERP) software that was compromised, which might indicate a supply chain attack.
More About the Malware
We don't know much about the malware beyond the fact that CXCLNT is commonly used for gathering victim information, erasing traces of the intrusion, and uploading and downloading files.
On the other hand, CLNTEND (which the group only started using in April) is an undetected remote access tool (RAT) that supports a wide range of network protocols for communication, such as HTTP, HTTPS, TCP, TLS, and SMB (port 445), which further strengthens their capabilities.
Upon further investigation, it was also found that the associated components of the malware were downloaded via UltraVNC. Also, both the CXCLNT and CLNTEND backdoors are launched by sideloading a malicious DLL through Microsoft Word.
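As an added example (not from the article or from Trend Micro's report), the following Python script flags image-load records in which an Office process loads a DLL that is unsigned or sits outside its expected directories, the trace a Word-based DLL sideload leaves behind. The field names and trusted-path list are assumptions modelled loosely on Sysmon image-load events, and the sample records are constructed.

```python
from pathlib import PureWindowsPath

# Directories from which Office is expected to load DLLs (assumption: adjust
# to the host's install layout; matched as case-insensitive prefixes).
TRUSTED_PREFIXES = (
    r"c:\windows\system32",
    r"c:\windows\syswow64",
    r"c:\windows\winsxs",
    r"c:\program files\microsoft office",
    r"c:\program files (x86)\microsoft office",
    r"c:\program files\common files\microsoft shared",
)
OFFICE_PROCESSES = {"winword.exe", "excel.exe", "powerpnt.exe"}

def parse_image_load(line):
    """Parse a one-line 'Key=value|Key=value' image-load record into a dict."""
    fields = {}
    for part in line.strip().split("|"):
        key, _, value = part.partition("=")
        fields[key.strip().lower()] = value.strip()
    return fields

def is_suspicious_load(rec):
    """True when an Office process loads a DLL that is unsigned or lives
    outside the trusted directories; either is a sideloading hallmark."""
    proc = PureWindowsPath(rec.get("image", "")).name.lower()
    if proc not in OFFICE_PROCESSES:
        return False
    loaded = rec.get("imageloaded", "").lower()
    trusted = loaded.startswith(TRUSTED_PREFIXES)
    signed = rec.get("signed", "").lower() == "true"
    return not (trusted and signed)

def find_sideload_candidates(lines):
    """Return (process, loaded DLL) pairs that deserve analyst triage."""
    hits = []
    for line in lines:
        rec = parse_image_load(line)
        if is_suspicious_load(rec):
            hits.append((rec["image"], rec["imageloaded"]))
    return hits

# Constructed sample records; not taken from any real incident.
SAMPLE_LOGS = [
    r"Image=C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE|ImageLoaded=C:\Windows\System32\kernel32.dll|Signed=true",
    r"Image=C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE|ImageLoaded=C:\Users\alice\AppData\Local\Temp\update.dll|Signed=false",
    r"Image=C:\Windows\explorer.exe|ImageLoaded=C:\Users\alice\AppData\Local\Temp\update.dll|Signed=false",
    r"Image=C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE|ImageLoaded=C:\Program Files\Microsoft Office\root\Office16\helper.dll|Signed=true",
]

if __name__ == "__main__":
    for proc, dll in find_sideload_candidates(SAMPLE_LOGS):
        print(f"possible sideload: {proc} loaded {dll}")
```

Only the second record is reported: Word loading an unsigned DLL from a user's Temp directory. The same DLL loaded by explorer.exe is not flagged, since the rule is scoped to Office processes.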
Trend Micro has yet to release the complete breakdown of the attack mechanism, but we do know that it's a three-stage process consisting of UAC bypass, credential dumping, and antivirus disabling.
Who Is Behind This Group?
No official names have been revealed, but Trend Micro believes that China might have something to do with this.
"The consistency in file compilation times and the threat actor's operation time with other Chinese espionage-related activities supports the assessment that this campaign is likely being carried out by an as-yet unidentified Chinese-speaking threat group." - Security researchers Pierre Lee and Vickie Su
The worst part is that these threat actors are constantly updating their tools and attack mechanisms, making them harder to track. To further evade detection, they're now using anti-analysis techniques in their loaders, such as verifying the entry point address from the parent process and hooking common APIs, such as GetProcAddress, to control or change the execution flow.
The post Taiwan Drone Makers Are Being Attacked by TIDRONE Espionage Group appeared first on The Tech Report.