TIDRONE APT targets drone manufacturers in Taiwan

Security Affairs, published 2024-09-09. Source: https://securityaffairs.com/168210/apt/tidrone-targets-organizations-taiwan.html
A previously undocumented threat actor tracked as TIDRONE targets organizations in the military and satellite industries in Taiwan.
Trend Micro spotted an allegedly China-linked threat actor, tracked as TIDRONE, targeting drone manufacturers in Taiwan. The group, which was previously undocumented, uses enterprise resource planning (ERP) software and remote desktops to deploy advanced malware, including CXCLNT and CLNTEND. CXCLNT allows for file upload/download, erasing traces, gathering victim information, and downloading executable files. Since April, the group has used CLNTEND, a previously undetected remote access tool (RAT), which supports a wider range of network protocols for communication, further enhancing their capabilities.
Both the CXCLNT and CLNTEND backdoors are launched by sideloading a malicious DLL through the Microsoft Word application.
According to Trend Micro, the threat actors have continuously updated their tools and refined their attack chain. They now use anti-analysis techniques in their loaders, including verifying the entry point address from the parent process and hooking common APIs such as GetProcAddress to manipulate the execution flow, making detection and analysis more difficult.
The researchers analyzed CXCLNT/CLNTEND artifacts and their associated components, including the launcher and a legitimate executable used for side-loading. The components were downloaded via UltraVNC. The researchers noticed the presence of the same ERP system in the compromised environments of different victims, suggesting that the malware may have been distributed through a supply chain attack.
After executing winsrv.exe, the malware copies the token from Winlogon.exe to escalate privileges and carry out malicious actions. The attackers replace the original Update.exe in a specified directory with one supplied by the threat actors.
The researchers observed UAC bypass, credential dumping, and the use of commands to disable antivirus software in the post-exploitation phase.