TIDRONE Targets Military and Satellite Industries in Taiwan

However, upon analyzing this sample, we found that the command and control (C&C) server was no longer active. By tracing the APIs used in the malware and the pcap file recorded by the sandbox, we inferred its possible functionalities. Comparing the decrypted packet contents with the command codes hardcoded in the malware, we concluded that this backdoor likely possesses the following capabilities.

| Command code | Description |
|---|---|
| 0x1001 | Send victim information to the C&C server |
| 0x1002 | Pass but do nothing |
| 0x1003 | SetEvent |
| 0x1004 | Receive unknown data; the purpose is unclear |
| 0x1005 | Clear footprints: delete the files wwlib.cfg, wwlib.dat, and wwlib.dll, and delete the service |
| 0x1006 | Persistence via setting a registry key |
| 0x2001 | Receive the size of the payload from the C&C server |
| 0x2002 | Receive a DLL file from the C&C server |
| 0x2003 | Call the export functions of the DLL received via 0x2002 |
| 0x2004 | Unknown |
| 0x2005 | Check whether the connection is alive |
| 0x2007 | Send the listed files in a specific folder to the C&C server |

Table 1. Backdoor command codes of CXCLNT

DLL (Backdoor.CLNTEND)

Another final payload is a DLL that never lands on disk, with the internal name “install.dll”. Its export function, InstallSetup, follows one of three paths depending on a value in its configuration:

  1. SvcLoad → Create a service with the name “CertPropSvce” and inject the next payload, ClientEndPoint.dll, into the current process or an svchost process (depending on configuration).
  2. TaskLoad → Create a scheduled task with the name “CertificatePropagatione” and inject the next payload, ClientEndPoint.dll, into the current process or an svchost process (depending on configuration).
  3. Other → Directly inject the next payload, ClientEndPoint.dll, into the current process or an svchost process (depending on configuration).

ClientEndPoint.dll is a remote shell tool; the commands we observed are shown in Figure 3. It supports the following protocols for communication with the C&C server:

  • TCP
  • HTTP
  • HTTPS
  • TLS
  • SMB (port 445)

Based on our experience, the threat actors prefer C&C domains whose names mimic legitimate vendors, such as symantecsecuritycloud[.]com, microsoftsvc[.]com, and windowswns[.]com, for both CLNTEND and CXCLNT. The shared naming convention is intended to mislead investigation of the network infrastructure.

The consistency of the file compilation times and of the threat actor’s operating hours with other Chinese espionage-related activities supports the assessment that this campaign is likely being carried out by an as-yet unidentified Chinese-speaking threat group. The incidents we observed were highly targeted and limited in scope. The focus on military-related industry chains, particularly drone manufacturers, suggests an espionage motive, given the sensitive data these entities typically hold. This further reinforces the likelihood that TIDRONE is engaged in espionage-related activities.

Because the threat actors consistently operate through the same parent process (WinWord.exe), organizations can defend against TIDRONE by staying vigilant for the following variations:

  • WinWord.exe (sha256: 8cfb55087fa8e4c1e7bcc580d767cf2c884c1b8c890ad240c1e7009810af6736) spawning cmd.exe as a child process, which results from the remote shell functionality.
  • WinWord.exe (sha256: 8cfb55087fa8e4c1e7bcc580d767cf2c884c1b8c890ad240c1e7009810af6736) with “-s” as the first argument of the command line.
  • WinWord.exe (sha256: 8cfb55087fa8e4c1e7bcc580d767cf2c884c1b8c890ad240c1e7009810af6736) with “/SvcLoad” or “/TaskLoad” as the last argument of the command line.
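To make the three variations concrete for detection engineering, the following added example (not code from the report) evaluates constructed process-creation events against them. The event field names, including a parent-process hash, are assumptions modelled loosely on Sysmon Event ID 1; the SHA-256 is the one listed above.

```python
import shlex
from dataclasses import dataclass

# SHA-256 of the WinWord.exe binary the report associates with TIDRONE (value from the report).
TIDRONE_WINWORD_SHA256 = "8cfb55087fa8e4c1e7bcc580d767cf2c884c1b8c890ad240c1e7009810af6736"


@dataclass
class ProcEvent:
    """Assumed process-creation event schema (hypothetical; loosely modelled on Sysmon Event ID 1)."""
    image: str           # full path of the created process
    sha256: str          # hash of the created process image
    command_line: str    # full command line of the created process
    parent_image: str    # full path of the parent process
    parent_sha256: str   # hash of the parent image (assumed to be available in the telemetry)


def _basename(path: str) -> str:
    """Case-insensitive file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def tidrone_winword_indicators(ev: ProcEvent) -> list:
    """Return the names of the report's three WinWord.exe variations that this event matches."""
    hits = []
    # Variation 1: the flagged WinWord.exe spawns cmd.exe (remote shell behaviour).
    if (_basename(ev.parent_image) == "winword.exe"
            and ev.parent_sha256.lower() == TIDRONE_WINWORD_SHA256
            and _basename(ev.image) == "cmd.exe"):
        hits.append("winword_spawns_cmd")
    if _basename(ev.image) == "winword.exe" and ev.sha256.lower() == TIDRONE_WINWORD_SHA256:
        # posix=False keeps quoted Windows paths intact; drop the executable token itself.
        args = shlex.split(ev.command_line, posix=False)[1:]
        # Variation 2: "-s" as the first argument of the command line.
        if args and args[0] == "-s":
            hits.append("winword_first_arg_-s")
        # Variation 3: "/SvcLoad" or "/TaskLoad" as the last argument of the command line.
        if args and args[-1] in ("/SvcLoad", "/TaskLoad"):
            hits.append("winword_last_arg_" + args[-1].lstrip("/"))
    return hits


# Constructed sample events (not real telemetry) covering each variation plus a benign launch.
OFFICE = r"C:\Program Files\Microsoft Office\root\Office16\WinWord.exe"
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\System32\cmd.exe", "ab" * 32, "cmd.exe /c whoami", OFFICE, TIDRONE_WINWORD_SHA256),
    ProcEvent(OFFICE, TIDRONE_WINWORD_SHA256, f'"{OFFICE}" -s', r"C:\Windows\explorer.exe", "cd" * 32),
    ProcEvent(OFFICE, TIDRONE_WINWORD_SHA256, f'"{OFFICE}" /TaskLoad', r"C:\Windows\explorer.exe", "cd" * 32),
    ProcEvent(OFFICE, "ef" * 32, f'"{OFFICE}" "C:\\Users\\user\\report.docx"', r"C:\Windows\explorer.exe", "cd" * 32),
]
```

Running `tidrone_winword_indicators` over `SAMPLE_EVENTS` flags the first three events and leaves the benign fourth one unflagged.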

In this article, we investigated TIDRONE, a threat actor linked to Chinese-speaking groups. The attacks were detected in Taiwan and mostly targeted military-related industries, specifically drone manufacturers. The activities involve advanced malware variants such as CXCLNT and CLNTEND, which were spread through ERP software or remote desktops. We examined the technical details of these malicious activities to keep users informed about these types of threats.

Some of the steps that organizations can take to protect themselves are as follows:

  • Download software only from trusted sources
  • Stay vigilant of social engineering lures that threat actors could use as entry points for attacks
  • Employ antimalware software that can detect early signs of compromise wherever they occur in the system

Trend Micro Vision One offers multilayered protection for diverse environments. With comprehensive prevention, detection, and response capabilities, it safeguards systems from breaches and attacks.
