The Chinese state-sponsored threat group known as Antlion has targeted at least 6 financial institutions in Taiwan over the past 18 months, installing a custom backdoor program on compromised systems and exfiltrating sensitive data from the companies.
The cyber-espionage group maintained a long-term presence in victims’ networks, exploring one manufacturing firm’s network for almost 6 months and a financial organization for more than 8 months, Symantec, the security division of Broadcom, said in its analysis of the campaign. In the past, Antlion — sometimes known as Pirate Panda and Tropic Trooper — has conducted espionage against targets in a number of countries located near the South China Sea, such as India, Vietnam, and the Philippines.
More recently, the Antlion group has targeted mainly financial businesses in Taiwan, using living-off-the-land techniques to steal business contact information, transaction data, and investment plans, says Alan Neville, an analyst on Symantec’s Threat Hunter Team.
“We can only speculate on their exact goal,” he says. “It’s clear the group are well organized and skilled in that we can see the attackers remained active on compromised networks for long periods of time and were able to conduct these attacks against financial organizations in parallel.”
The attacks coincide with rising tensions between China and Taiwan over its political status. Over the last year, China has increased military activity near Taiwan, and the cyberattacks appear to be an extension of that policy.
In the latest analysis, Symantec’s threat-hunting team linked the cyber-espionage group to intrusions into two different financial institutions and a manufacturing company. However, Neville explains that, over the past year, the threat hunting team has investigated attacks against 6 financial institutions, a departure from Antlion’s usually broader range of targets in the government, transportation, and media sectors.
Stolen Credentials
Among the common features in Antlion’s arsenal is a custom backdoor known as xPack that allowed the attackers extensive access to compromised systems by issuing Windows Management Instrumentation (WMI) commands remotely. The attackers also apparently used SMB shares to allow files to be copied from the compromised systems to newly infected machines. The group also performed broad searches for credentials and exfiltrated the sensitive data for later use.
The xPack backdoor is a custom .NET loader focused on the initial access, allowing new features to be downloaded, decrypted, and executed on compromised machines.
In a December 2020 intrusion of a financial company, the attackers used WMI commands to gather information on the compromised system and within minutes dumped the credentials, according to Symantec’s analysis. During the end-of-the-month holidays, the attackers moved laterally to other systems, continuing to collect credentials until early summer 2021.
“Antlion is believed to have been involved in espionage activities since at least 2011, and this new activity shows that it is still an actor to be aware of more than 10 years after it first appeared,” Symantec’s Threat Hunting Team said in the analysis. “The length of time that Antlion was able to spend on victim networks is notable, with the group able to spend several months on target networks, affording plenty of time to seek out and exfiltrate potentially sensitive information from infected organizations.”
How to Protect Against Antlion-Style Attacks
Because of the use of WMI commands, SMB shares, and other living-off-the-land techniques, companies should monitor the use of dual-use tools within the network, enforcing policies such as keeping PowerShell up to date and allowing RDP only from specific, known IP addresses, Symantec’s Neville says.
“Many of these tools are used by attackers to move laterally undetected through a network,” he says. “Broadly speaking, [companies] should adopt a defense-in-depth strategy, using multiple detection, protection, and hardening technologies to mitigate risk at each point of the potential attack chain.”
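As an added illustration of the monitoring Neville recommends (example code, not Symantec's or the article's own), the following Python flags two of the behaviours described above in already-parsed Windows Security events: dual-use tools launched under the WMI provider host WmiPrvSE.exe, and ADMIN$/C$ share access from hosts outside an allowlist. The events, host names, addresses and the allowlist are all constructed for the example.

```python
"""Flag two Antlion-style behaviours in parsed Windows Security events:
remote WMI command execution (WmiPrvSE.exe spawning a dual-use tool) and
admin-share access from hosts that are not known management systems."""

# Dual-use binaries worth alerting on when their parent is the WMI provider host.
DUAL_USE = {"cmd.exe", "powershell.exe", "wmic.exe", "net.exe", "rundll32.exe"}
# Share names as they appear in event 5140 (\\*\ADMIN$ and \\*\C$).
ADMIN_SHARES = {"\\\\*\\ADMIN$", "\\\\*\\C$"}

def _basename(path):
    """Return the file name from a Windows path, lower-cased."""
    return path.rsplit("\\", 1)[-1].lower()

def wmi_spawned_dual_use(events):
    """Event 4688 (process creation) where WmiPrvSE.exe launched a dual-use tool."""
    hits = []
    for e in events:
        if e.get("EventID") != 4688:
            continue
        parent = _basename(e.get("ParentProcessName", ""))
        child = _basename(e.get("NewProcessName", ""))
        if parent == "wmiprvse.exe" and child in DUAL_USE:
            hits.append((e["Computer"], child, e.get("CommandLine", "")))
    return hits

def admin_share_from_unknown_host(events, allowed_sources):
    """Event 5140 (share accessed) for ADMIN$/C$ from an IP not in the allowlist."""
    hits = []
    for e in events:
        if e.get("EventID") != 5140:
            continue
        if e.get("ShareName") in ADMIN_SHARES and e.get("IpAddress") not in allowed_sources:
            hits.append((e["Computer"], e["ShareName"], e["IpAddress"]))
    return hits

# Constructed sample events; hosts, paths and addresses are illustrative only.
SAMPLE_EVENTS = [
    {"EventID": 4688, "Computer": "FIN-WS01", "ParentProcessName": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "NewProcessName": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe /c whoami /all"},
    {"EventID": 4688, "Computer": "FIN-WS01", "ParentProcessName": r"C:\Windows\explorer.exe",
     "NewProcessName": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe"},
    {"EventID": 5140, "Computer": "FIN-SRV02", "ShareName": r"\\*\ADMIN$", "IpAddress": "10.20.30.40"},
    {"EventID": 5140, "Computer": "FIN-SRV02", "ShareName": r"\\*\ADMIN$", "IpAddress": "10.0.0.5"},
    {"EventID": 5140, "Computer": "FIN-SRV02", "ShareName": r"\\*\Finance", "IpAddress": "10.20.30.40"},
]
MGMT_HOSTS = {"10.0.0.5"}  # constructed allowlist of administrative jump hosts

if __name__ == "__main__":
    for hit in wmi_spawned_dual_use(SAMPLE_EVENTS):
        print("WMI-spawned dual-use tool:", hit)
    for hit in admin_share_from_unknown_host(SAMPLE_EVENTS, MGMT_HOSTS):
        print("Admin share accessed from unexpected host:", hit)
```

Both checks are deliberately narrow so that ordinary interactive use of cmd.exe and share access from the management hosts produce no alerts.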