Nation-State

China-Linked Hackers Target Drone Makers

A Chinese-speaking threat actor tracked as Tidrone has been targeting military and satellite industries in Taiwan.

A threat actor linked to China has been targeting military-related and satellite industries in Taiwan, Trend Micro reports.

Tracked as Tidrone, the threat actor has been observed mainly targeting drone manufacturers. The group has abused enterprise resource planning (ERP) software and remote desktop access to deploy malware that disables system protections and steals information.

As part of the attacks, the threat actor used two backdoors, dubbed Cxclnt and Clntend, both deployed through UltraVNC, a legitimate remote control tool.

“During our investigation, we discovered the same ERP system was present in the environments of different victims, suggesting that the malware might be distributed through a supply chain attack,” Trend Micro notes.

After compromising the victims’ systems, the threat actor was observed performing lateral movement, deploying malicious tools, harvesting credentials, bypassing User Account Control (UAC), and disabling antivirus solutions.

Tidrone, Trend Micro explains, uses loaders to deploy its backdoors in memory. The deployment technique changed between the two backdoors: the two payloads were merged into one, and the injection chain was modified to include the svchost process.

Analysis of the Cxclnt backdoor shows it can collect system and user information and send it to the command-and-control (C&C) server, receive payloads, delete its traces, and establish persistence.

Depending on the configuration used during installation, Clntend, essentially a remote shell, is injected either into the current process or into the svchost process, directly or after creating a new service or a scheduled task.


“Based on our experience, threat actors prefer the C&C server domain with a misquoted name, like symantecsecuritycloud[.]com, microsoftsvc[.]com, and windowswns[.]com, whether it is for Clntend or Cxclnt. They all implement a similar naming convention to mislead the investigation for network infrastructure,” Trend Micro says.
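The naming pattern Trend Micro describes is easy to hunt for once you separate domains a brand actually owns from domains that merely embed the brand name. The following Python script is an added illustration, not Trend Micro's tooling or anything from the report: it classifies DNS query names against a small allowlist of legitimate vendor apex domains and flags the rest as lookalikes. The three lookalike domains are the ones quoted above; the key=value log format, the allowlist contents and the sample log lines are assumptions constructed for this example.

```python
"""Flag DNS queries for domains that imitate security/OS vendor brand names.

Added example, not Trend Micro's code. Only the three lookalike domains come
from the report quoted above; the log format, the allowlist and the sample
log lines are constructed assumptions.
"""
import re
from typing import Dict, List, Optional, Set, Tuple

# Brand strings the Tidrone C&C domains imitated, mapped to apex domains the
# brand legitimately uses. This allowlist is an assumption; extend it from
# your own telemetry, since a brand embedded in a legitimate domain
# (e.g. microsoftonline.com) would otherwise be a false positive.
BRAND_ALLOWLIST: Dict[str, Set[str]] = {
    "symantec": {"symantec.com", "symantec.net"},
    "microsoft": {"microsoft.com", "microsoftonline.com"},
    "windows": {"windows.com", "windows.net", "windowsupdate.com"},
}

# Constructed sample DNS log in a simple key=value format (assumption).
SAMPLE_DNS_LOG = """\
2024-09-05T10:02:11Z client=10.0.0.5 qname=symantecsecuritycloud.com qtype=A
2024-09-05T10:02:12Z client=10.0.0.5 qname=update.microsoft.com qtype=A
2024-09-05T10:03:40Z client=10.0.0.17 qname=login.microsoftonline.com qtype=A
2024-09-05T10:05:02Z client=10.0.0.17 qname=microsoftsvc.com qtype=A
2024-09-05T10:06:55Z client=10.0.0.23 qname=windowswns.com qtype=A
2024-09-05T10:07:10Z client=10.0.0.23 qname=download.windowsupdate.com qtype=A
2024-09-05T10:08:00Z client=10.0.0.42 qname=intranet.example.com qtype=A
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) client=(?P<client>\S+) qname=(?P<qname>\S+) qtype=(?P<qtype>\S+)$"
)


def registrable_domain(qname: str) -> str:
    """Return the last two labels of a query name.

    Good enough for this example; a real deployment should use the public
    suffix list so that 'host.example.co.uk' is not truncated to 'co.uk'.
    """
    labels = qname.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def classify(qname: str) -> Tuple[str, Optional[str]]:
    """Classify a query name as 'allowlisted', 'lookalike' or 'unrelated'.

    The second element is the brand the domain belongs to or imitates.
    Allowlist matching runs first, so a legitimate domain that embeds a
    brand string is never reported as a lookalike.
    """
    apex = registrable_domain(qname)
    for brand, legit in BRAND_ALLOWLIST.items():
        if apex in legit:
            return "allowlisted", brand
    second_level = apex.split(".")[0]
    for brand in BRAND_ALLOWLIST:
        if brand in second_level:
            return "lookalike", brand
    return "unrelated", None


def find_lookalikes(log_text: str) -> List[Dict[str, str]]:
    """Parse the key=value log and return one record per lookalike query."""
    hits: List[Dict[str, str]] = []
    for line in log_text.splitlines():
        match = LINE_RE.match(line.strip())
        if not match:
            continue  # skip malformed lines instead of failing the whole run
        verdict, brand = classify(match["qname"])
        if verdict == "lookalike":
            hits.append(
                {
                    "ts": match["ts"],
                    "client": match["client"],
                    "qname": match["qname"],
                    "brand": brand or "",
                }
            )
    return hits


if __name__ == "__main__":
    for hit in find_lookalikes(SAMPLE_DNS_LOG):
        print(f"{hit['ts']} {hit['client']} queried {hit['qname']} (imitates {hit['brand']})")
```

Run against the constructed log, the script reports the three domains from the report and nothing else; the two legitimate Microsoft names pass because they are allowlisted, not because the substring check is smart. Keeping the allowlist accurate is the real work in production.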

Similarities with Chinese espionage-related activities suggest that Tidrone is an as-yet-unidentified Chinese-speaking threat group engaging in targeted attacks, the cybersecurity firm explains.

“The focus on military-related industry chains, particularly in the manufacturers of drones, suggests an espionage motive, given the sensitive data these entities typically hold. This further reinforces the likelihood that Tidrone is engaged in espionage-related activities,” Trend Micro notes.

Related: US Lawmakers Want Investigation Into TP-Link Over Chinese Hacking Fears

Related: Chinese Hackers Deliver Malware via ISP-Level DNS Poisoning

Related: Chinese Cyberspy Group ‘Aoqin Dragon’ Targeting Southeast Asia, Australia Since 2013

Related: DHS Details Risks of Using Chinese Data Services, Equipment

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
