Chinese Hackers Target Financial Institutions in Taiwan With Custom Backdoor

Between 2020 and 2021, a China-linked advanced persistent threat (APT) actor ran an espionage campaign targeting financial institutions in Taiwan, Symantec reports.

Tracked as Antlion, the hacking group is believed to have been active since at least 2011, and is likely backed by the Chinese government.

As part of a persistent 18-month campaign targeting entities in Taiwan, the threat actor was observed employing a new custom backdoor that Symantec named xPack and which provided the attackers with extensive access to victim systems.

In addition to supporting the remote execution of WMI commands, the backdoor also included EternalBlue exploits, and allowed the attackers to interact with SMB shares and to browse the web, acting like a proxy to help the attackers hide their IP address.

“The goal of this campaign appears to have been espionage, as we saw the attackers exfiltrating data and staging data for exfiltration from infected networks,” Symantec notes.

Antlion compromised the networks of at least three organizations in Taiwan, including two financial entities and a manufacturing company. The hackers performed similar activity on each network, seeking to harvest credentials and using xPack for access.

Symantec found evidence that the attackers spent up to 250 days in one of the compromised networks and roughly 175 days in another, and discovered that they used a variety of off-the-shelf tools, including LSASS, PowerShell, ProcDump, PsExec, and WMIC.

Furthermore, the APT abused the legitimate AnyDesk tool for remote access to one of the compromised networks, and was seen employing various exploits for privilege elevation. Legitimate versions of WinRAR were likely used for data exfiltration.
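The two paragraphs above list the living-off-the-land and commodity tooling Symantec saw on the victim networks (ProcDump, PsExec, WMIC, AnyDesk, WinRAR). The following is an added example, not part of the Symantec report or this article, showing how a defender can flag that tradecraft in process-creation telemetry: it runs a small rule set over constructed sample events (hypothetical hosts, users and paths) and ranks hosts by how many distinct rules fired.

```python
import re

# Constructed sample process-creation events (hypothetical hosts and paths),
# one per line as "host|user|image path|command line".
SAMPLE_EVENTS = r"""
FIN-WS01|acme\jdoe|C:\Windows\System32\notepad.exe|notepad.exe report.txt
FIN-WS01|acme\jdoe|C:\Temp\procdump64.exe|procdump64.exe -accepteula -ma lsass.exe C:\Temp\ls.dmp
FIN-WS01|acme\jdoe|C:\Windows\System32\wbem\WMIC.exe|wmic /node:FIN-SRV02 process call create "cmd /c whoami"
FIN-SRV02|acme\svc_bk|C:\Tools\PsExec.exe|psexec \\FIN-SRV03 -s cmd.exe
FIN-SRV02|acme\svc_bk|C:\Program Files\WinRAR\Rar.exe|rar a -hp C:\Temp\out.rar D:\shares\finance
FIN-SRV02|acme\svc_bk|C:\Users\svc_bk\AppData\Roaming\AnyDesk\AnyDesk.exe|AnyDesk.exe --service
"""

# Each rule: (name, regex on the image basename, optional regex on the command line).
RULES = [
    ("lsass_dump_procdump", r"^procdump(64)?\.exe$", r"\blsass\b"),
    ("wmic_remote_exec", r"^wmic\.exe$", r"/node:.*process\s+call\s+create"),
    ("psexec_lateral_move", r"^psexe(c|svc)\.exe$", None),
    ("rar_staging", r"^(win)?rar\.exe$", r"\ba\b"),   # "rar a ..." = add to archive
    ("anydesk_remote_access", r"^anydesk\.exe$", None),
]

def parse_event(line):
    """Split one pipe-delimited event into its fields; basename is case-preserved."""
    host, user, image, cmd = line.split("|", 3)
    basename = image.replace("/", "\\").rsplit("\\", 1)[-1]
    return {"host": host, "user": user, "basename": basename, "cmd": cmd}

def match_rules(event):
    """Return the names of every rule the event triggers (image match, then command line)."""
    hits = []
    for name, image_re, cmd_re in RULES:
        if not re.match(image_re, event["basename"], re.IGNORECASE):
            continue
        if cmd_re and not re.search(cmd_re, event["cmd"], re.IGNORECASE):
            continue
        hits.append(name)
    return hits

def scan(text):
    """Scan newline-separated events; return a list of (host, user, rule) findings."""
    findings = []
    for line in text.splitlines():
        if line.strip():
            ev = parse_event(line)
            findings.extend((ev["host"], ev["user"], rule) for rule in match_rules(ev))
    return findings

def hosts_by_hit_count(findings):
    """Hosts ordered by the number of distinct rules that fired on them (most first)."""
    per_host = {}
    for host, _user, rule in findings:
        per_host.setdefault(host, set()).add(rule)
    return sorted(per_host.items(), key=lambda kv: -len(kv[1]))
```

A host on which several of these rules fire within a short window (credential dumping followed by remote execution and archiving) is a stronger signal than any single rule, which is why the ranking counts distinct rules rather than raw events.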

“The length of time that Antlion was able to spend on victim networks is notable, with the group able to spend several months on victim networks, affording plenty of time to seek out and exfiltrate potentially sensitive information from infected organizations. The targeting of Taiwan is perhaps unsurprising given we know Chinese state-backed groups tend to be interested in organizations in that region,” Symantec notes.
Written By

Ionut Arghire is an international correspondent for SecurityWeek.