Between 2020 and 2021, a China-linked advanced persistent threat (APT) actor ran an espionage campaign targeting financial institutions in Taiwan, Symantec reports.
Tracked as Antlion, the hacking group is believed to have been active since at least 2011, and is likely backed by the Chinese government.
As part of a persistent 18-month campaign targeting entities in Taiwan, the threat actor was observed employing a new custom backdoor that Symantec named xPack and which provided the attackers with extensive access to victim systems.
Beyond letting the attackers run WMI commands remotely, the backdoor was used alongside EternalBlue exploits to reach and interact with SMB shares, and the attackers also browsed the web through xPack, using the implant as a proxy so that their own IP address was hidden behind the victim host.
“The goal of this campaign appears to have been espionage, as we saw the attackers exfiltrating data and staging data for exfiltration from infected networks,” Symantec notes.
Antlion compromised the networks of at least three organizations in Taiwan, including two financial entities and a manufacturing company. The hackers performed similar activity on each network, seeking to harvest credentials and using xPack for access.
Symantec found evidence that the attackers spent up to 250 days in one of the compromised networks and roughly 175 days in another. Throughout, they leaned on legitimate and dual-use tools rather than custom malware alone: dumping the memory of the LSASS process with ProcDump to harvest credentials, and using PowerShell, PsExec, and WMIC for execution and movement between hosts.
The group also abused the legitimate AnyDesk remote-access tool on one of the compromised networks and was seen using various exploits for privilege escalation. Legitimate copies of WinRAR were likely used to archive data in preparation for exfiltration.
“The length of time that Antlion was able to spend on victim networks is notable, with the group able to spend several months on victim networks, affording plenty of time to seek out and exfiltrate potentially sensitive information from infected organizations. The targeting of Taiwan is perhaps unsurprising given we know Chinese state-backed groups tend to be interested in organizations in that region,” Symantec notes.