SecurityWeek

Cyberwarfare

Chinese Hackers Target Financial Institutions in Taiwan With Custom Backdoor

Between 2020 and 2021, a China-linked advanced persistent threat (APT) actor ran an espionage campaign targeting financial institutions in Taiwan, Symantec reports.

Tracked as Antlion, the hacking group is believed to have been active since at least 2011, and is likely backed by the Chinese government.

As part of a persistent 18-month campaign targeting entities in Taiwan, the threat actor was observed employing a new custom backdoor that Symantec named xPack and which provided the attackers with extensive access to victim systems.

In addition to supporting the remote execution of WMI commands, the backdoor also included EternalBlue exploits, and allowed the attackers to interact with SMB shares and to browse the web, acting like a proxy to help the attackers hide their IP address.

“The goal of this campaign appears to have been espionage, as we saw the attackers exfiltrating data and staging data for exfiltration from infected networks,” Symantec notes.

Antlion compromised the networks of at least three organizations in Taiwan, including two financial entities and a manufacturing company. The hackers performed similar activity on each network, seeking to harvest credentials and using xPack for access.

Symantec found evidence that the attackers spent up to 250 days in one of the compromised networks and roughly 175 days in another, and discovered that they used a variety of off-the-shelf tools, including LSASS, PowerShell, ProcDump, PsExec, and WMIC.

Furthermore, the APT abused the legitimate AnyDesk tool for remote access to one of the compromised networks, and was seen employing various exploits for privilege elevation. Legitimate versions of WinRAR were likely used for data exfiltration.
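The tooling described above (ProcDump against LSASS, WMIC and PsExec for remote execution, WinRAR for staging, AnyDesk for remote access) is all legitimate software, so detection rests on how it is invoked rather than on the binaries themselves. The following is an added example, not code from Symantec or SecurityWeek: a small Python detector that runs a set of command-line rules over constructed process-creation events (a hypothetical, Sysmon-like field layout with invented hostnames and users, not data from the report) and groups the resulting tactics per host so the credential-access, lateral-movement and collection chain stands out.

```python
import re

# Constructed sample of process-creation events in a hypothetical layout
# (loosely modelled on Sysmon Event ID 1 fields). Hosts, users and paths
# are invented for illustration; none of this comes from the Symantec report.
SAMPLE_EVENTS = [
    {"host": "fin-ws01", "user": r"CORP\jdoe",
     "image": r"C:\Tools\procdump64.exe",
     "cmdline": r"procdump64.exe -ma lsass.exe C:\Temp\out.dmp"},
    {"host": "fin-ws01", "user": r"CORP\jdoe",
     "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "cmdline": r'wmic /node:fin-srv02 process call create "cmd.exe /c whoami"'},
    {"host": "fin-srv02", "user": r"CORP\svc_backup",
     "image": r"C:\Tools\PsExec.exe",
     "cmdline": r"PsExec.exe \\fin-srv03 -s cmd.exe"},
    {"host": "fin-srv03", "user": r"CORP\svc_backup",
     "image": r"C:\Program Files\WinRAR\WinRAR.exe",
     "cmdline": r"WinRAR.exe a -r -hp C:\Temp\stage.rar C:\Finance\Reports"},
    {"host": "fin-ws07", "user": r"CORP\alice",
     "image": r"C:\Users\alice\Downloads\AnyDesk.exe",
     "cmdline": r"AnyDesk.exe --install C:\ProgramData\AnyDesk --silent"},
    {"host": "fin-ws07", "user": r"CORP\alice",
     "image": r"C:\Program Files\Microsoft Office\EXCEL.EXE",
     "cmdline": r"EXCEL.EXE C:\Finance\budget.xlsx"},  # benign, should not alert
]

# Each rule: (name, pattern over the command line, coarse tactic label).
# The patterns key on the invocation style of the legitimate tools named in
# the article, since the binaries themselves are not malicious.
RULES = [
    ("lsass_memory_dump",
     re.compile(r"procdump.*lsass", re.I), "credential_access"),
    ("wmic_remote_process_create",
     re.compile(r"wmic.*/node:.*process\s+call\s+create", re.I), "lateral_movement"),
    ("psexec_remote_exec",
     re.compile(r"psexec.*\\\\", re.I), "lateral_movement"),
    ("winrar_password_archive",
     re.compile(r"winrar.*\s-hp", re.I), "collection"),
    ("anydesk_silent_install",
     re.compile(r"anydesk.*--silent", re.I), "persistence"),
]


def match_event(event):
    """Return the list of (rule_name, tactic) pairs whose pattern hits this event."""
    return [(name, tactic) for name, pattern, tactic in RULES
            if pattern.search(event["cmdline"])]


def scan(events):
    """Run every rule over every event and return one alert dict per hit."""
    alerts = []
    for ev in events:
        for name, tactic in match_event(ev):
            alerts.append({"host": ev["host"], "user": ev["user"],
                           "rule": name, "tactic": tactic, "cmdline": ev["cmdline"]})
    return alerts


def tactics_by_host(alerts):
    """Group observed tactics per host; a host showing several stages is the one to triage first."""
    by_host = {}
    for a in alerts:
        by_host.setdefault(a["host"], set()).add(a["tactic"])
    return by_host


def accounts_spanning_hosts(alerts):
    """Accounts that alerted on more than one host, a cheap pivot for tracing lateral movement."""
    hosts_per_user = {}
    for a in alerts:
        hosts_per_user.setdefault(a["user"], set()).add(a["host"])
    return {u: sorted(h) for u, h in hosts_per_user.items() if len(h) > 1}


if __name__ == "__main__":
    found = scan(SAMPLE_EVENTS)
    for a in found:
        print(f"{a['host']:9} {a['user']:16} {a['rule']:28} {a['tactic']}")
    print("tactics per host:", tactics_by_host(found))
    print("accounts on multiple hosts:", accounts_spanning_hosts(found))
```

The rules are deliberately narrow on invocation style (a ProcDump command naming lsass, a WMIC call with `/node:`, a PsExec UNC target, a WinRAR archive with a header password, an AnyDesk silent install) because all five tools have routine administrative uses; in production these would be tuned against the environment's own baseline and joined with parent-process and network-connection data rather than run on command lines alone.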

“The length of time that Antlion was able to spend on victim networks is notable, with the group able to spend several months on victim networks, affording plenty of time to seek out and exfiltrate potentially sensitive information from infected organizations. The targeting of Taiwan is perhaps unsurprising given we know Chinese state-backed groups tend to be interested in organizations in that region,” Symantec notes.

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
