Cyber Campaign by TIDRONE Spy Group Against Drone Manufacturers in Taiwan
In a cyber attack campaign starting in 2024, a previously unknown threat actor, likely connected to Chinese-speaking entities, has primarily targeted drone producers in Taiwan.
Trend Micro, which tracks the actor as TIDRONE, assesses the operation to be espionage-motivated given its focus on military-linked industry networks.
The initial access vector has not yet been identified, although Trend Micro's investigation found the use of bespoke malware, the CXCLNT and CLNTEND backdoors, alongside remote desktop utilities such as UltraVNC.
An interesting common aspect among the victims is the usage of the same enterprise resource planning (ERP) software, suggesting the likelihood of a supply chain breach.
The post-compromise activity progresses through three distinct phases: privilege escalation via a User Account Control (UAC) bypass, credential dumping, and defense evasion by disabling antivirus software on the compromised machines.
Both backdoors are launched by DLL side-loading through the Microsoft Word application, after which the threat actors can collect a variety of sensitive data.
CXCLNT includes basic file upload and download capabilities, along with functions for clearing traces, collecting victim information such as file listings and computer names, and fetching additional portable executable (PE) and DLL files for the next stage of execution.
CLNTEND, first observed in April 2024, is a known remote access tool (RAT) that supports a range of network protocols for command-and-control communication, including TCP, HTTP, HTTPS, TLS, and SMB (port 445).
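The side-loading technique described above leaves a recognizable trace in image-load telemetry: the Word process loading a DLL from outside its install directory, or one that is not Microsoft-signed, or the Word binary itself running from a user-writable path. The following triage script is an added example written for this page, not code from Trend Micro or from the TIDRONE tooling. It operates on constructed records that mimic Sysmon Event ID 7 (ImageLoad) fields; the trusted directory list and all paths are assumptions for a default 64-bit Office install and should be tuned to the estate.

```python
"""Flag DLL side-loading through Microsoft Word in Sysmon-style image-load events.

Added example for illustration only: the records in SAMPLE_EVENTS are
constructed, and the field names (EventID, Image, ImageLoaded, Signed,
Signature) follow Sysmon Event ID 7.  TRUSTED_DIRS is an assumption for a
default 64-bit Office install and will need tuning for a real estate.
"""
import json
from pathlib import PureWindowsPath

# Directories from which WINWORD.EXE is expected to load DLLs (assumption).
TRUSTED_DIRS = (
    r"C:\Program Files\Microsoft Office\root",
    r"C:\Program Files\Common Files\Microsoft Shared",
    r"C:\Windows\System32",
    r"C:\Windows\SysWOW64",
    r"C:\Windows\WinSxS",
)

# Constructed sample events: a benign load, a copied winword.exe side-loading
# a look-alike wwlib.dll from a user-writable directory, a non-Microsoft DLL
# loaded by the real Word binary, and an unrelated process-creation event.
SAMPLE_EVENTS = [
    {"EventID": 7,
     "Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "ImageLoaded": r"C:\Program Files\Microsoft Office\root\Office16\wwlib.dll",
     "Signed": "true", "Signature": "Microsoft Corporation"},
    {"EventID": 7,
     "Image": r"C:\Users\Public\Libraries\winword.exe",
     "ImageLoaded": r"C:\Users\Public\Libraries\wwlib.dll",
     "Signed": "false", "Signature": ""},
    {"EventID": 7,
     "Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "ImageLoaded": r"C:\ProgramData\update\version.dll",
     "Signed": "true", "Signature": "Some Other Publisher"},
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe"},
]


def _under(path: str, root: str) -> bool:
    """Case-insensitive test that `path` lies under directory `root`."""
    p = PureWindowsPath(path)
    r = PureWindowsPath(root)
    return p == r or r in p.parents


def _is_microsoft_signed(event: dict) -> bool:
    """True when Sysmon reports a valid signature from a Microsoft publisher."""
    signed = str(event.get("Signed", "")).lower() == "true"
    return signed and "microsoft" in str(event.get("Signature", "")).lower()


def suspicious_word_loads(events):
    """Return findings for Event ID 7 records where a winword.exe process
    loads a DLL outside TRUSTED_DIRS, loads a DLL that is not Microsoft-signed,
    or is itself running from outside TRUSTED_DIRS."""
    findings = []
    for ev in events:
        if ev.get("EventID") != 7:
            continue
        if PureWindowsPath(ev["Image"]).name.lower() != "winword.exe":
            continue
        dll = ev["ImageLoaded"]
        reasons = []
        if not any(_under(dll, d) for d in TRUSTED_DIRS):
            reasons.append("dll loaded from outside trusted Office/Windows directories")
        if not _is_microsoft_signed(ev):
            reasons.append("dll is not Microsoft-signed")
        if not any(_under(ev["Image"], d) for d in TRUSTED_DIRS):
            reasons.append("winword.exe running from an untrusted path")
        if reasons:
            findings.append({"process": ev["Image"], "dll": dll, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in suspicious_word_loads(SAMPLE_EVENTS):
        print(json.dumps(finding, indent=2))
```

On the constructed records the script reports the two malicious loads and stays silent on the legitimate wwlib.dll. In production, legitimate third-party Word add-ins will trip the signature check, so maintain an allowlist of known publishers and pivot on the second and third reasons (untrusted DLL path, untrusted Word binary path), which are the stronger side-loading indicators.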
Security researchers Pierre Lee and Vickie Su affirmed, “The consistency in file compilation times and the threat actor’s operation time with other Chinese espionage-related activities supports the assessment that this campaign is likely being carried out by an as-yet unidentified Chinese-speaking threat group.”