Upon examining this specimen, we discovered that the command and control (C&C) server was inactive. By analyzing the APIs utilized in the malware and the recorded pcap file from the sandbox report, we deduced potential functionalities. Our conclusion on the backdoor’s capabilities was drawn from comparing the decrypted packet contents with the hardcoded command codes within the malware.
| Command code | Description |
|---|---|
| 0x1001 | Transmit victim information to the C&C server |
| 0x1002 | Execute an action without impact |
| 0x1003 | Initiate a SetEvent operation |
| 0x1004 | Receive unidentified data with uncertain purpose |
| 0x1005 | Erase traces and |
| 0x1006 | Establish persistence by setting a registry entry |
| 0x2001 | Receive the payload size from the C&C server |
| 0x2002 | Acquire a DLL file from the C&C server |
| 0x2003 | Invoke export functions of the DLL received via 0x2002 |
| 0x2004 | UNDEFINED |
| 0x2005 | Verify active connections |
| 0x2007 | Dispatch enumerated files from a designated directory to the C&C server |
Table 1. List of Commands for CXCLNT Backdoor
DLL (Backdoor.CLNTEND)
The final payload is a DLL named “install.dll”. Its InstallSetup export function takes one of three courses of action, depending on a configuration value:
- SvcLoad → Create a service named “CertPropSvce” and load the next payload, ClientEndPoint.dll, into the current process or an svchost process (depending on configuration).
- TaskLoad → Create a scheduled task named “CertificatePropagatione” and inject the next payload, ClientEndPoint.dll, into the current process or an svchost process (depending on configuration).
- Other → Inject the next payload, ClientEndPoint.dll, directly into the current process or an svchost process (depending on configuration).
ClientEndPoint.dll serves as a remote terminal tool that can communicate with the C&C server over any of the following protocols:
- TCP
- HTTP
- HTTPS
- TLS
- SMB (port 445)
In our observations, the threat actors tend to use deceptive domain names for the C&C server, such as symantecsecuritycloud[.]com, microsoftsvc[.]com, and windowswns[.]com, for both CLNTEND and CXCLNT. These domains follow a similar naming strategy intended to mislead investigations of the network infrastructure.
The congruence in file compilation timestamps and the operational timeline of threat actors aligning with other espionage activities associated with China indicates that this campaign is likely conducted by an unidentified Chinese-speaking threat collective. The observed incidents were highly precise and narrowly focused. The emphasis on military-related sectors, especially drone manufacturers, implies an espionage motive due to the sensitive data typically stored by these entities. This reinforces the speculation that TIDRONE is participating in espionage endeavors.
Because the threat actors consistently use WinWord.exe as the parent process, organizations can defend against TIDRONE attacks by watching for the following patterns:
- WinWord.exe (sha256: 8cfb55087fa8e4c1e7bcc580d767cf2c884c1b8c890ad240c1e7009810af6736) spawning cmd.exe as a child process, a result of the remote shell functionality.
- WinWord.exe (sha256: 8cfb55087fa8e4c1e7bcc580d767cf2c884c1b8c890ad240c1e7009810af6736) with “-s” as the first argument on the command line.
- WinWord.exe (sha256: 8cfb55087fa8e4c1e7bcc580d767cf2c884c1b8c890ad240c1e7009810af6736) with either “/SvcLoad” or “/TaskLoad” as the final argument on the command line.
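The three WinWord.exe patterns above, together with the service and task names created by install.dll, can be turned into simple detection rules. The following is an added example and not code from the original report; the event dictionaries are a constructed, simplified stand-in for EDR or Sysmon process-creation, service-creation and scheduled-task records, and their field names (`image`, `sha256`, `cmdline`, `parent_image`, `parent_sha256`, `name`) are assumptions. The only values taken from the report are the WinWord.exe hash, the argument strings, and the two persistence names.

```python
"""Detection checks for the TIDRONE process-tree and persistence patterns.

Added example, not code from the original report. The event dicts are a
constructed, simplified stand-in for EDR/Sysmon records; field names are
assumptions made for this example.
"""
from __future__ import annotations

# sha256 of the WinWord.exe parent image listed in the report
WINWORD_SHA256 = "8cfb55087fa8e4c1e7bcc580d767cf2c884c1b8c890ad240c1e7009810af6736"

# Persistence names created by install.dll (from the report). Both resemble the
# legitimate Windows "CertPropSvc" / "Certificate Propagation" names, so compare
# the full string rather than a prefix.
MALICIOUS_SERVICE_NAME = "certpropsvce"
MALICIOUS_TASK_NAME = "certificatepropagatione"


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def split_cmdline(cmdline: str) -> list[str]:
    """Naive Windows command-line tokenizer: whitespace split, quotes stripped.

    Sufficient for the patterns here; quoted paths containing spaces would
    need CommandLineToArgvW semantics in a production rule."""
    return [tok.strip('"') for tok in cmdline.split()]


def is_suspect_winword(image: str, sha256: str) -> bool:
    """True if the image is WinWord.exe with the hash given in the report."""
    return basename(image) == "winword.exe" and sha256.lower() == WINWORD_SHA256


def check_process_event(ev: dict) -> list[str]:
    """Return the names of the rules that fire on one process-creation event."""
    hits = []
    # Rule 1: WinWord.exe (report hash) spawning cmd.exe (remote shell)
    if (is_suspect_winword(ev.get("parent_image", ""), ev.get("parent_sha256", ""))
            and basename(ev.get("image", "")) == "cmd.exe"):
        hits.append("winword_spawns_cmd")
    if is_suspect_winword(ev.get("image", ""), ev.get("sha256", "")):
        args = split_cmdline(ev.get("cmdline", ""))[1:]  # drop argv[0]
        # Rule 2: "-s" as the first argument
        if args and args[0] == "-s":
            hits.append("winword_first_arg_dash_s")
        # Rule 3: /SvcLoad or /TaskLoad as the final argument (case-insensitive)
        if args and args[-1].lower() in ("/svcload", "/taskload"):
            hits.append("winword_last_arg_svcload_taskload")
    return hits


def check_persistence_event(ev: dict) -> list[str]:
    """Return the rule names that fire on a service or scheduled-task creation event."""
    name = ev.get("name", "").lower()
    if ev.get("type") == "service" and name == MALICIOUS_SERVICE_NAME:
        return ["install_dll_service_name"]
    if ev.get("type") == "task" and name == MALICIOUS_TASK_NAME:
        return ["install_dll_task_name"]
    return []


def scan(events: list[dict]) -> dict[str, list[str]]:
    """Map event id -> rules fired, omitting events with no hits."""
    out = {}
    for ev in events:
        hits = (check_process_event(ev) if ev.get("type") == "process"
                else check_persistence_event(ev))
        if hits:
            out[ev["id"]] = hits
    return out


# Constructed sample events (not taken from the report)
SAMPLE_EVENTS = [
    {"id": "e1", "type": "process", "image": r"C:\Windows\System32\cmd.exe",
     "sha256": "0" * 64, "cmdline": "cmd.exe",
     "parent_image": r"C:\Users\Public\WinWord.exe", "parent_sha256": WINWORD_SHA256},
    {"id": "e2", "type": "process", "image": r"C:\Users\Public\WinWord.exe",
     "sha256": WINWORD_SHA256, "cmdline": r'"C:\Users\Public\WinWord.exe" -s',
     "parent_image": r"C:\Windows\explorer.exe", "parent_sha256": "1" * 64},
    {"id": "e3", "type": "process", "image": r"C:\Users\Public\WinWord.exe",
     "sha256": WINWORD_SHA256, "cmdline": r'"C:\Users\Public\WinWord.exe" -s /SvcLoad',
     "parent_image": r"C:\Windows\explorer.exe", "parent_sha256": "1" * 64},
    # Ordinary Word launch with a different hash: no rule should fire
    {"id": "e4", "type": "process", "image": r"C:\Office16\WINWORD.EXE",
     "sha256": "2" * 64, "cmdline": r'"WINWORD.EXE" /n report.docx',
     "parent_image": r"C:\Windows\explorer.exe", "parent_sha256": "1" * 64},
    {"id": "e5", "type": "service", "name": "CertPropSvce"},
    {"id": "e6", "type": "task", "name": "CertificatePropagation"},  # no trailing "e": not the malicious name
]

if __name__ == "__main__":
    for event_id, rules in scan(SAMPLE_EVENTS).items():
        print(event_id, rules)
```

The hash comparison is what keeps rules 2 and 3 from firing on every Word launch with unusual switches; the persistence check deliberately requires an exact name match because the malicious names differ from their legitimate look-alikes by a single trailing character.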
This study examined TIDRONE, a threat actor linked to Chinese-speaking entities. Incidents were detected in Taiwan, primarily in military-related sectors, specifically drone manufacturing. The activity involves sophisticated malware variants such as CXCLNT and CLNTEND, distributed through ERP software or remote workspaces. Understanding the technical specifics of this activity helps users stay informed about such threats.
Organizations can adopt various measures to protect themselves against these threats, including:
- Obtain software only from reputable sources
- Remain cautious of social engineering lures that serve as entry points for attacks
- Deploy antimalware solutions to identify early indicators of compromise anywhere within the system
Trend Micro Vision One provides multi-tiered protection across diverse environments. With comprehensive prevention, detection, and response features, it fortifies systems against breaches and intrusions.
