CyberWire Daily - A fight to defend Taiwan financial institutions. [Research Saturday]
Episode Date: April 16, 2022
Alan Neville from Symantec/Broadcom joins Dave Bittner on this episode to discuss Antlion, a Chinese state-backed hacker group that is using custom backdoors to target financial institutions in Taiwan. Symantec's blog shares the research behind the attacks and how the backdoor allowed the attackers to run WMI commands remotely. Symantec's research showed that "The goal of this campaign appears to have been espionage, as we saw the attackers exfiltrating data and staging data for exfiltration from infected networks." They have since found that this attack has been going on over the course of the past 18 months, in which 250 days were spent on the financial organization and around 175 days were spent on the manufacturing organization. The research can be found here: Antlion: Chinese APT Uses Custom Backdoor to Target Financial Institutions in Taiwan
Transcript
You're listening to the CyberWire Network, powered by N2K.
Hello everyone and welcome to the CyberWire's Research Saturday.
I'm Dave Bittner and this is our weekly conversation with researchers and analysts
tracking down threats and vulnerabilities,
solving some of the hard problems of protecting ourselves in a rapidly evolving cyberspace. Thanks for joining us.
This was something that had been initially submitted to us by a customer, and then we
were able to discover that submission that had come through was actually something new.
That's Alan Neville.
He's a principal threat intelligence analyst at Symantec.
The research we're discussing today is titled Antlion: Chinese APT uses custom backdoor to target financial institutions in Taiwan.
And as we dug further into it, investigating, we were able to kind of tie lines back to a group that we've already been tracking since at least 2015, which are known internally as Antlion.
Well, before we dig into the details of this particular case, what can you tell us about Antlion?
Well, Antlion are a group that, as I mentioned before, we first began tracking way back in 2015.
And that was in the wake of Operation Tropic Trooper.
And that was a campaign that was predominantly targeting Taiwan and the Philippines at the time.
And during that time, we were able to assess that the group had been active since probably at least
early 2011. The group since then have continued their attacks, they've evolved some of their tools,
some of their tactics to gain footholds into different organizations, move across their
networks and ultimately steal information for the purposes of espionage all while being able to
remain under the radar. I suppose since 2011 Antlion have been
observed targeting, like, activists that we've seen, and organizations in Taiwan, Hong Kong, India,
Vietnam and even up to, like, the Philippines as well, just to name some of them, and that's across
industries such as, like, government, healthcare, media, military, that we've seen in the past.
And I suppose more recently, we've observed Antlion shift their focus away from some of
those sectors and began targeting financial organizations in Taiwan, being able to remain
effectively active and undiscovered for almost a year in some cases,
sifting through those networks and stealing data.
Well, let's go through this particular case.
I mean, in the research that you posted, you have a case study here.
Can we walk through that together?
So the case study that we actually had was essentially one of the organizations that
we had seen, one of the financial organizations that we've been seeing here in Taiwan.
Essentially, during that investigation, we identified a new loader and a backdoor component,
which we've dubbed XPAC,
which was on some of the compromised systems
within that organization.
Essentially, when we start analyzing the malware,
we've seen that it was written in .NET
and is essentially used to read the contents of a bin file,
or a file that has a .bin extension.
And that essentially is used to decrypt and then load malware
as a service that's stored in that bin file.
And it seems XPAC and its associated payloads were mainly used
as part of initial access, predominantly used to execute system commands,
drop subsequent malware and tools, and stage some data
for exfiltration
at later stages as well.
And this effectively allowed the attackers extensive access to the victims' machines,
whereby they were able to perform arbitrary code execution via WMI commands, upload or
download files, install whatever additional tools that they needed to assist them in moving
across a network and locate systems and
files of interest essentially. Some of the commands that we've kind of documented within the blog
are kind of indicators of how they perform this lateral movement and this kind of data
exfiltration as well and we had seen them even deploying other malware tools like key loggers
onto these compromised machines. They had used other tools that we had come across as well called JPEG
Run, CheckID, both of which are loaders and appears to be
custom ones that are written in C++.
Even to the point where they borrowed some of the code from some known Chinese
remote access tools known as Blackhole.
Now, one of the things that's remarkable here is, as you point out in the research,
is how long they were able to stay in systems.
How were they able to go so long and stay undetected?
Through the use of custom tools and essentially by being able to encrypt their payloads,
which were difficult to detect, coupled with the use of some of the living-off-the-land tools.
So these are like tools that could be used legitimately
by system administrators,
which are then again kind of hide malicious activity
that are being performed by the attackers.
And they're able to use these tools
to essentially move through the network,
install some of their additional custom malware,
and then be able to even identify systems of interest,
sit on them for long periods of time to monitor the activity in those machines,
identify files that might be of interest to the group,
and then essentially start moving to exfiltrate that data.
And in this particular case, what was the thing that tipped their hand? I mean,
what was it that had this client reach out to all of you?
So as part of the normal day-to-day work,
we look for and hunt for this type of activity. And what we've actually done in our team
is help to build analytics, which can identify suspicious activity based on all the other
activity that
we've seen across our customer base.
And this essentially generates incidents which then we can then drill into.
And in this case, we had seen a suspicious incident in this customer, along with some
submissions from that customer as well.
And as we analyze this and built out the investigation, we start realizing very quickly that this
was something much bigger than just some cyber crime malware that was being present on these machines.
Can you highlight that?
I mean, I think this really points out the utility of active threat hunting, you know, rather than just, you know, having detectors running.
This seems like a case where that strategy really paid off.
Yeah, for sure.
Some of the things that we'd always recommend,
particularly for any organizations,
for this type of activity is enable logging of PowerShell.
Obviously, that's used everywhere, restricting RDP access,
things like that.
But by monitoring that type of activity, it can be a really good indicator for activity
that's not normal within an organization.
And they can highlight some particularly interesting either machines or things that are happening
that investigators can dig into for this type of threat-hunting activity.
Do you have any sense for what the initial infection vector might have been?
So there was no, I suppose, smoking gun; however, we did observe Antlion abusing an MS SQL service
to execute system commands, specifically certutil, which again is a Windows living-off-the-land
tool.
The command they actually executed was to download their malware, which indicates that
the most likely infection vector was exploitation of some web application or some service.
Traditionally, Antlion are known to use malicious emails
to install their backdoors to gain that initial access to victims' networks.
And I'd probably expect they'd continue to use this method as well
as a means to gain access to other organizations.
What does it seem like Antlion are after here?
Is this primarily an espionage operation?
Yeah, so it looks like from
all the activity that we were able to track since 2015 right up until recently,
it's clear that the group are performing espionage type activities.
We were able to see that the identified systems
or files of interest that the attackers focused on
were generated to exfiltrate some of
these files. So for example, we observed them deploying legitimate versions of archiving tools
to these systems, essentially to collect files. And even in one instance, we saw them archiving
entire version control repositories, which likely contained, like, intellectual property and
other sensitive information for that organization. They would then password protect these archives and then use combinations of PowerShell and
BITS transfer modules to upload the data to attacker-controlled infrastructure.
Even in addition to that, we had also seen the attackers interact with legitimate software
via their backdoor, which may suggest they were interested in collecting additional information.
Like examples of some of the software we did see them interact with was used for business
contact information, software relating to bidding for contracts, money transfers and
investments, software used to read smart cards and all of this type of software can be used
by the attackers to find additional targets of interest, build a picture of the type of work and contracts the companies are currently undertaking
or what they're planning to work on in the future and with whom,
the current financial state of organizations,
and even possibly provide information on company employees as well.
I'm curious, when you and your team find an organization like this inside of a client's systems,
and it becomes clear to you that they've been in there for a while,
to what degree do you go about kicking them out as quickly as possible?
And to what degree do you take advantage of the opportunity to kind of watch what they're doing for a little while?
Yeah, so obviously our mandate is protection first.
We want to ensure that all our customers are protected.
We ensure that detection is added across our entire technology stack from file detection,
network detection, etc.
And we want to be able to train some of our analytics to identify some of these tools,
tactics, and procedures that the group are using
so we can track some of that activity as well in the future.
Part of our standard process would always be outreach to the customer.
We'd engage with them.
We'd inform them that we found this activity.
We'd provide assistance for remediation and mitigation.
And we'd also kind of guide them through on their security teams
in removing or kicking out that actor.
So what are your recommendations for other organizations
to protect themselves against this specific group?
I suppose all organizations who believe that they could be a target of Antlion
or even kind of similar groups
should essentially adopt a defense in depth strategy
using multiple detection, protection, hardening
technologies to mitigate risks at all points of the potential attack chain. Things like monitoring
dual-use tools inside your network and, things like I said before, enabling logging of PowerShell and
restricting RDP access should all be implemented. Proper auditing of control and administrative account usage
and two-factor authentication
should be introduced wherever possible
to help limit the usefulness of some of the compromised credentials.
I'd also suggest checking out some of the indicators
that are published on our blog as well.
Review the protection information
and work with your security teams
to ensure measures have been taken to detect and block all this activity across your organization.
How about determining the origin of this actor?
I mean, how do you determine whether or not you think it's a nation state?
So during our investigation, there were a few indicators,
such as the targeting that was being performed, the tools that had been used,
and even how the attackers operated and supported,
which all supported the theory that the attackers were a nation-state-backed Chinese group.
So, for example, during the investigation,
we were able to find some indications
that the operators behind Antlion spoke traditional Chinese.
When the attackers became active on some of the compromised machines,
they firstly changed the code page
to traditional Chinese.
Some of the tools, like the archiving
tools that they had deployed,
which essentially they were used to
collect and exfiltrate some of the files
from targeted organizations, were also
simplified Chinese tools as well
or versions of those tools.
A lot of the malware tools
are Chinese-language hack tools as well, even down to some of their custom tools, which would be based
on other Chinese tools that are all freely available online. And I suppose these types of
indicators, coupled with their targeting as well and the ability to infiltrate and remain active on
multiple networks at the same time, all suggest that they're, I suppose, well-resourced,
organized in some fashion,
and likely a Chinese nation-state-backed actor.
Our thanks to Alan Neville from Symantec for joining us.
The research is titled Antlion.
Chinese APT uses custom backdoor to target financial institutions in Taiwan.
We'll have a link in the show notes.
The CyberWire podcast is proudly produced in Maryland at the startup studios of DataTribe,
where they're co-building the next generation
of cybersecurity teams and technologies.
Our amazing CyberWire team is Liz Irvin,
Elliott Peltzman, Tré Hester, Brandon Karpf,
Eliana White, Puru Prakash, Justin Sabie,
Tim Nodar, Joe Carrigan, Carole Theriault,
Ben Yelin, Nick Veliky, Gina Johnson,
Bennett Moe, Chris Russell, John Petrik,
Jennifer Eiben, Rick Howard,
Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here next week.