Antlion, a Chinese state-backed APT group, has been observed using a new backdoor that let it stay hidden on victim networks for as long as 250 days. Dubbed xPack, the custom malware was used against manufacturing and financial organizations.

Diving into details

The malware was used in a cyberespionage campaign against Taiwanese targets that lasted at least 18 months, spanning 2020 and 2021. xPack allowed the threat actors to execute commands remotely via WMI, interact with SMB shares to transfer files, and route web traffic through the compromised host, using the backdoor as a proxy to hide their own IP address. Moreover, evidence suggests that they leveraged EternalBlue exploits for lateral movement. Antlion has mainly targeted financial firms in Taiwan and exfiltrated business contact information, investment software, and transaction data.

Technical ins and outs

  • xPack is a .NET loader that decrypts and runs an AES-encrypted payload; once running, it lets the operators execute system commands and stage data for exfiltration.
  • The custom tools used along with xPack include C++ loaders (EHAGBPSL, JpgRun, and CheckID), an SMB session enumeration tool (NetSessionEnum), a bind/reverse file transfer tool (ENCODE MMC), and a Kerberos golden ticket tool.
  • Antlion, in addition to the above, used living-off-the-land and off-the-shelf tools so that most of its activity blended in with normal administration and did not raise security alarms.
  • Furthermore, the APT actor exploited CVE-2019-1458, a Windows Win32k elevation-of-privilege flaw, for privilege escalation and, combined with remote task scheduling, to execute the backdoor.

The bottom line

Experts believe that the threat group has been active since at least 2011, and this latest campaign exhibits the group's growing prowess. The length of time it was able to remain hidden is noteworthy. It is, furthermore, possible that the group shared the stolen data with other Chinese threat groups that have different areas of operational focus, as such collaboration among state-backed actors is common.

Cyware Publisher