A previously undocumented threat actor with likely ties to Chinese-speaking groups has predominantly singled out drone manufacturers in Taiwan as part of a cyber attack campaign that commenced in 2024.
Trend Micro is tracking the adversary under the moniker TIDRONE, stating the activity is espionage-driven given the focus on military-related industry chains.
The exact initial access vector used to breach targets is presently unknown, with Trend Micro's analysis uncovering the deployment of custom malware such as CXCLNT and CLNTEND using remote desktop tools like UltraVNC.
An interesting commonality observed across different victims is the presence of the same enterprise resource planning (ERP) software, raising the possibility of a supply chain attack.
The attack chains subsequently go through three different stages that are designed to facilitate privilege escalation by means of a User Account Control (UAC) bypass, credential dumping, and defense evasion by disabling antivirus products installed on the hosts.
Both the backdoors are initiated by sideloading a rogue DLL via the Microsoft Word application, allowing the threat actors to harvest a wide range of sensitive information,
CXCLNT comes equipped with basic upload and download file capabilities, as well as features for clearing traces, collecting victim information such as file listings and computer names, and downloading next-stage portable executable (PE) and DLL files for execution.
CLNTEND, first detected in April 2024, is a discovered remote access tool (RAT) that supports a wider range of network protocols for communication, including TCP, HTTP, HTTPS, TLS, and SMB (port 445).
"The consistency in file compilation times and the threat actor's operation time with other Chinese espionage-related activities supports the assessment that this campaign is likely being carried out by an as-yet unidentified Chinese-speaking threat group," security researchers Pierre Lee and Vickie Su said.
Update
Cybersecurity firm Acronis has published its own findings into the campaign, which it has dubbed Operation WordDrone, stating it observed the attacks between April and July 2024.
The intrusions are also characterized by the use of a technique called Blindside to evade detection by endpoint detection and response (EDR) software prior to deploying CLNTEND (aka ClientEndPoint).
Acronis further revealed that the malicious artifacts were detected inside the folder of a Taiwanese ERP software called Digiwin, alluding to the possibility of either a supply chain attack or the exploitation of a security flaw in the product to gain initial access.
"There are about a dozen companies in Taiwan participating in drone manufacturing — often for OEM purposes — and even more if we look at their global aerospace industry," the Singapore-based company said.
"The country has always been a U.S. ally, and that, coupled with Taiwan's strong technological background, makes them a prime target for adversaries interested in military espionage or supply chain attacks."
