In 2024, an unidentified cyber threat cluster known as TIDRONE emerged, demonstrating a particular interest in military-related industries, with a focus on drone manufacturers in Taiwan. Linked to Chinese-speaking groups, this threat actor has been deploying advanced malware to infiltrate organizations involved in sensitive sectors like satellite and defense. Using tools such as CXCLNT and CLNTEND, TIDRONE’s tactics are sophisticated, leveraging enterprise resource planning (ERP) software and remote desktops to execute attacks.
Unveiling TIDRONE’s Interest in Military-Grade Industries
The cyberattack landscape has seen a surge in highly targeted espionage campaigns, and TIDRONE is no exception. Since early 2024, TIDRONE has been involved in several incidents targeting Taiwan’s military and satellite industries. Our research into these incidents indicates that TIDRONE uses a combination of advanced malware, remote access tools (RATs), and command and control (C2) techniques to infiltrate and collect sensitive information.
The primary targets in this campaign are drone manufacturers in Taiwan, which play a critical role in the global defense supply chain. The industries targeted hold highly sensitive data, making them prime targets for espionage operations designed to steal intellectual property and gain military intelligence.
Tools of the Trade: CXCLNT and CLNTEND Malware
One of the key tools in TIDRONE’s arsenal is CXCLNT, a malware that allows attackers to upload and download files, clear traces of their activity, and collect detailed victim information. This malware also has the capability to download additional payloads, often in the form of portable executable (PE) files, for further execution.
Another tool recently identified is CLNTEND, a remote access tool (RAT) first discovered in April 2024. CLNTEND supports a wide range of network protocols, making it versatile and difficult to detect. During the post-exploitation phase, TIDRONE has been observed using several advanced tactics, including:
- User Account Control (UAC) bypass techniques
- Credential dumping
- Hacktool usage to disable antivirus products
These techniques help TIDRONE maintain persistence within a compromised network while avoiding detection by traditional security measures.
Execution Flow and Malware Deployment
TIDRONE’s attacks follow a well-defined execution flow, beginning with the initial compromise of the victim’s environment, often through ERP systems or remote desktop tools like UltraVNC. Once inside the system, the malware is deployed, allowing the attackers to move laterally and escalate privileges.
A typical attack involves replacing legitimate executables with malicious versions. For example, in the case of winsrv.exe, the malware copies the token from Winlogon.exe to escalate privileges, allowing the attackers to perform malicious activities undetected. The legitimate Update.exe is then replaced with a version provided by the threat actors, allowing the malware to execute its payloads without arousing suspicion.
During the post-exploitation phase, TIDRONE often disables antivirus products, clears traces of its activity, and collects credentials for further exploitation.
Advanced Techniques: Loaders and Anti-Analysis
TIDRONE uses multiple loaders to initiate their malware, each version demonstrating increased sophistication. In their first version, TIDRONE’s loaders create a persistent service on the victim’s machine, setting the service name as ASProxys and ensuring the process restarts upon every execution. The loaders decrypt shellcode to execute the payloads, leveraging the RtlDecompressBuffer API to decrypt PE files and execute them.
In the second version of the loader, TIDRONE has integrated advanced anti-analysis techniques, including:
- Entry point verification from the parent process to prevent detection by security tools.
- Hooking widely-used APIs, such as GetProcAddress, to alter execution flow and complicate malware analysis.
- Anti-antivirus measures, including API callback functions that prevent detection by security software.
These loaders bypass common detection methods, making them harder for traditional antivirus programs to catch. The malware does not use standard APIs like CreateThread to start new threads, further complicating analysis.
Backdoor Analysis: CXCLNT and CLNTEND
TIDRONE uses two distinct backdoors, each with its own set of capabilities. The CXCLNT backdoor collects a variety of victim information, including IP addresses, MAC addresses, computer names, and system architecture. By analyzing packet transmission, we identified an intricate encryption scheme used by the malware to protect the stolen data.
CLNTEND, on the other hand, is a flexible backdoor that injects payloads into the svchost process, establishing a remote shell for communication with the C2 server. This backdoor supports multiple communication protocols, including TCP, HTTP, HTTPS, TLS, and SMB. The backdoor utilizes domains that mimic legitimate services, such as symantecsecuritycloud[.]com and microsoftsvc[.]com, making it harder for network defenders to detect malicious traffic.
Attribution to Chinese-Speaking Threat Actors
Based on our investigation, we have strong evidence that TIDRONE is likely operated by a Chinese-speaking espionage group. The campaign’s timing, focus on military industries, and sophisticated malware tools are consistent with previous espionage activities attributed to Chinese state-sponsored actors.
The consistency in file compilation times and operation timelines also aligns with other Chinese espionage-related campaigns. Given the highly targeted nature of the attacks and the sensitive data involved, we believe that TIDRONE’s primary motivation is espionage.
Defending Against TIDRONE
To defend against TIDRONE’s attacks, organizations must stay vigilant, particularly those in the military and satellite industries. Our research identified several indicators of compromise (IOCs) that can help security teams detect and mitigate these threats:
- WinWord.exe with a child process cmd.exe, indicating potential remote shell functionality.
- The presence of malicious command lines with arguments such as “-s” and “/SvcLoad”, commonly used by TIDRONE’s malware to establish persistence.
Conclusion
TIDRONE represents a significant threat to the military and satellite industries in Taiwan, using advanced malware and sophisticated techniques to infiltrate networks and steal sensitive data. The tools CXCLNT and CLNTEND have been central to their operations, allowing them to maintain persistence and evade detection.
Organizations operating in critical industries should prioritize implementing robust cybersecurity defenses to protect against this evolving threat. By staying informed of the latest tactics, techniques, and procedures (TTPs), security teams can better defend against espionage activities like those conducted by TIDRONE.