The Chinese state-sponsored threat group known as Antlion has targeted at least six financial institutions in Taiwan over the past 18 months, installing a custom backdoor program on compromised systems and exfiltrating sensitive data from the companies.
The cyber-espionage group maintained a long-term presence in victims’ networks, exploring one manufacturing firm’s network for nearly six months and a financial organization for more than eight months, Symantec, the security division of Broadcom, stated in its analysis on the campaign. In the past, Antlion — sometimes known as Pirate Panda and Tropic Trooper — has conducted espionage on targets in a number of countries located near the South China Sea, such as India, Vietnam, and the Philippines.
More recently, the Antlion group has targeted mainly financial organizations in Taiwan, using living-off-the-land techniques to steal business contact information, transaction data, and investment software, says Alan Neville, an analyst on Symantec’s Threat Hunter Team.
“We can only speculate on their true goal,” he says. “It’s clear the group are well organized and professional in that we can see the attackers remained active on compromised networks for long periods of time and were able to conduct these attacks against financial organizations in parallel.”
The attacks coincide with increasing tensions between China and Taiwan over its political status. Over the last year, China has increased military activity near Taiwan, and the cyberattacks appear to be an extension of that policy.
In the latest analysis, Symantec’s threat-hunting team linked the cyber-espionage group to intrusions into two different financial institutions and a manufacturing company. However, Neville clarifies that, over the past year, the threat hunting team has investigated attacks against six financial institutions, a departure from Antlion’s typically broader range of targets in the government, transportation, and media sectors.
Among common elements in Antlion’s arsenal is a custom backdoor called xPack that allowed the attackers extensive access to compromised systems by issuing Windows Management Instrumentation (WMI) commands remotely. The attackers also apparently used SMB shares to allow files to be copied from the compromised systems to newly infected machines. The group also conducted broad searches for credentials and exfiltrated the sensitive information for later use.
The xPack backdoor is a custom .NET loader focused on the initial access, allowing new features to be downloaded, decrypted, and executed on compromised machines.
In a December 2020 intrusion of a financial company, the attackers used WMI commands to gather information on the compromised system and within minutes dumped the credentials, according to Symantec’s analysis. During the end-of-the-month holidays, the attackers moved laterally to other systems, continuing to collect credentials until early summer 2021.
“Antlion is believed to have been involved in espionage activities since at least 2011, and this recent activity shows that it is still an actor to be aware of more than 10 years after it first appeared,” Symantec’s Threat Hunting Team stated in the analysis. “The length of time that Antlion was able to spend on victim networks is notable, with the group able to spend several months on victim networks, affording plenty of time to seek out and exfiltrate potentially sensitive information from infected organizations.”
How to Defend Against Antlion-Type Attacks
Because of the group's use of WMI commands, SMB shares, and other living-off-the-land techniques, companies should monitor the use of dual-use programs inside the network, enforcing policies such as keeping PowerShell up to date and allowing RDP only from specific, known IP addresses, Symantec’s Neville says.
“Many of these tools are used by attackers to move laterally undetected through a network,” he says. “Broadly speaking, [companies] should adopt a defense-in-depth strategy, using multiple detection, protection, and hardening technologies to mitigate risk at each point of the potential attack chain.”
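The monitoring Neville recommends can be sketched as a small triage pass over endpoint telemetry. The script below is an added example, not code from Symantec or from the article; it assumes an agent that normalizes Sysmon process-creation events (ID 1) and Windows Security logon events (ID 4624) into the dictionary shape shown, and the event records, host names, allowlist network and dual-use binary list are all constructed for illustration. It flags the three patterns the article names from a defender's side: processes spawned by the WMI provider host (how a remotely issued WMI command typically appears on the target), `net use` mappings of administrative SMB shares, and RDP logons (logon type 10) from addresses outside a known jump-host range.

```python
"""Triage constructed Windows telemetry for the living-off-the-land patterns
described in the article: remote WMI command execution, SMB admin-share use,
RDP from unexpected addresses, and dual-use binaries worth baselining.
Added example; every record below is constructed, not from Symantec's report."""
import ipaddress

# Assumption: events are dicts normalized from Sysmon Event ID 1 (process
# creation) and Security Event ID 4624 (logon). Hosts and commands are made up.
SAMPLE_EVENTS = [
    {"id": 1, "host": "FIN-WS01", "image": r"C:\Windows\System32\cmd.exe",
     "parent": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "cmdline": "cmd.exe /c whoami"},
    {"id": 1, "host": "FIN-WS01", "image": r"C:\Windows\System32\net.exe",
     "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"net use \\FIN-WS02\C$ /user:corp\svc_backup"},
    {"id": 1, "host": "FIN-WS02", "image": r"C:\Windows\System32\notepad.exe",
     "parent": r"C:\Windows\explorer.exe", "cmdline": "notepad.exe"},
    {"id": 4624, "host": "FIN-WS02", "logon_type": 10, "user": "corp\\svc_backup",
     "src_ip": "10.9.8.7"},
    {"id": 4624, "host": "FIN-WS02", "logon_type": 10, "user": "corp\\admin",
     "src_ip": "10.1.50.12"},
    {"id": 4624, "host": "FIN-WS02", "logon_type": 3, "user": "corp\\svc_backup",
     "src_ip": "10.9.8.7"},
]

# Assumption: the jump-host subnet from which interactive RDP is expected.
RDP_ALLOWLIST = [ipaddress.ip_network("10.1.50.0/24")]

# Illustrative watchlist of dual-use binaries to baseline per host.
DUAL_USE = {"powershell.exe", "wmic.exe", "net.exe", "net1.exe", "psexec.exe"}


def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def wmi_spawned(events):
    """Process creations whose parent is the WMI provider host."""
    return [e for e in events
            if e["id"] == 1 and basename(e["parent"]) == "wmiprvse.exe"]


def smb_admin_share_use(events):
    """net.exe / net1.exe mapping an administrative share (C$, ADMIN$, IPC$)."""
    hits = []
    for e in events:
        if e["id"] == 1 and basename(e["image"]) in {"net.exe", "net1.exe"}:
            cmd = e["cmdline"].lower()
            if " use " in cmd and any(s in cmd for s in ("c$", "admin$", "ipc$")):
                hits.append(e)
    return hits


def rdp_outside_allowlist(events, allowlist=RDP_ALLOWLIST):
    """Logon type 10 (RemoteInteractive, i.e. RDP) from a non-allowlisted source."""
    hits = []
    for e in events:
        if e["id"] == 4624 and e["logon_type"] == 10:
            ip = ipaddress.ip_address(e["src_ip"])
            if not any(ip in net for net in allowlist):
                hits.append(e)
    return hits


def dual_use_activity(events):
    """Any execution of a watchlisted dual-use binary, for baselining."""
    return [e for e in events
            if e["id"] == 1 and basename(e["image"]) in DUAL_USE]


def triage(events):
    """Findings keyed by category so each can feed its own alert or dashboard."""
    return {
        "wmi_spawned": wmi_spawned(events),
        "smb_admin_share": smb_admin_share_use(events),
        "rdp_unexpected_source": rdp_outside_allowlist(events),
        "dual_use": dual_use_activity(events),
    }


if __name__ == "__main__":
    for category, hits in triage(SAMPLE_EVENTS).items():
        print(f"{category}: {len(hits)} hit(s)")
        for h in hits:
            detail = h.get("cmdline") or f"{h['user']} from {h['src_ip']}"
            print("   ", h["host"], detail)
```

The dual-use category is deliberately noisy: on its own it is a baseline, not an alert, and its value comes from correlating it with the other three categories on the same host within a short window, which is the defense-in-depth layering Neville describes.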