Lately we have learned about yet another campaign run by the APT group Antlion. Presumed to be active since 2011, Antlion is believed to be a government-backed group that has targeted multiple firms in Taiwan in what is presumed to be an espionage campaign. Judging from the concentration on Taiwanese firms and the use of multiple tools, malware, CVEs and in-house tooling, we assess that this cannot be the job of just one or two individuals, but rather is the work of well-built, well-trained groups from China.
Over the course of the attack campaign, Antlion infiltrated financial targets in Taiwan using a custom backdoor called xPack and a few other tools. Following initial access, which was likely gained through web application or service exploitation, or through malicious emails, the group relied heavily on custom C++ tooling and EternalBlue exploits. The tools observed include:
- EHAGBPSL loader – custom loader written in C++ – loaded by JpgRun loader
- JpgRun loader – custom loader written in C++ – similar to xPack, reads the decryption key and filename from the command line – decodes the file and executes it
- CheckID – custom loader written in C++ – based on loader used by BlackHole RAT
- NetSessionEnum – Custom SMB session enumeration tool
- ENCODE MMC – Custom bind/reverse file transfer tool
- Kerberos golden ticket tool based on the Mimikatz credentials stealer
After initial access, the attackers used both custom-built and off-the-shelf malware to execute commands, while also installing keyloggers and running Mimikatz to harvest credentials, and leveraged legitimate company technologies such as WMI commands and SMB shares. This wide set of preliminary actions gave them a firm grip on the network and let them enter and exit as they pleased. The attackers were then able to exfiltrate data whenever they chose, while simultaneously conducting reconnaissance and preparing their next exfiltration packages.
The dominant takeaway from this event is that the attackers (Antlion) acted quietly and patiently. After infiltrating the network, they were able to operate inside it for over a year, returning from time to time to exfiltrate data and credentials as needed. Our assessment is that an actor like this not only planned on not getting caught, but was planning a prolonged stay within the firm. An attack like this has the potential to escalate to Computer Network Attack (CNA) activity within the organization, waiting for a command. Therefore, our suggestion for minimizing both your susceptibility to and the threat from such malicious cyber activity is to monitor and limit the use of system tools such as PowerShell and RDP to specific users, and only from specific IP addresses. This attack not only highlights the importance of a well-tuned EDR and an up-to-date defense system, but also shows the importance of conducting timely threat hunting operations.
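The recommendation above (restrict PowerShell, WMI and RDP to named users and source addresses, and monitor for anything outside that set) can be expressed as a simple allowlist check run over logon and process-creation telemetry. The script below is an added example written for this post, not tooling from the original report or from any vendor. It assumes a hypothetical policy (the `ALLOWED_USERS`, `ALLOWED_NETS` and `MONITORED_TOOLS` values are placeholders) and runs over a handful of constructed, simplified Windows Security events (4624 logons with logon type 10 for RDP, 4688 process creations); the event records are made up for illustration, not real telemetry.

```python
"""Allowlist check for RDP logons and PowerShell/WMI usage.

Added example, not part of the original post. The policy values and
the log records are constructed placeholders.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

# Assumed policy (placeholders): who may use RDP / PowerShell / WMI,
# and from which networks RDP sessions may originate.
ALLOWED_USERS = {"svc-backup", "admin-jsmith"}
ALLOWED_NETS = [ipaddress.ip_network("10.10.5.0/24")]
MONITORED_TOOLS = {"powershell.exe", "pwsh.exe", "wmic.exe"}


@dataclass
class Event:
    """Minimal shape of a Windows Security event as a SIEM might expose it."""
    event_id: int          # 4624 = successful logon, 4688 = process creation
    user: str
    src_ip: str = ""       # only meaningful for 4624
    logon_type: int = 0    # 10 = RemoteInteractive (RDP)
    process: str = ""      # only meaningful for 4688
    cmdline: str = ""


# Constructed sample events (not real logs).
SAMPLE_EVENTS = [
    Event(4624, "admin-jsmith", "10.10.5.21", 10),     # RDP, allowed user, allowed net
    Event(4624, "finance-lee", "10.10.9.77", 10),      # RDP, non-allowlisted user and net
    Event(4624, "admin-jsmith", "203.0.113.50", 10),   # RDP, allowed user, external address
    Event(4624, "finance-lee", "10.10.9.77", 2),       # interactive console logon, not RDP
    Event(4688, "svc-backup", process="powershell.exe",
          cmdline="powershell.exe -NoProfile -File backup.ps1"),
    Event(4688, "finance-lee", process="powershell.exe",
          cmdline="powershell.exe -NoProfile -Command Get-Process"),
    Event(4688, "finance-lee", process="wmic.exe",
          cmdline="wmic process list brief"),
    Event(4688, "finance-lee", process="excel.exe",
          cmdline="excel.exe report.xlsx"),
]


def ip_allowed(ip: str) -> bool:
    """True if the address falls inside one of the allowlisted networks."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        # Malformed or missing source address: treat as not allowed.
        return False
    return any(addr in net for net in ALLOWED_NETS)


def check_event(ev: Event) -> list[str]:
    """Return the policy violations for one event (empty list if it is clean)."""
    reasons: list[str] = []
    if ev.event_id == 4624 and ev.logon_type == 10:
        if ev.user not in ALLOWED_USERS:
            reasons.append(f"RDP logon by non-allowlisted user {ev.user}")
        if not ip_allowed(ev.src_ip):
            reasons.append(f"RDP logon from non-allowlisted address {ev.src_ip}")
    elif ev.event_id == 4688 and ev.process.lower() in MONITORED_TOOLS:
        if ev.user not in ALLOWED_USERS:
            reasons.append(f"{ev.process} launched by non-allowlisted user {ev.user}")
    return reasons


def find_violations(events: list[Event]) -> list[tuple[Event, list[str]]]:
    """Pair every offending event with the reasons it violates the policy."""
    return [(ev, r) for ev in events if (r := check_event(ev))]


if __name__ == "__main__":
    for ev, reasons in find_violations(SAMPLE_EVENTS):
        print(ev.event_id, ev.user, "->", "; ".join(reasons))
```

Running it flags four of the eight constructed events: the RDP logon by a user outside the allowlist (two reasons, user and address), the allowlisted user connecting over RDP from an external address, and the two monitored tools launched by a non-allowlisted user; the console logon and the spreadsheet process are ignored. The point of the design is that ordinary use of the same tools by the approved accounts produces no alert, so the output stays small enough for a threat hunting team to actually review.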