February 08, 2022

Antlion APT Group

Industry: Financial & Manufacturing | Level: Tactical | Source: Symantec

Symantec reports on threat activity from Antlion, a Chinese state-backed APT group that has been actively targeting Taiwanese financial institutions for the past 18 months. The group's operations involve long dwell times: in one recent intrusion the attackers were present on a financial organization's network for approximately 250 days, and in another they spent about 175 days on a manufacturing organization's network. The group leverages a custom backdoor, xPack. In a case study, Symantec observed the group running various commands (for example via WMI), exploiting EternalBlue, gathering credentials from the registry, running PsExec, and archiving collected data. There are unexplained gaps in the observed activity, consistent with the group's slow, methodical pace.

  • Anvilogic Use Cases:
    • WinRM Tools
    • Credentials in Registry
    • Remote Admin Tools
    • Locate Credentials
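The following is an added illustration, not code from Symantec or an Anvilogic use case: toy process-creation detections for the behaviours named above (a shell spawned by the WMI provider host, reg.exe saving credential hives, PsExec's service binary, and an archiver staging data), run over constructed Sysmon-style records. Event fields, host names, paths, the rule names and the notion of a dwell-time estimate are all assumptions made for the example; the hive-dump and archiver patterns are one common way these TTPs look, not the specific commands from the report.

```python
"""Toy detections for the Antlion TTPs above, run over constructed events."""
import re
from collections import defaultdict
from datetime import date

# Constructed Sysmon Event ID 1 (process creation) style records. These are
# hypothetical samples for the example, not logs from the Symantec report.
SAMPLE_EVENTS = [
    {"id": 1, "ts": "2021-06-01", "host": "fin-ws01",
     "parent": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd.exe /c "whoami /all > C:\Windows\Temp\w.txt"'},
    {"id": 2, "ts": "2021-06-03", "host": "fin-ws01",
     "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\reg.exe",
     "cmdline": r"reg save HKLM\SAM C:\Windows\Temp\sam.hiv"},
    {"id": 3, "ts": "2021-06-03", "host": "fin-ws01",
     "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\reg.exe",
     "cmdline": r"reg save hklm\security C:\Windows\Temp\sec.hiv"},
    {"id": 4, "ts": "2021-09-20", "host": "fin-dc01",
     "parent": r"C:\Windows\System32\services.exe",
     "image": r"C:\Windows\PSEXESVC.exe",
     "cmdline": r"C:\Windows\PSEXESVC.exe"},
    {"id": 5, "ts": "2022-02-06", "host": "fin-ws01",
     "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Tools\rar.exe",
     "cmdline": r"rar.exe a -hpSecret C:\Windows\Temp\1.rar C:\Users\finance\Documents"},
    # Benign noise the rules must not flag.
    {"id": 6, "ts": "2022-02-06", "host": "fin-ws02",
     "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\reg.exe",
     "cmdline": r"reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"},
    {"id": 7, "ts": "2022-02-06", "host": "fin-ws02",
     "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe /c dir"},
]

SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "rundll32.exe", "mshta.exe"}
ARCHIVERS = {"rar.exe", "winrar.exe", "7z.exe", "7za.exe"}
# reg.exe "save" of a credential-bearing hive (SAM, SECURITY, SYSTEM).
HIVE_DUMP = re.compile(r'\bsave\s+"?(hklm|hkey_local_machine)\\(sam|security|system)\b',
                       re.IGNORECASE)


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def rule_wmi_exec(ev):
    """Shell spawned by the WMI provider host, as remote WMI process creation looks."""
    return basename(ev["parent"]) == "wmiprvse.exe" and basename(ev["image"]) in SHELLS


def rule_reg_hive_dump(ev):
    """reg.exe saving SAM/SECURITY/SYSTEM hives: credentials gathered from the registry."""
    return basename(ev["image"]) == "reg.exe" and bool(HIVE_DUMP.search(ev["cmdline"]))


def rule_psexec(ev):
    """PsExec's service binary on the target, or psexec.exe itself on the source host."""
    return basename(ev["image"]) in {"psexesvc.exe", "psexec.exe"}


def rule_archive_collection(ev):
    """RAR/7-Zip 'a' (add) command: collected data being staged into an archive."""
    tokens = ev["cmdline"].split()
    return basename(ev["image"]) in ARCHIVERS and len(tokens) > 1 and tokens[1].lower() == "a"


RULES = {
    "WMI Process Execution": rule_wmi_exec,
    "Credentials in Registry": rule_reg_hive_dump,
    "Remote Admin Tools": rule_psexec,
    "Archive Collected Data": rule_archive_collection,
}


def run_rules(events):
    """Map event id -> names of the rules that fired on it."""
    hits = {}
    for ev in events:
        names = [name for name, fn in RULES.items() if fn(ev)]
        if names:
            hits[ev["id"]] = names
    return hits


def hosts_with_multiple_ttps(events, min_rules=2):
    """Hosts where several distinct rules fired: the sequence matters more than one hit."""
    per_host = defaultdict(set)
    for ev in events:
        for name, fn in RULES.items():
            if fn(ev):
                per_host[ev["host"]].add(name)
    return {h: sorted(r) for h, r in per_host.items() if len(r) >= min_rules}


def dwell_days(events):
    """Days between the first and last flagged event per host: a rough dwell-time estimate."""
    span = {}
    for ev in events:
        if any(fn(ev) for fn in RULES.values()):
            d = date.fromisoformat(ev["ts"])
            lo, hi = span.get(ev["host"], (d, d))
            span[ev["host"]] = (min(lo, d), max(hi, d))
    return {h: (hi - lo).days for h, (lo, hi) in span.items()}


if __name__ == "__main__":
    for eid, names in run_rules(SAMPLE_EVENTS).items():
        print(eid, names)
    print(hosts_with_multiple_ttps(SAMPLE_EVENTS))
    print(dwell_days(SAMPLE_EVENTS))
```

Each rule on its own is noisy on an administrator's workstation; the per-host roll-up and the first-to-last span are what make months-long, low-volume activity of this kind stand out, which is why the hunt should be run over a retention window long enough to cover dwell times measured in hundreds of days.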