Chinese-Speaking Hackers Linked to Cyberattacks on Drone Technology
A cyber-espionage operation run by a threat actor tracked as TIDRONE has been unveiled by Trend Micro. Researchers report that the threat actor's activity has steadily increased, as seen in Trend Micro's incident response engagements since early 2024. According to Trend Micro, TIDRONE's operations primarily target Taiwan's military-related industry chains, most notably drone manufacturers, with additional attacks affecting sectors such as financial services and satellites across Taiwan, Canada, and Korea. In terms of attribution, TIDRONE is linked to Chinese-speaking groups; its operating hours and tactics align with other Chinese espionage activity, suggesting a likely Chinese origin for these attacks. TIDRONE's ultimate aim appears to be espionage.
"The threat cluster uses enterprise resource planning (ERP) software or remote desktops to deploy advanced malware toolsets such as CXCLNT and CLNTEND," reports Trend Micro. TIDRONE deploys the CXCLNT and CLNTEND malware only after initial access has been established, indicating an earlier infiltration of the networks that has since progressed to the lateral movement phase. The malware is suspected to have been distributed through a supply-chain attack, as a review of the intrusions found the same compromised ERP software to be a common factor among victims. Researchers observed the malware being launched through a compromised UltraVNC remote-access utility, which triggers 'winsrv.exe' to launch 'Update.exe', which in turn side-loads a malicious DLL.
Post-exploitation findings by Trend Micro reveal the extent of TIDRONE's ability to manipulate systems and extract sensitive information. Techniques include bypassing User Account Control (UAC) by altering the Windows registry with 'reg.exe': specifically, modifying the 'DelegateExecute' value and adding a default command under HKCU\Software\Classes\ms-settings\Shell\Open\command so that unauthorized commands run elevated. Credential harvesting is achieved using tools such as 'procdump.exe' to dump LSASS memory and 'cmdkey.exe' to manage stored credentials, often in conjunction with tools like Mimikatz. Additionally, CXCLNT and CLNTEND exhibit anti-analysis properties that complicate efforts to detect and analyze their behavior.
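A small detection pass over the post-exploitation steps described above (a per-user write to the ms-settings handler key, procdump against LSASS, and cmdkey use), run against constructed process-creation events. This is an added example, not Trend Micro's code; the Sysmon-style field names and the sample command lines are assumptions.

```python
import re

# Constructed sample process-creation events (Sysmon-style fields), not real telemetry.
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\reg.exe",
     "cmdline": r'reg.exe add "HKCU\Software\Classes\ms-settings\Shell\Open\command" /v DelegateExecute /t REG_SZ /d "" /f'},
    {"image": r"C:\Windows\System32\reg.exe",
     "cmdline": r'reg.exe add "HKCU\Software\Classes\ms-settings\Shell\Open\command" /ve /d C:\Users\Public\Update.exe /f'},
    {"image": r"C:\Users\Public\procdump.exe",
     "cmdline": r"procdump.exe -accepteula -ma lsass.exe C:\Users\Public\out.dmp"},
    {"image": r"C:\Windows\System32\cmdkey.exe",
     "cmdline": r"cmdkey.exe /list"},
    {"image": r"C:\Windows\System32\reg.exe",
     "cmdline": r'reg.exe query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion"'},
]

# The handler key named in the report; a per-user write to it is rarely legitimate
# and is the precondition for the described UAC bypass.
MS_SETTINGS_KEY = re.compile(r"HKCU\\Software\\Classes\\ms-settings\\Shell\\Open\\command", re.I)
REG_WRITE = re.compile(r"\breg(?:\.exe)?\"?\s+(add|import|restore)\b", re.I)  # writes, not queries
LSASS_DUMP = re.compile(r"procdump.*\blsass(?:\.exe)?\b", re.I)
CMDKEY = re.compile(r"(^|\\)cmdkey(\.exe)?\b", re.I)

def classify_event(event):
    """Return the detection rule names matched by one process-creation event."""
    hits = []
    cmd, image = event["cmdline"], event["image"]
    if REG_WRITE.search(cmd) and MS_SETTINGS_KEY.search(cmd):
        # The report's sequence sets both DelegateExecute and the (Default) command;
        # either write on its own is worth alerting on.
        hits.append("uac_bypass_ms_settings_handler")
    if "procdump" in image.lower() and LSASS_DUMP.search(cmd):
        hits.append("lsass_memory_dump")
    if CMDKEY.search(image):
        hits.append("cmdkey_credential_access")  # low severity alone; correlate with the above
    return hits

def scan(events):
    """Map each event index to its matched rules, omitting events that match nothing."""
    return {i: r for i, e in enumerate(events) if (r := classify_event(e))}

if __name__ == "__main__":
    for idx, rules in scan(SAMPLE_EVENTS).items():
        print(idx, SAMPLE_EVENTS[idx]["image"], rules)
```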
The loaders employed by TIDRONE are designed for persistence and start as services on infected machines. Researchers have identified the malware's anti-analysis techniques, which include manipulating entry point checks and hooking the GetProcAddress function to divert and complicate forensic analysis. Additionally, the deployment of the CLNTEND DLL, a versatile backdoor, gives the actor persistent access to and control over compromised systems. This DLL is configured to operate under various scenarios, adjusting its loading mechanism to the system's configuration in order to evade detection and make the malware more effective in espionage activities.