Research Saturday 4.13.22
Ep 228 | 4.13.22

A fight to defend Taiwan financial institutions.


Dave Bittner: Hello everyone, and welcome to the CyberWire's "Research Saturday." I'm Dave Bittner, and this is our weekly conversation with researchers and analysts tracking down threats and vulnerabilities, solving some of the hard problems of protecting ourselves in a rapidly evolving cyberspace. Thanks for joining us.

Alan Neville: This was something that had been initially submitted to us by a customer, and then we were able to discover the submission that had come through was actually something new. 

Dave Bittner: That's Alan Neville. He's a principal threat intelligence analyst at Symantec. The research we're discussing today is titled Antlion: Chinese APT Uses Custom Backdoor to Target Financial Institutions in Taiwan. 

Alan Neville: And as we dug further into it, investigating, we were able to kind of tie lines back to a group that we've already been tracking since at least 2015, which are known internally as Antlion. 

Dave Bittner: Well, before we dig into the details of this particular case, what can you tell us about Antlion? 

Alan Neville: Well, Antlion are a group that, as I mentioned before, we first began tracking way back in 2015, and that was in the wake of Operation Tropic Trooper. And that was a campaign that was predominantly targeting Taiwan and the Philippines at the time. And during that time, we were able to assess that the group had been active since probably at least early 2011. The group since then have continued their attacks. They've evolved some of their tools, some of their tactics to gain footholds into different organizations, move across their networks, and ultimately steal information for the purposes of espionage, all while being able to remain under the radar. 

Alan Neville: I suppose since 2011, Antlion have been observed targeting, like, activists that we've seen and organizations in Taiwan, Hong Kong, India, Vietnam and even up to, like, the Philippines as well, just to name some of them. And that's across industries such as, like, government, health care, media, military that we've seen in the past. And I suppose more recently, we've observed Antlion shift their focus away from some of those sectors and began targeting financial organizations in Taiwan, being able to remain effectively active, undiscovered for almost a year in some cases, sifting through those networks and stealing data. 

Dave Bittner: Well, let's go through this particular case. I mean, in the research that you posted, you have a case study here. Can we walk through that together? 

Alan Neville: So the case study that we actually had was essentially one of the organizations that we had seen - one of the financial organizations that we'd been seeing hit in Taiwan. Essentially during that investigation, we had identified a new loader and a backdoor component, which we have dubbed xPack, which was on some of the compromised systems within that organization. Essentially, when we started analyzing the malware, we've seen that it was written in .NET and is essentially used to read the contents of a BIN file or a file that has a .bin extension and that essentially is used to decrypt and then load malware as a service that's stored in that BIN file. 

Alan Neville: And it seems xPack and its associated payloads were mainly used as part of initial access, predominantly used to execute system commands, drop subsequent malware and tools and stage some data for exfiltration at later stages as well. And this effectively allowed the attackers extensive access to the victim's machines, whereby they were able to perform arbitrary code execution via WMI commands, upload or download files, install whatever additional tools that they needed to assist them in moving across a network and locate systems and files of interest, essentially. Some of the commands that we've kind of documented within the blog are kind of indicators of how they perform this lateral movement and this kind of data exfiltration as well. And we had seen them even deploying other malware tools like keyloggers onto these compromised machines, and they had used other tools that we had come across as well called JpgRun, CheckID - both of which are loaders and appears to be custom ones that are written in C++ - even to the point where they borrowed some of the code from some known Chinese remote access tools known as BlackHole. 

Dave Bittner: Now, one of the things that's remarkable here is - as you point out in the research, is how long they were able to stay in systems. How were they able to go so long and stay undetected? 

Alan Neville: Through the use of custom tools and essentially by being able to encrypt their payloads, which was difficult to detect as well, coupled with the use of some of the living-off-the-land tools - so these are, like, tools that could be used legitimately by system administrators, which again, kind of hide malicious activity that are being performed by the attackers. And they're able to use these tools to essentially move through the network, install some of their additional custom malware, and then be able to even identify systems of interest, sit in them for long periods of time to monitor the activity in those machines, identify files that might be of interest to the group, and then essentially start moving to exfiltrate that data. 

Dave Bittner: And in this particular case, what was the thing that tipped their hand? I mean, what was it that, you know, had this client reach out to all of you? 

Alan Neville: So as part of the normal day-to-day work, we look for and hunt for this type of activity. And what we've actually done in our team is help to build analytics, which can identify suspicious activity based on all the other activity that we've seen across our customer's base. And this essentially generates incidents, which then we can then drill into. And in this case, we had seen a suspicious incident in this customer, along with some submissions from that customer as well. And as we analyze this and built out the investigation, we start realizing very quickly that this was something much bigger than just some cybercrime malware that was being present on these machines. 

Dave Bittner: Can you highlight that? I mean, I think this really points out the utility of active threat hunting, you know, rather than just, you know, having detectors running. This seems like a case where that strategy really paid off. 

Alan Neville: Yeah, for sure. Like, some of the things that we'd always recommend, particularly for any organizations for this type of activity, is enable logging like with PowerShell - obviously, that's used everywhere - restricting RDP access, things like that. But those - by monitoring that type of activity, it can be a really good indicator for activity that's not normal within an organization. And they can highlight some particularly interesting either machines or things that are happening that investigators can dig into for this type of threat-hunting activity. 

Dave Bittner: Do you have any sense for what the initial infection vector might have been? 

Alan Neville: So there is no, I suppose, smoking gun. However, we did observe Antlion abusing an MSSQL service to execute system commands, specifically a search util, which, again, is one of those living-off-the-land tools. The command they actually executed was to download their malware, which indicates that the most likely infection vector was exploitation of some web application or some service. Traditionally, Antlion are known to use malicious emails to install their backdoors to gain that initial access to victims' networks. And I would probably expect they continue to use this method as well as a means to gain access to other organizations. 

Dave Bittner: And what does it seem like Antlion are after here? Is this primarily an espionage operation? 

Alan Neville: Yeah. So it looks like, from all the activity that we were able to track since 2015 right up until recently, it's clear that the group are performing espionage-type activities. We were able to see that the identified systems or files of interest that the attackers focused on were generally to exfiltrate some of these files. So, for example, we observed them deploying legitimate versions of archiving tools to these systems, essentially to collect files. And even in one instance, we saw them archiving entire version control repositories, which I think contain, like, intellectual property, other sensitive information for that organization. They would then password protect these archives and then use combinations of PowerShell and BITS transfer modules to upload data to attacker-controlled infrastructure. 

Alan Neville: Even addition to that, we had also seen the attackers interact with legitimate software via their backdoor, which may suggest they were interested in collecting additional information. Like, examples of some of the software we did see them interact with was used for business contact information, software relating to bidding for contracts, money transfers and investments, software used to read smartcards. And all of this type of software can be used by the attackers to find additional targets of interest, build a picture of the type of work and the contracts the companies are currently undertaking or what they're planning to work on in the future and with whom, the current financial state of organizations, and even possibly provide information on company employees as well. 

Dave Bittner: I'm curious, you know, when you and your team find an organization like this inside of a client's systems and it becomes clear to you that they've been in there for a while, to what degree do you go about kicking them out as quickly as possible? And to what degree do you take advantage of the opportunity to kind of watch what they're doing for a little while? 

Alan Neville: Yeah. So obviously, our mandate is protection first. We want to ensure that all our customers are protected. We ensure that detection is added across our entire technology stack, from file detection, network detection, et cetera. And we want to be able to train some of our analytics to identify some of these tools, tactics and procedures that the group are using, so we can track some of that activity as well in the future. Part of our standard process would always be outreach to the customer. We'd engage with them. We'd inform them that we found this activity. We'd provide assistance for remediation and mitigation. We'd also kind of guide them through, and their security teams, in removing or kicking out that actor. 

Dave Bittner: So what are your recommendations for other organizations to protect themselves against this specific group? 

Alan Neville: I suppose all organizations who believe that they could be a target of Antlion, or even kind of similar groups, should essentially adopt a defense-in-depth strategy using multiple detection, protection, hardening technologies to mitigate risk at all points of the potential attack chain. Things like monitoring dual-use tools inside your network and things - like I said before, enabling logging of PowerShell, restricting RDP access should all be implemented. Proper auditing of control and administrative account usage, implement two-factor authentication should be introduced wherever possible to help limit the usefulness of some of the compromised credentials. I'd also suggest checking out some of the indicators that are published on our blog as well. Review the protection information and work with your security teams to ensure measures have been taken to detect and block all this activity across your organization. 

Dave Bittner: How about determining the origin of this actor? I mean, how do you determine whether or not you think it's a nation-state? 

Alan Neville: So during our investigation, there were a few indicators, such as the targeting that was being performed, the tools that had been used, and even how the attackers operated and supported, which all - sorry - which all supported the theory that the attackers were a nation-state-backed Chinese group. So for example, during the investigation, we were able to find some indications that the operators behind Antlion spoke traditional Chinese. When the attacks became active on some of the compromised machines, they firstly changed the code page to traditional Chinese. Some of the tools, like the archiving tools that they had deployed - which, essentially, they were used to collect and exfiltrate some of the files from targeted organizations - were also simplified Chinese tools as well or versions of those tools. 

Alan Neville: A lot of some of the malware tools are Chinese-language hack tools as well, even down to some of their custom tools, which would be based on other Chinese tools that are all freely available online. And I suppose these type of indicators, coupled with their targeting as well and the ability to infiltrate, remain active on multiple networks at the same time, all suggest that they're, I suppose, well-resourced, organized in some fashion and likely a Chinese nation-state-backed actor. 

Dave Bittner: Our thanks to Alan Neville from Symantec for joining us. The research is titled "Antlion: Chinese APT Uses Custom Backdoor to Target Financial Institutions in Taiwan." We'll have a link in the show notes. 

Dave Bittner: The CyberWire podcast is proudly produced in Maryland at the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Liz Irvin, Elliott Peltzman, Tre Hester, Brandon Karpf, Eliana White, Puru Prakash, Justin Sabie, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here next week.