New Backdoor Deployed by Chinese Hackers Targets Taiwanese Financial Institutions
A Recent Report Reveals Techniques of Deploying xPack in a “Persistent” Malicious Campaign.
A recently published report states that Chinese threat actors have been targeting Taiwanese financial institutions for a period of 18 months.
APT Group Targets Taiwan’s Organizations
According to the Symantec experts, who released a report on this topic, a Chinese APT group has been targeting Taiwanese financial institutions in a malicious campaign described as “persistent”.
The activity reportedly began as espionage; the researchers found that it led to the deployment of a backdoor dubbed xPack, which gave the hackers considerable control over the targeted machines.
The attackers deployed a custom backdoor we have called xPack on compromised systems, which gave them extensive access to victim machines. (…) The backdoor allowed the attackers to run WMI commands remotely, while there is also evidence that they leveraged EternalBlue exploits in the backdoor. The attackers appeared to have the ability to interact with SMB shares, and it’s possible that they used mounted shares over SMB to transfer files from attacker-controlled infrastructure. There is also evidence that the attackers were able to browse the web through the backdoor, likely using it as a proxy to mask their IP address. (…) The goal of this campaign appears to have been espionage, as we saw the attackers exfiltrating data and staging data for exfiltration from infected networks.
More Details on the xPack Backdoor Targeting Taiwan
The experts shared some technical details on how the deployment of the xPack backdoor unfolded.
There is no clear information on the initial attack vector employed in this campaign; however, the experts believe that Antlion, the APT group under discussion, achieved a foothold by means of a web application vulnerability and then deployed xPack. The backdoor is used to perform a variety of malicious actions on the targeted system, such as executing system commands, dropping further malware, and staging data for exfiltration.
What’s more, the hackers also leveraged C++-based custom loaders along with a mix of legitimate off-the-shelf tools like AnyDesk. To achieve remote access, they also used LotL (living off the land) methods, arbitrary command execution, and credential dumping.
The main custom backdoor used by Antlion in this campaign was the xPack backdoor, which is a custom .NET loader that decrypts (AES), loads, and executes accompanying .bin files. Its decryption password is provided as a command-line argument (Base64 encoded string), and xPack is intended to be run as a standalone application or as a service (xPackSvc variant).
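As an added hunting example (not code from the Symantec report or from Heimdal), the script below scores process-creation records against the behaviours described above: a loader started standalone or as a service with a Base64-encoded argument on its command line next to a .bin payload, WMI commands issued against a remote host, and a legitimate remote-access tool such as AnyDesk appearing on a host where it is not sanctioned. All records, host names, paths, the allowlist and the Base64 strings are constructed for this example; a real collector would enumerate the image's directory at alert time instead of carrying a "siblings" list.

```python
import base64
import binascii
import ntpath
import re

# Added hunting example (not Symantec's or Heimdal's code). It scores
# process-creation records against behaviour the report attributes to Antlion:
# a standalone or service-hosted loader started with a Base64-encoded key on its
# command line next to a .bin payload, WMI commands run against remote hosts,
# and a legitimate remote-access tool (AnyDesk) on a host where it is not
# expected. Every record, host name, path and Base64 string below is
# constructed for this example.

BASE64_CHARS = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")
TOKEN = re.compile(r'"[^"]*"|\S+')  # a quoted argument or a bare word

# Constructed allowlist: hosts where a remote-access tool is sanctioned.
APPROVED_REMOTE_TOOL_HOSTS = {"anydesk.exe": {"HELPDESK01"}}


def looks_like_base64(token: str) -> bool:
    """True for a plausible Base64 blob: alphabet, padding, length and a strict decode."""
    if len(token) < 16 or len(token) % 4 != 0 or not BASE64_CHARS.match(token):
        return False
    try:
        base64.b64decode(token, validate=True)
    except (binascii.Error, ValueError):
        return False
    return True


def tokenize(cmdline: str) -> list[str]:
    """Split a Windows command line, keeping quoted arguments as single tokens."""
    return TOKEN.findall(cmdline)


def loader_pattern(ev: dict):
    """xPack-style loader: Base64 argument on the command line and a .bin file beside the image."""
    b64 = [t for t in tokenize(ev["cmdline"])[1:] if looks_like_base64(t)]
    bins = [f for f in ev["siblings"] if f.lower().endswith(".bin")]
    if not (b64 and bins):
        return None
    started = "as a service" if ntpath.basename(ev["parent"]).lower() == "services.exe" else "standalone"
    return ("xpack_loader_pattern",
            f"{ev['image']} started {started} with a Base64 argument; payload candidates {bins}")


def remote_wmi(ev: dict):
    """wmic.exe invoked with /node: pointing at another machine."""
    if ntpath.basename(ev["image"]).lower() != "wmic.exe":
        return None
    for tok in tokenize(ev["cmdline"]):
        m = re.match(r'^/node:"?([^"]+)"?$', tok, re.IGNORECASE)
        if m and m.group(1).upper() not in {".", "LOCALHOST", ev["host"].upper()}:
            return ("remote_wmi", f"WMI command issued against {m.group(1)}")
    return None


def unapproved_remote_tool(ev: dict):
    """Legitimate remote-access binary running on a host outside the allowlist."""
    name = ntpath.basename(ev["image"]).lower()
    if name in APPROVED_REMOTE_TOOL_HOSTS and ev["host"] not in APPROVED_REMOTE_TOOL_HOSTS[name]:
        return ("remote_access_tool", f"{name} running on a non-approved host")
    return None


RULES = (loader_pattern, remote_wmi, unapproved_remote_tool)


def triage(events: list[dict]) -> list[tuple[str, str, str]]:
    """Return (host, rule, detail) for every rule that fires, in event order."""
    findings = []
    for ev in events:
        for rule in RULES:
            hit = rule(ev)
            if hit:
                findings.append((ev["host"], hit[0], hit[1]))
    return findings


# Constructed process-creation records (Sysmon event 1 style, reduced to the
# fields the rules need). "siblings" lists files in the image's directory.
SAMPLE_EVENTS = [
    {"host": "WKS-FIN-07", "image": r"C:\Windows\System32\svchost.exe",
     "cmdline": "svchost.exe -k netsvcs -p",
     "parent": r"C:\Windows\System32\services.exe", "siblings": []},
    {"host": "WKS-FIN-07", "image": r"C:\ProgramData\update\svc.exe",
     "cmdline": "svc.exe U2VjcmV0UGFzc3dvcmQxMjM=",
     "parent": r"C:\Windows\System32\services.exe", "siblings": ["svc.exe", "svc.bin"]},
    {"host": "WKS-FIN-07", "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "cmdline": 'wmic /node:"FILESRV01" process call create "cmd.exe /c hostname"',
     "parent": r"C:\Windows\System32\cmd.exe", "siblings": []},
    {"host": "WKS-FIN-07", "image": r"C:\Program Files\AnyDesk\AnyDesk.exe",
     "cmdline": "AnyDesk.exe", "parent": r"C:\Windows\explorer.exe", "siblings": []},
    {"host": "HELPDESK01", "image": r"C:\Program Files\AnyDesk\AnyDesk.exe",
     "cmdline": "AnyDesk.exe", "parent": r"C:\Windows\explorer.exe", "siblings": []},
    # A Base64 argument alone is not enough: an encoded PowerShell command with
    # no .bin beside the image does not trip the loader rule.
    {"host": "WKS-FIN-07", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -EncodedCommand SABlAGwAbABvAA==",
     "parent": r"C:\Windows\explorer.exe", "siblings": []},
]

if __name__ == "__main__":
    for host, rule, detail in triage(SAMPLE_EVENTS):
        print(f"{host:12} {rule:22} {detail}")
```

Run on the constructed records, the script raises three findings, all on WKS-FIN-07: the service-started svc.exe with its svc.bin neighbour, the WMI command aimed at FILESRV01, and AnyDesk outside the help-desk allowlist. The loader rule deliberately requires both the Base64 argument and a .bin file, because Base64 on a command line is common in benign administration (the PowerShell record shows this); in a real deployment the allowlists and file-system lookups would come from inventory and the endpoint agent rather than from inline data.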
Hackers Lay in Wait on the Victims’ Networks for a Long Time
One notable feature of this campaign is how long the threat actors remained hidden on the victims’ networks, which let them perform reconnaissance and data exfiltration without being detected.
For instance, in one of the unspecified financial organizations they targeted, the hackers remained on the network for about 250 days between December 2020 and August 2021, while in a second case they monitored the network of a manufacturing organization for about 175 days.
How Can Heimdal™ Help?
Constant and efficient patching is the essential process that strengthens your vulnerability management strategy and keeps your essential business assets safeguarded. Use our Patch & Asset Management, an automated tool that helps you keep your software updated at all times in a professional way.