Security Affairs reports that suspected China-linked threat operation TIDRONE has exploited enterprise resource planning software and remote desktops to compromise Taiwanese drone manufacturers in sophisticated malware attacks.
According to a report from Trend Micro researchers, the attackers used a malicious DLL loaded by the Microsoft Word application to retrieve, through the open-source remote desktop and remote administration software UltraVNC, a launcher that injected the CXCLNT malware and the CLTEND remote access tool. Besides allowing file uploads and downloads and the download of executables, CXCLNT supported system information gathering and activity obfuscation, while CLTEND expanded the attackers' capabilities through support for additional network protocols.

Further analysis of TIDRONE's attacks revealed continuous updates to its arsenal: the operation used not only UAC bypass, credential dumping, and commands that disable antivirus software, but also additional anti-analysis measures, including verification of the parent process's entry point address and manipulation of execution flow via the GetProcAddress API.
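As an added example, not code from the Security Affairs article or the Trend Micro report, the following detection logic flags the two behaviours described above in Sysmon-style image-load and process-creation events: Word loading an unsigned DLL from outside the system directories, and Word spawning a remote-administration binary. The UltraVNC binary names, the field layout, and the sample events are constructed assumptions.

```python
"""Detection over constructed Sysmon-style events for Word DLL side-loading
and Word-spawned remote-admin tooling (added example, not from the report)."""
from dataclasses import dataclass

SYSTEM_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
OFFICE_IMAGES = {"winword.exe"}
# Assumption: typical UltraVNC binary names; adjust for your environment.
REMOTE_ADMIN_IMAGES = {"winvnc.exe", "vncviewer.exe"}

@dataclass
class Event:
    kind: str            # "image_load" or "process_create"
    image: str           # full path of the process image
    loaded: str = ""     # DLL path (image_load only)
    signed: bool = True  # signature-verification result for the loaded DLL
    parent_image: str = ""  # parent process image (process_create only)

def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()

def _in_system_dir(path: str) -> bool:
    return path.lower().startswith(SYSTEM_DIRS)

def flag(event: Event):
    """Return a detection label for the event, or None if it looks benign."""
    if event.kind == "image_load" and _basename(event.image) in OFFICE_IMAGES:
        # Word loading an unsigned DLL from a non-system path: side-loading signal
        if (event.loaded.lower().endswith(".dll") and not event.signed
                and not _in_system_dir(event.loaded)):
            return "word-sideload"
    if event.kind == "process_create" and _basename(event.parent_image) in OFFICE_IMAGES:
        # Word as the parent of a remote-admin tool is unexpected in normal use
        if _basename(event.image) in REMOTE_ADMIN_IMAGES:
            return "word-spawns-remote-admin"
    return None

def scan(events):
    """Return (label, path) pairs for every flagged event, in input order."""
    return [(label, e.loaded or e.image) for e in events if (label := flag(e))]

# Constructed sample telemetry: two benign events and two suspicious ones.
WORD = "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE"
SAMPLE_EVENTS = [
    Event("image_load", WORD, loaded="C:\\Users\\alice\\AppData\\Local\\Temp\\helper.dll", signed=False),
    Event("image_load", WORD, loaded="C:\\Windows\\System32\\kernel32.dll", signed=True),
    Event("process_create", "C:\\Users\\alice\\AppData\\Local\\Temp\\winvnc.exe", parent_image=WORD),
    Event("process_create", "C:\\Windows\\System32\\conhost.exe", parent_image="C:\\Temp\\winvnc.exe"),
]

if __name__ == "__main__":
    for label, path in scan(SAMPLE_EVENTS):
        print(f"{label}: {path}")
```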