Malware, Threat Intelligence

Taiwanese drone makers subjected to TIDRONE APT intrusions

An Android app for a Chinese drone may be spying.
CREDIT: Goh Rhy Yan

Security Affairs reports that suspected China-linked threat operation TIDRONE has exploited enterprise resource planning software and remote desktops to compromise Taiwanese drone manufacturers in sophisticated malware attacks.

Attackers used a malicious DLL loaded through the Microsoft Word application to retrieve, via the open-source remote desktop and remote administration tool UltraVNC, a launcher that injected the CXCLNT malware and the CLTEND remote access tool, according to a report from Trend Micro researchers. Aside from uploading and downloading files and downloading executables, CXCLNT can gather system information and obscure its activity, while CLTEND extends the attackers' capabilities through support for additional network protocols. Further analysis of TIDRONE's attacks revealed continuous updates to its arsenal: the group used not only UAC bypass, credential dumping, and antivirus-disabling commands but also additional anti-analysis measures, including verification of the parent process's entry-point address and manipulation of execution flow via the GetProcAddress API.
