A Chinese advanced persistent threat (APT) group has been conducting a sustained espionage campaign against Taiwanese financial institutions over the past 18 months. According to a report released by Broadcom's Symantec, the intrusions relied heavily on a custom backdoor known as xPack, which gives the attackers extensive control over compromised systems.
What sets this campaign apart is how long the threat actors maintained access to victim networks. That prolonged presence allowed them to carry out in-depth reconnaissance and collect sensitive business information without being detected. In one financial organisation the attackers remained undetected for nearly 250 days; a manufacturing organisation was surveilled for approximately 175 days.
The initial method of breach has not been definitively identified; however, the available indications suggest that the group, tracked as Antlion, may have exploited a vulnerability in a web application to get into its targets. Once inside, the attackers deployed the xPack backdoor, which they used to run system commands, install additional malware, and stage data for exfiltration.
The threat actors also used custom loaders written in C++ together with legitimate tools such as AnyDesk, and relied on living-off-the-land (LotL) techniques, that is, abusing utilities already present on the system rather than dropping new malware. In combination these gave the attackers remote access to systems, a way to harvest credentials, and the ability to execute arbitrary commands while blending in with normal administrative activity.
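Because the campaign leaned on a legitimate remote-access tool and on living-off-the-land execution, the behaviours a defender can hunt for are process-level rather than signature-level. The following is an added example, not code from the original report or from Symantec, showing how a handful of detection rules for those behaviours can be run over process-creation events. The events, host names, the list of sanctioned hosts and the extra remote-access tool names beyond AnyDesk are all constructed assumptions for illustration; the rules themselves cover an unapproved remote-access tool, PowerShell with an encoded command, WMI remote process creation, and a web server process spawning a shell (consistent with the suspected web-application entry point).

```python
"""Run simple behavioural rules over constructed process-creation events.

All events below are constructed samples; nothing here is taken from the
Symantec report or from any real environment.
"""
import re
from dataclasses import dataclass
from typing import Callable, List, Optional

# Hosts where a remote-access tool is sanctioned (assumption for the example).
APPROVED_RAT_HOSTS = {"helpdesk-01"}
# AnyDesk is named in the findings; TeamViewer and Ammyy are added here as
# commonly abused equivalents (assumption, not from the report).
REMOTE_ACCESS_TOOLS = {"anydesk.exe", "teamviewer.exe", "ammyy.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}
WEB_SERVER_PROCESSES = {"w3wp.exe", "httpd.exe"}   # IIS worker, Apache (assumption)
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
WMIC_REMOTE_CREATE = re.compile(r"/node:\S+\s+process\s+call\s+create", re.I)


@dataclass(frozen=True)
class Event:
    host: str
    user: str
    parent: str    # parent image basename
    image: str     # image basename
    cmdline: str


@dataclass(frozen=True)
class Finding:
    rule: str
    host: str
    detail: str


def has_encoded_command(cmdline: str) -> bool:
    """True if the command line carries -EncodedCommand in any of its
    accepted abbreviated forms (-e, -ec, -enc, ...), with '-' or '/' prefix.
    Other '-e...' switches such as -ExecutionPolicy do not match."""
    for tok in cmdline.lower().split():
        if tok[:1] in ("-", "/"):
            tok = "-" + tok[1:]
            if len(tok) >= 2 and "-encodedcommand".startswith(tok):
                return True
    return False


def rule_unapproved_rat(e: Event) -> Optional[Finding]:
    if e.image.lower() in REMOTE_ACCESS_TOOLS and e.host not in APPROVED_RAT_HOSTS:
        return Finding("unapproved_remote_access_tool", e.host, f"{e.image} run by {e.user}")
    return None


def rule_web_server_spawned_shell(e: Event) -> Optional[Finding]:
    if e.parent.lower() in WEB_SERVER_PROCESSES and e.image.lower() in SHELLS:
        return Finding("web_server_spawned_shell", e.host, f"{e.parent} -> {e.cmdline}")
    return None


def rule_encoded_powershell(e: Event) -> Optional[Finding]:
    if e.image.lower() in POWERSHELL and has_encoded_command(e.cmdline):
        return Finding("powershell_encoded_command", e.host, f"parent={e.parent} cmd={e.cmdline}")
    return None


def rule_wmi_remote_exec(e: Event) -> Optional[Finding]:
    if e.image.lower() == "wmic.exe" and WMIC_REMOTE_CREATE.search(e.cmdline):
        return Finding("wmi_remote_process_create", e.host, e.cmdline)
    return None


RULES: List[Callable[[Event], Optional[Finding]]] = [
    rule_unapproved_rat,
    rule_web_server_spawned_shell,
    rule_encoded_powershell,
    rule_wmi_remote_exec,
]


def analyze(events: List[Event]) -> List[Finding]:
    """Apply every rule to every event, in order; return all findings."""
    return [f for e in events for rule in RULES if (f := rule(e)) is not None]


# Constructed sample telemetry (not real data).
SAMPLE_EVENTS = [
    Event("fin-ws-17", "CORP\\analyst", "explorer.exe", "AnyDesk.exe",
          r"C:\Users\analyst\AppData\Roaming\AnyDesk\AnyDesk.exe --service"),
    Event("helpdesk-01", "CORP\\svc_help", "explorer.exe", "AnyDesk.exe",
          r"C:\Program Files\AnyDesk\AnyDesk.exe"),                  # sanctioned host
    Event("fin-srv-02", "IIS APPPOOL\\app", "w3wp.exe", "cmd.exe", "cmd.exe /c whoami"),
    Event("fin-srv-02", "IIS APPPOOL\\app", "cmd.exe", "powershell.exe",
          "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0A"),
    Event("fin-srv-02", "CORP\\admin", "cmd.exe", "wmic.exe",
          'wmic.exe /node:fin-srv-05 process call create "cmd.exe /c dir"'),
    Event("fin-ws-17", "CORP\\analyst", "explorer.exe", "powershell.exe",
          r"powershell.exe -ExecutionPolicy Bypass -File C:\scripts\backup.ps1"),  # benign
]

if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f"[{f.rule}] {f.host}: {f.detail}")
```

Run against the constructed events, the script flags four of the six: the AnyDesk launch on a non-sanctioned workstation, the shell spawned by the IIS worker, the encoded PowerShell command, and the remote WMI process creation; the AnyDesk launch on the helpdesk host and the scheduled backup script pass. The point is that none of these rules depend on knowing xPack or the loaders by hash, which matters when the operators' dwell time is measured in months.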
Antlion has a history of espionage activity dating back to at least 2011, and the recent operations show that it remains an active threat.
The findings add to a growing body of evidence of China-linked state-sponsored groups targeting Taiwan. The activity sits alongside campaigns by other actors such as Tropic Trooper and Earth Lusca, which have targeted sectors including government and healthcare in the country.
Mapped to the MITRE ATT&CK framework, the tactics and techniques Antlion likely employed in these attacks include initial access through exploitation of a public-facing web application, execution and command-and-control through the xPack backdoor, credential access and remote access through legitimate tools such as AnyDesk combined with living-off-the-land techniques, and staging of collected data for exfiltration. The dwell times reported (around 250 and 175 days) indicate that detection in these environments needs to focus on such post-compromise behaviours rather than on the malware alone.