‘TIDrone’ Cyberattackers Target Taiwan’s Drone Manufacturers

Summary: Researchers have identified a threat actor named “TIDrone” that is targeting military and satellite-related supply chains, particularly focusing on drone manufacturers in Taiwan. This group employs advanced malware and sophisticated attack techniques to compromise their targets and evade detection.

Threat Actor: TIDrone
Victim: Military- and satellite-related supply chains and industries, notably drone manufacturers in Taiwan

Key Points:

  • TIDrone is linked to other Chinese-speaking groups and uses enterprise resource planning (ERP) software or remote desktop tools as the vector for deploying its proprietary malware.
  • Trend Micro has handled incident response cases from Taiwan since the beginning of 2024, but VirusTotal telemetry shows that the targeted countries are varied.
  • Two specialized tools are in play: “CXCLNT,” which uploads and downloads files, collects victim information such as file listings and computer names, and includes stealth capabilities; and “CLNTEND,” a remote access tool (RAT) first seen in April that supports a wide range of network protocols for communication.
  • After compromise, TIDrone uses UAC bypass techniques, credential dumping, and hacktools to disable antivirus products.
  • The actors continuously update their arsenal and optimize the attack chain; their loaders use anti-analysis techniques such as verifying the entry point address from the parent process and hooking widely used APIs like GetProcAddress to alter the execution flow.

A threat actor dubbed “TIDrone” by researchers is actively going after military- and satellite-related industrial supply chains, particularly drone manufacturers in Taiwan.

That’s according to Trend Micro, which linked TIDrone to other Chinese-speaking groups and noted that it uses enterprise resource planning (ERP) software or remote desktop tools to deploy advanced, proprietary malware.

“Since the beginning of 2024, we have been receiving incident response cases from Taiwan,” according to an analysis from the firm. “[However], telemetry from VirusTotal indicates that the targeted countries are varied; thus, everyone should stay vigilant of this threat.”

The specialized toolset includes “CXCLNT,” which can upload and download files, collect victim information such as file listings and computer names, and comes with stealth capabilities. Another tool is “CLNTEND,” a remote access tool (RAT) first seen last April that supports a wide range of network protocols for communication.

Once TIDrone has compromised a target, it deploys user account control (UAC) bypass techniques, credential dumping, and hacktool usage to disable antivirus products, according to the analysis.

“The threat actors have consistently updated their arsenal and optimized the attack chain,” the researchers noted. “Notably, anti-analysis techniques are employed in their loaders, such as verifying the entry point address from the parent process and hooking widely used application programming interfaces (APIs) like GetProcAddress to alter the execution flow.”
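One check a defender would want after reading the loader description above: confirm that frequently hooked exports such as GetProcAddress still carry their on-disk prologue inside a suspect process. The following is an added example written for this page, not code from Trend Micro or from TIDrone's toolset. It works on constructed byte strings with hypothetical addresses (GPA_ADDR, CLEAN_PROLOGUE, the two hooked variants are all assumptions) and recognises the trampoline shapes inline hooks commonly leave behind (jmp rel32, jmp [rip+disp32], mov rax/jmp rax, push/ret). On a live Windows host you would read the bytes with ReadProcessMemory and take the reference prologue from the DLL's image on disk.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Kinds of inline hook that commonly overwrite an exported function's first bytes. */
enum hook_kind {
    HOOK_NONE = 0,          /* prologue matches the clean on-disk copy (or nothing recognised) */
    HOOK_JMP_REL32,         /* E9 rel32                        */
    HOOK_JMP_RIP_INDIRECT,  /* FF 25 disp32  (jmp [rip+disp32]) */
    HOOK_MOV_RAX_JMP,       /* 48 B8 imm64 FF E0               */
    HOOK_PUSH_RET,          /* 68 imm32 C3                     */
    HOOK_UNKNOWN_PATCH      /* differs from clean copy, pattern not recognised */
};

/* Little-endian decoders so the check does not depend on host byte order. */
static uint32_t le32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static uint64_t le64(const uint8_t *p) {
    return (uint64_t)le32(p) | ((uint64_t)le32(p + 4) << 32);
}

/*
 * Classify the first bytes of an exported function as read from a live process.
 *   code/len        bytes at the function entry in the target process
 *   code_addr       virtual address of those bytes (needed to resolve rel32/disp32)
 *   clean/clean_len the same prologue taken from the on-disk image, or NULL
 *   target          receives where control is diverted to (for jmp [rip+disp32]
 *                   the address of the pointer slot); 0 when nothing was resolved
 */
enum hook_kind classify_prologue(const uint8_t *code, size_t len, uint64_t code_addr,
                                 const uint8_t *clean, size_t clean_len, uint64_t *target)
{
    if (target) *target = 0;

    /* Ground truth first: memory identical to the on-disk prologue means no patch. */
    if (clean && clean_len <= len && memcmp(code, clean, clean_len) == 0)
        return HOOK_NONE;

    if (len >= 5 && code[0] == 0xE9) {                       /* jmp rel32 */
        int32_t rel = (int32_t)le32(code + 1);
        if (target) *target = code_addr + 5 + (int64_t)rel;
        return HOOK_JMP_REL32;
    }
    if (len >= 6 && code[0] == 0xFF && code[1] == 0x25) {    /* jmp [rip+disp32] */
        int32_t disp = (int32_t)le32(code + 2);
        if (target) *target = code_addr + 6 + (int64_t)disp;
        return HOOK_JMP_RIP_INDIRECT;
    }
    if (len >= 12 && code[0] == 0x48 && code[1] == 0xB8 &&   /* mov rax, imm64; jmp rax */
        code[10] == 0xFF && code[11] == 0xE0) {
        if (target) *target = le64(code + 2);
        return HOOK_MOV_RAX_JMP;
    }
    if (len >= 6 && code[0] == 0x68 && code[5] == 0xC3) {    /* push imm32; ret */
        if (target) *target = le32(code + 1);
        return HOOK_PUSH_RET;
    }
    /* Differs from disk but is no known trampoline: still suspicious when a clean copy exists. */
    return clean ? HOOK_UNKNOWN_PATCH : HOOK_NONE;
}

/* Constructed sample data (assumptions, not real memory dumps). A typical x64 prologue
   (mov [rsp+8],rbx; push rdi; sub rsp,20h) as it would appear in the DLL on disk. */
static const uint8_t CLEAN_PROLOGUE[] = { 0x48,0x89,0x5C,0x24,0x08, 0x57, 0x48,0x83,0xEC,0x20 };
#define GPA_ADDR 0x7FFA12340000ULL   /* hypothetical address of GetProcAddress in the target */

/* Same function after an inline hook: jmp rel32 to 0x7FFA00001000, tail of prologue untouched. */
static const uint8_t HOOKED_REL32[] = { 0xE9, 0xFB,0x0F,0xCC,0xED, 0x57, 0x48,0x83,0xEC,0x20 };
/* Alternative hook style: mov rax, 0x7FFA00002000; jmp rax. */
static const uint8_t HOOKED_ABS[]   = { 0x48,0xB8, 0x00,0x20,0x00,0x00,0xFA,0x7F,0x00,0x00, 0xFF,0xE0 };

/* Run the check on one sample against the constructed clean copy. */
enum hook_kind check_sample(const uint8_t *code, size_t len, uint64_t *target) {
    return classify_prologue(code, len, GPA_ADDR, CLEAN_PROLOGUE, sizeof CLEAN_PROLOGUE, target);
}

static const char *kind_name(enum hook_kind k) {
    static const char *names[] = { "clean", "jmp rel32", "jmp [rip+disp32]",
                                   "mov rax/jmp rax", "push/ret", "unknown patch" };
    return names[k];
}

int main(void) {
    uint64_t t;
    printf("GetProcAddress (clean copy) : %s\n", kind_name(check_sample(CLEAN_PROLOGUE, sizeof CLEAN_PROLOGUE, &t)));
    printf("GetProcAddress (rel32 hook) : %s -> 0x%llx\n",
           kind_name(check_sample(HOOKED_REL32, sizeof HOOKED_REL32, &t)), (unsigned long long)t);
    printf("GetProcAddress (abs hook)   : %s -> 0x%llx\n",
           kind_name(check_sample(HOOKED_ABS, sizeof HOOKED_ABS, &t)), (unsigned long long)t);
    return 0;
}
```

The comparison against the disk copy runs before the pattern match on purpose: a few legitimate exports are themselves just a jump to another routine, so a trampoline pattern alone is a weaker signal than "memory no longer equals the image". The resolved target is what you then check against the module list of the process; a target outside any loaded image, or inside a region that is private and executable, is the finding worth escalating.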

Source: https://www.darkreading.com/ics-ot-security/tidrone-cyberattackers-taiwan-drone-manufacturers