Analysis on the Case of TIDRONE Threat Actor’s Attacks on Korean Companies

Summary :

AhnLab SEcurity intelligence Center (ASEC) has reported that the TIDRONE threat actor is targeting companies by abusing ERP software to install the CLNTEND backdoor. The group, known for its attacks on Taiwanese defense companies, has recently expanded its activity to South Korea. Users are advised to keep their security products up to date to prevent infection.

Keypoints :

  • TIDRONE abuses ERP software distribution to install the CLNTEND malware.
  • The group targets Taiwanese defense companies and has expanded to South Korea.
  • DLL side-loading is used to execute the loader and the in-memory payload.
  • CLNTEND supports several communication protocols, including TCP and HTTP.

MITRE Techniques :

  • Hijack Execution Flow: DLL Side-Loading (T1574.002; the legacy ID T1073 is deprecated): Uses DLL side-loading to execute malicious code from a legitimate host executable.
  • Remote Access Tools (T1219): Utilizes CLNTEND as a Remote Access Tool for maintaining control over compromised systems.

Indicator of Compromise :

  • [domain] ac[.]metyp9[.]com
  • [domain] server[.]microsoftsvc[.]com
  • [file hash] 11529c342d150647a020145da873ea98
  • [file hash] 127c722bf973d850ee085ab863257692
  • [file hash] 26ff6fac8ac83ece36b95442f5bb81ce
  • [file hash] 30c0796aa5d7ba9ea3790a0210ec9840
  • [file hash] 314f239e2ba3fbf6b9e6b4f13ee043e7

AhnLab SEcurity intelligence Center (ASEC) has recently identified that the TIDRONE threat actor is launching attacks against companies. In these cases, Enterprise Resource Planning (ERP) software was abused to install a backdoor called CLNTEND.

TIDRONE is a threat group known for targeting Taiwanese defense companies and drone manufacturers. Trend Micro first reported on TIDRONE in September 2024. [1] TIDRONE, which is assessed to be linked to a Chinese-speaking threat group, targets multiple countries besides Taiwan. The group installs the CXCLNT and CLNTEND backdoors by abusing Enterprise Resource Planning (ERP) software and the remote desktop software UltraVNC.

AhnLab SEcurity intelligence Center (ASEC) has confirmed that CLNTEND was used in attacks against Korean companies in the first half of 2024, and that since July 2024 the group has also been abusing Korean ERP software. Since these ERP products have no official website and a limited number of users, they were likely developed by small companies and supplied to a handful of Korean firms.

Figure 1. CLNTEND Installed with ERP

1. Attack Vector

The distribution method of the attack identified in the first half of 2024 has not been confirmed. However, the attack is known to have used DLL side-loading with “winword.exe”, as in the Trend Micro report. From July 2024, malware was distributed through ERP software in two main types of cases.

In the first type, the ERP appears to come from a small Korean development company that is assumed to customize and supply the ERP for each client. Legitimate builds of this company's ERP identified on AhnLab Smart Defense (ASD) are about 20 MB in size, whereas all of the malware samples used in the attacks are about 4 MB.

Figure 2. Cases of attacks exploiting ERP

Although the malware that the threat actor distributed directly was not collected, the “VsGraphicsDesktopEngine.exe” it creates is a legitimate program used in another DLL side-loading chain, covered later. TIDRONE's loader malware is commonly found at the following paths:

%ProgramFiles%\microsoft office\wwlib.dll
%SystemDrive%\3dpedition\wwlib.dll
%ProgramFiles%\intel\intel(r) serial io\lang\hr-hr\wwlib.dll

The second type is a case in which distribution of the actual malware was confirmed. It involves the ERP of another Korean company that likewise has no official website. As in the first case, the threat actor supplied different versions to different clients: one client received a legitimate version of the ERP, which was later replaced with a dropper that installs both the ERP and CLNTEND.

Figure 3. CLNTEND downloaded from the ERP distribution server

2. Analyzing Malware

The malware installed through the above attacks consists of a legitimate executable, a DLL that acts as the loader, and an encrypted CLNTEND. When the distributed executable runs, it loads the malicious DLL from the same directory via DLL side-loading, and the DLL decrypts the encrypted file and executes it in memory.

Figure 4. Process flow

The most frequently abused host executables are Microsoft Word (winword.exe) and VsGraphicsDesktopEngine.exe; more recently, rc.exe has also been used.

Executable File              DLL Name                  Data File Name
winword.exe                  wwlib.dll                 gimaqkwo.iqq
VsGraphicsDesktopEngine.exe  vsgraphicsproxystub.dll   opt.dat
rc.exe                       rcdll.dll                 wctE5ED.tmp
N/A                          jli.dll                   cxufejc.abu, thaxdle.fxm
N/A                          iviewers.dll              opt.dat, tmplog

Table 1. DLL Side-Loading

Several different loaders are used in the attack chain, and the threat actor has built them in different ways to hinder analysis. The loader covered by Trend Micro overwrites the Fiber structure for this purpose. The recent loader is also obfuscated and is notable for decrypting the encrypted data file “wctE5ED.tmp” from within an FLS (fiber local storage) callback rather than from a normal code path.

Figure 5. Decryption routine using FlsCallback

CLNTEND is a RAT. According to the Trend Micro report, it has been used in attacks alongside CXCLNT. Unlike CXCLNT, CLNTEND is known to support a range of communication protocols: TCP (raw socket and WebSocket), TLS, HTTP, HTTPS, and SMB.

Figure 6. Class name of CLNTEND

In addition to the loader and the encrypted data, the threat actor distributed a launcher whose only job is to execute a file at a specific path. Because the path is hard-coded, the installation path and file name of the malware can be inferred from the launcher.

Type    Execution Path
Type A  C:\AMD\Chipset_SoftWare\VsGraphicsDesktopEnginese.exe
Type B  C:\NVIDIA\DisplayDriver\rc.exe
        C:\NVIDIA\nForceWin7Vista64Int\rc.exe
        C:\NVIDIA\GLCache\rc.exe
        C:\AMD\Chipset_Software\rc.exe
Type C  "C:\ProgramData\Microsoft OneDrive\setup\nir.exe" exec hide cdb.exe -pd -cf "C:\ProgramData\Microsoft OneDrive\setup\dbglog.dat" dllhost
Type D  C:/******/*****/Application/de/oleview.exe

Table 2. Execution paths of Launcher
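The side-loading sets in Table 1 and the hard-coded launcher paths in Table 2 are directly usable for host triage. The following script is an added example written for this page, not ASEC's tooling: it groups a file inventory by directory and flags directories holding a Table 1 DLL beside its host executable and/or encrypted data file, and it checks process-creation events against the Table 2 paths, additionally pulling out the script passed to cdb.exe via -cf in the Type C command line so it can be collected. The confidence scoring (the data file beside the DLL is the decisive artifact; exe + DLL alone is only a lead, since wwlib.dll legitimately ships next to winword.exe) is this example's own heuristic, the redacted Type D path is omitted, and the file inventory and events at the bottom are constructed sample data, not real telemetry.

```python
"""Triage helper for the TIDRONE side-loading sets (Table 1) and launcher
paths (Table 2). Added illustration, not ASEC's tooling; the inventory and
process events below are constructed sample data, not real telemetry."""
from collections import defaultdict
from pathlib import PureWindowsPath

# Table 1 rows: (host executable or None, side-loaded DLL, encrypted data file names)
SIDELOAD_SETS = [
    ("winword.exe", "wwlib.dll", {"gimaqkwo.iqq"}),
    ("vsgraphicsdesktopengine.exe", "vsgraphicsproxystub.dll", {"opt.dat"}),
    ("rc.exe", "rcdll.dll", {"wcte5ed.tmp"}),
    (None, "jli.dll", {"cxufejc.abu", "thaxdle.fxm"}),
    (None, "iviewers.dll", {"opt.dat", "tmplog"}),
]

# Table 2 launcher targets, lower-cased (Type D is redacted in the source and omitted)
LAUNCHER_PATHS = {
    r"c:\amd\chipset_software\vsgraphicsdesktopenginese.exe",
    r"c:\nvidia\displaydriver\rc.exe",
    r"c:\nvidia\nforcewin7vista64int\rc.exe",
    r"c:\nvidia\glcache\rc.exe",
    r"c:\amd\chipset_software\rc.exe",
    r"c:\programdata\microsoft onedrive\setup\nir.exe",
}


def normalize(path):
    """Lower-case a Windows path and unify separators for comparison."""
    return str(PureWindowsPath(path)).lower()


def find_sideload_sets(file_paths):
    """Group a file inventory by directory and report directories holding a
    Table 1 DLL next to its host executable and/or encrypted data file.
    Heuristic (this example's own): 'high' when the data file is present,
    'low' when only exe + DLL are present (wwlib.dll legitimately sits beside
    winword.exe in an Office install, so that pairing alone is just a lead).
    A Table 1 DLL on its own is ignored: jli.dll and iviewers.dll are common."""
    by_dir = defaultdict(set)
    for path in file_paths:
        wp = PureWindowsPath(normalize(path))
        by_dir[str(wp.parent)].add(wp.name)
    hits = []
    for directory, names in by_dir.items():
        for exe, dll, data_files in SIDELOAD_SETS:
            if dll not in names:
                continue
            present_exe = exe if exe in names else None
            present_data = sorted(data_files & names)
            if present_data:
                confidence = "high"
            elif present_exe:
                confidence = "low"
            else:
                continue
            hits.append({"dir": directory, "dll": dll, "exe": present_exe,
                         "data": present_data, "confidence": confidence})
    return hits


def split_cmdline(command_line):
    """Split a Windows command line on whitespace, honouring double quotes.
    Simplified: no backslash-escape handling, which these samples do not need."""
    tokens, current, in_quotes = [], [], False
    for ch in command_line:
        if ch == '"':
            in_quotes = not in_quotes
        elif ch.isspace() and not in_quotes:
            if current:
                tokens.append("".join(current))
                current = []
        else:
            current.append(ch)
    if current:
        tokens.append("".join(current))
    return tokens


def check_process_event(image_path, command_line):
    """Findings for one process-creation event: the image is a Table 2 launcher
    target, and/or the command line runs cdb.exe with a -cf script (Type C),
    in which case the script file is reported so it can be collected."""
    findings = []
    if normalize(image_path) in LAUNCHER_PATHS:
        findings.append(("launcher_path", image_path))
    argv = split_cmdline(command_line)
    lowered = [a.lower() for a in argv]
    if any(a.endswith("cdb.exe") for a in lowered) and "-cf" in lowered:
        idx = lowered.index("-cf")
        if idx + 1 < len(argv):
            findings.append(("cdb_script", argv[idx + 1]))
    return findings


# Constructed sample data: a partial file inventory and (image, command line)
# pairs in the style of process-creation telemetry. Not real host data.
SAMPLE_INVENTORY = [
    r"C:\Program Files\Microsoft Office\winword.exe",
    r"C:\Program Files\Microsoft Office\wwlib.dll",
    r"C:\Program Files\Microsoft Office\gimaqkwo.iqq",
    r"C:\Program Files\Microsoft Office\root\Office16\winword.exe",
    r"C:\Program Files\Microsoft Office\root\Office16\wwlib.dll",
    r"C:\AMD\Chipset_Software\rc.exe",
    r"C:\AMD\Chipset_Software\rcdll.dll",
    r"C:\AMD\Chipset_Software\wctE5ED.tmp",
    r"C:\Windows\System32\kernel32.dll",
]
SAMPLE_EVENTS = [
    (r"C:\AMD\Chipset_Software\rc.exe", r"C:\AMD\Chipset_Software\rc.exe"),
    (r"C:\ProgramData\Microsoft OneDrive\setup\nir.exe",
     r'"C:\ProgramData\Microsoft OneDrive\setup\nir.exe" exec hide cdb.exe -pd '
     r'-cf "C:\ProgramData\Microsoft OneDrive\setup\dbglog.dat" dllhost'),
    (r"C:\Windows\System32\notepad.exe", "notepad.exe"),
]

if __name__ == "__main__":
    for hit in find_sideload_sets(SAMPLE_INVENTORY):
        print("side-load set:", hit)
    for image, cmdline in SAMPLE_EVENTS:
        for kind, detail in check_process_event(image, cmdline):
            print(f"{kind}: {detail}")
```

Run against a real host, the inventory would come from a recursive directory listing and the events from Sysmon event ID 1 or EDR process telemetry; the "low" hits are expected on every Office install and are there to be cross-checked against the file hashes and sizes given in the text (legitimate ERP builds of about 20 MB versus 4 MB malicious samples), not to be alerted on by themselves.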

3. Conclusion

The activities of the TIDRONE threat actor, known for attacking defense companies in Taiwan, continue to be identified in South Korea. The recently identified cases involve the abuse of ERP software suspected to have been created by a small development company.

Organizations should block threat actor access with security products and keep V3 updated to the latest version so that malware infections are prevented.

File Detection
– Trojan/Win.Loader.R679179 (2024.11.11.00)
– Trojan/Win.Loader.R679207 (2024.11.11.00)
– Trojan/Win.Loader.R681991 (2024.11.16.03)
– Trojan/Win.Agent.C5628462 (2024.05.31.02)
– Trojan/Win.Loader.C5666988 (2024.09.08.03)
– Trojan/Win.Launcher.C5666991 (2024.09.08.03)
– Trojan/Win.Loader.C5666994 (2024.09.10.00)
– Dropper/Win.Agent.C5692128 (2024.11.10.03)
– Trojan/Win.Launcher.C5692134 (2024.11.11.00)
– Trojan/Win.Loader.C5692141 (2024.11.11.00)
– Data/BIN.EncPe (2024.11.11.03)
– Data/BIN.Shellcode (2024.05.29.02)

MD5

11529c342d150647a020145da873ea98
127c722bf973d850ee085ab863257692
26ff6fac8ac83ece36b95442f5bb81ce
30c0796aa5d7ba9ea3790a0210ec9840
314f239e2ba3fbf6b9e6b4f13ee043e7

FQDN

ac[.]metyp9[.]com
server[.]microsoftsvc[.]com

Full Research: https://asec.ahnlab.com/en/85119/