Full Report
AhnLab SEcurity intelligence Center (ASEC) has recently identified that the TIDRONE threat actor is launching attacks against companies. In the attack cases, Enterprise Resource Planning (ERP) software was exploited to install a backdoor malware called CLNTEND. TIDRONE is a threat group known for targeting Taiwanese defense companies and drone manufacturers. Trend Micro first reported […] The post Analysis on the Case of TIDRONE Threat Actor’s Attacks on Korean Companies appeared first on ASEC.
Analysis Summary
# Threat Actor: TIDRONE
## Attribution & Identity
TIDRONE is a threat group assessed to be associated with Chinese-speaking threat actors. Trend Micro first reported on TIDRONE in September 2024.
## Activity Summary
TIDRONE is actively exploiting Enterprise Resource Planning (ERP) software to deploy backdoors. Initial attacks (first half of 2024) against Korean companies exploited ERP software and UltraVNC to install the CLNTEND malware. Since July 2024, the group has shifted to exploiting Korean ERP software, often targeting versions developed by small-sized companies with limited user bases. The group has distributed different versions of malware tailored to specific clients, in some cases replacing a legitimate ERP installer with a dropper that installs both the ERP software and the CLNTEND malware.
## Tactics, Techniques & Procedures
- **Exploitation of Vulnerabilities:** Exploiting ERP software and UltraVNC (remote desktop software).
- **DLL Side-Loading:** Abusing the DLL search order of legitimate Windows and vendor executables (`winword.exe`, `VsGraphicsDesktopEngine.exe`, `rc.exe`) to load a malicious DLL placed beside them.
- **Loader Mechanisms:** Using various loader malware to hinder analysis, including overwriting the Fiber structure.
- **Memory Decryption:** Employing techniques like using `FlsCallback` to decrypt encrypted data files in memory.
- **Malware Chain:** Distributing a chain of malware components: Loader, encrypted data, and Launcher, which ultimately executes the RAT.
## Targeting
- **Sectors:** Defense companies, drone manufacturers, and general companies utilizing specialized ERP systems.
- **Geography:** Primarily Taiwan (historically) and South Korea (recent activity in 2024).
- **Victims:** Taiwanese defense/drone companies, and Korean companies using targeted ERP software suspected to be custom-developed by small firms.
## Tools & Infrastructure
- **Malware families used:**
  - **CLNTEND:** A Remote Access Trojan (RAT) supporting various protocols (TCP (Raw Socket, Web Socket), TLS, HTTP, HTTPS, SMB).
  - **CXCLNT:** Another backdoor malware previously reported alongside CLNTEND.
  - Various proprietary Loader, encrypted data, and Launcher malware used to deploy the payload.
- **Infrastructure (C2, domains, IPs):**
  - `ac[.]metyp9[.]com`
  - `server[.]microsoftsvc[.]com`
## Implications
TIDRONE demonstrates adaptability by shifting focus from established Taiwanese defense/drone targets to the often less-secure, custom ERP systems used by Korean companies. The use of DLL side-loading and custom loaders points towards an intent to evade detection and complicate incident response. The continued development of custom RATs like CLNTEND suggests sustained espionage or information-gathering objectives against targeted sectors.
## Mitigations
- Implement robust security product monitoring and ensure V3 (Antivirus) software is updated to the latest version to detect known malware signatures.
- Scrutinize software updates and installations originating from third-party or custom-developed ERP systems, especially when installed by small-sized third-party vendors.
- Monitor for anomalous process behavior in which legitimate executables (such as `winword.exe`, `rc.exe`, or vendor executables) load their companion DLLs (e.g., `wwlib.dll`, `rcdll.dll`) from unexpected locations, in particular from user-writable directories rather than the product's install directory.
- Review network traffic for unexpected communications over the protocols CLNTEND supports (TCP, TLS, HTTP/HTTPS, SMB) originating from endpoint processes that are not generally expected to communicate externally.
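The two monitoring recommendations above can be turned into concrete detection logic. The following is an added example written for this summary, not code from ASEC or from the report; it runs over constructed Sysmon-style image-load and network-connection records (the field names, the expected install directories for Office and the Windows Kits, and the sample paths and addresses are all assumptions, and none of the values are indicators from the report). It flags the host/DLL pairs the report names when the DLL is loaded from outside its expected install directory or from a user-writable path, when the host executable itself has been relocated there, or when the DLL's signature does not validate; separately, it flags outbound connections to non-RFC1918 destinations from processes that should not talk externally.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple, Union

# Host executables named in the report, mapped to the DLL each legitimately
# loads and the directory prefixes where a genuine copy is expected.
# The directory prefixes are assumptions for this example.
SIDELOAD_PAIRS = {
    "winword.exe": ("wwlib.dll", (
        "c:/program files/microsoft office/",
        "c:/program files (x86)/microsoft office/",
    )),
    "rc.exe": ("rcdll.dll", (
        "c:/program files (x86)/windows kits/",
        "c:/program files/windows kits/",
    )),
}

# Locations a standard user can write to; a side-loaded DLL (and usually a
# relocated copy of its host) tends to live here rather than under Program Files.
USER_WRITABLE_PREFIXES = ("c:/users/", "c:/programdata/", "c:/windows/temp/")

# Processes that have no business opening outbound connections on their own.
NO_NETWORK_EXPECTED = {"winword.exe", "rc.exe", "vsgraphicsdesktopengine.exe"}

# Destinations treated as internal; anything else counts as "external".
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


@dataclass
class ImageLoad:          # modelled on a Sysmon Event ID 7 record (assumption)
    image: str            # full path of the process executable
    loaded: str           # full path of the module that was loaded
    signed: bool          # whether the module's Authenticode signature validated


@dataclass
class NetConn:            # modelled on a Sysmon Event ID 3 record (assumption)
    image: str
    dest_ip: str
    dest_port: int
    initiated: bool       # True when the process opened the connection


def norm(path: str) -> str:
    """Lower-case and forward-slash a Windows path so prefix checks are simple."""
    return path.replace("\\", "/").lower()


def basename(path: str) -> str:
    return norm(path).rsplit("/", 1)[-1]


def check_image_load(ev: ImageLoad) -> Optional[str]:
    """Return a finding string if this load matches a side-loading pattern, else None."""
    host = basename(ev.image)
    if host not in SIDELOAD_PAIRS:
        return None
    dll, expected_dirs = SIDELOAD_PAIRS[host]
    if basename(ev.loaded) != dll:
        return None                      # some other module; not the pair we watch
    loaded, image = norm(ev.loaded), norm(ev.image)
    reasons = []
    if not loaded.startswith(expected_dirs):
        reasons.append(f"{dll} loaded from outside its expected install directory")
    if loaded.startswith(USER_WRITABLE_PREFIXES):
        reasons.append(f"{dll} resides in a user-writable path")
    if image.startswith(USER_WRITABLE_PREFIXES):
        reasons.append(f"{host} was relocated to a user-writable path")
    if not ev.signed:
        reasons.append(f"{dll} signature did not validate")
    return "; ".join(reasons) if reasons else None


def check_net_conn(ev: NetConn) -> Optional[str]:
    """Flag outbound connections to external addresses from non-network processes."""
    host = basename(ev.image)
    if host not in NO_NETWORK_EXPECTED or not ev.initiated:
        return None
    addr = ipaddress.ip_address(ev.dest_ip)
    if any(addr in net for net in INTERNAL_NETS):
        return None                      # internal destination; out of scope here
    return f"{host} initiated an outbound connection to {ev.dest_ip}:{ev.dest_port}"


def run_detections(events: List[Union[ImageLoad, NetConn]]) -> List[Tuple[int, str]]:
    """Apply the matching check to each event; return (event index, finding) pairs."""
    findings = []
    for i, ev in enumerate(events):
        finding = check_image_load(ev) if isinstance(ev, ImageLoad) else check_net_conn(ev)
        if finding:
            findings.append((i, finding))
    return findings


# Constructed sample events: paths, user name and addresses are illustrative only.
SAMPLE_EVENTS = [
    ImageLoad(r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
              r"C:\Program Files\Microsoft Office\root\Office16\wwlib.dll", signed=True),
    ImageLoad(r"C:\Users\alice\AppData\Local\Temp\erp_setup\winword.exe",
              r"C:\Users\alice\AppData\Local\Temp\erp_setup\wwlib.dll", signed=False),
    ImageLoad(r"C:\Program Files (x86)\Windows Kits\10\bin\x64\rc.exe",
              r"C:\Program Files (x86)\Windows Kits\10\bin\x64\rcdll.dll", signed=True),
    NetConn(r"C:\Users\alice\AppData\Local\Temp\erp_setup\winword.exe", "203.0.113.10", 443, initiated=True),
    NetConn(r"C:\Program Files\Google\Chrome\Application\chrome.exe", "203.0.113.10", 443, initiated=True),
    NetConn(r"C:\Users\alice\AppData\Local\Temp\erp_setup\winword.exe", "10.0.0.5", 445, initiated=True),
]

if __name__ == "__main__":
    for idx, finding in run_detections(SAMPLE_EVENTS):
        print(f"event {idx}: {finding}")
```

Only the relocated `winword.exe`/`wwlib.dll` pair and its external connection are reported; the genuine Office and Windows Kits loads pass, as does the browser's connection. The internal SMB connection from the relocated `winword.exe` is deliberately left to a separate rule, since the report lists SMB among CLNTEND's transports and internal SMB traffic needs its own baseline rather than the "external destination" test used here.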