Full Report
A cyber espionage group known as Earth Ammit has been linked to two related but distinct campaigns from 2023 to 2024 targeting various entities in Taiwan and South Korea, including military, satellite, heavy industry, media, technology, software services, and healthcare sectors. Cybersecurity firm Trend Micro said the first wave, codenamed VENOM, mainly targeted software service providers, while
Analysis Summary
# Threat Actor: Earth Ammit
## Attribution & Identity
* **Identification:** Cyber espionage group assessed to be connected to Chinese-speaking nation-state groups.
* **Known Aliases/Associations:** TTPs resemble those used by another Chinese nation-state hacking group tracked as Dalbit (aka m00nlight), suggesting a shared toolkit.
## Activity Summary
Earth Ammit has been linked to two related campaigns between 2023 and 2024:
1. **VENOM Campaign:** Primarily targeted software service providers by exploiting web server vulnerabilities to establish initial access via web shells and deploy RATs for persistent access. The goal was to compromise the upstream segment of the drone supply chain to harvest credentials for the next phase.
2. **TIDRONE Campaign:** Targeted the military and satellite industries downstream from the VENOM victims. This campaign was notably focused on compromising drone manufacturers to distribute custom malware.
The overall strategy involves a two-phase approach: broad initial compromise using low-cost tools via supply chain attacks (VENOM), followed by targeted intrusions against high-value entities (TIDRONE).
## Tactics, Techniques & Procedures
- **Initial Access (VENOM):** Exploitation of web server vulnerabilities to drop web shells.
- **Supply Chain Compromise:** Penetrating upstream software service providers to inject malicious code and distribute malware to downstream customers, including leveraging ERP software.
- **Persistence/Evasion (TIDRONE):** Setting up persistence, escalating privileges, and disabling antivirus software.
- **Disabling Security:** Use of `TrueSightKiller` to disable AV software.
- **C2 Communication:** Use of trusted communication channels (remote monitoring/IT management tools) to distribute payloads.
- **Obfuscation:** Utilizing open-source tools like REVSOCK and Sliver to cloud attribution efforts.
- **Modular Malware:** CXCLNT uses a modular plugin system to dynamically retrieve additional capabilities from C2, obscuring its true purpose during static analysis.
## Targeting
* **Sectors:** Military, satellite, heavy industry, media, technology, software services, and healthcare sectors.
* **Geography:** Taiwan and South Korea.
* **Victims:** Software service providers (upstream), drone manufacturers, and organizations in the military and satellite industries (downstream).
## Tools & Infrastructure
* **Malware Families:**
  * **Custom Malware:** CXCLNT (backdoor, active since 2022, uses modular plugin system), CLNTEND (successor to CXCLNT, detected in 2024 with expanded features).
  * **Delivery/Backdoor:** VENFRPC (customized version of the open-source fast reverse proxy tool, FRPC).
  * **RATs:** Remote Access Tools deployed post-initial access.
  * **Utility Tools:** SCREENCAP (screenshot-capturing tool).
* **Infrastructure:**
  * Open-source tools leveraged: REVSOCK, Sliver, FRPC.
  * DLL loader used for C2 communication in TIDRONE.
## Implications
Earth Ammit represents a sophisticated, multi-stage cyber espionage threat leveraging supply chain access (VENOM) before pivoting to highly sensitive targets in defense and critical infrastructure (TIDRONE). Their tendency to use trusted enterprise software paths and custom versions of legitimate tools makes detection challenging. The connection to Dalbit/m00nlight suggests a shared, well-resourced pool of Chinese state-sponsored capabilities.
## Mitigations
- Harden web servers against known exploitation vectors to prevent initial web shell placement.
- Implement strict monitoring and segmentation around Enterprise Resource Planning (ERP) software, as it is being leveraged for lateral movement.
- Scrutinize all communications originating from trusted IT management/remote monitoring tools for signs of malicious payload distribution.
- Prioritize detection of custom reverse proxies and open-source tools being used in unexpected ways (e.g., Sliver, FRP variants).
- Actively monitor for evidence of customized tools targeting security products, such as those named `TrueSightKiller`.
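As an added illustration (not part of the report), the following triage script turns three of the mitigations above into process-creation rules: a web server spawning a command interpreter, the FRP client's usual `-c <config>` invocation, and the `TrueSightKiller` name. The Sysmon-style field names, the web server and shell process names, and the sample events are all assumptions constructed for the example.

```python
"""Process-creation triage for the Earth Ammit mitigations (added example; constructed data)."""
import re
from typing import Iterable

# Rule 1: a web server process should never spawn a command interpreter (the
# web-shell path used for VENOM initial access). Process names are common defaults (assumption).
WEB_SERVERS = {"w3wp.exe", "httpd", "nginx", "php-fpm", "tomcat9.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "sh", "bash"}

# Rules 2-3: tools named on the page, matched by stock binary name or by the FRP client's
# "-c <config>" invocation. A renamed copy evades these, so treat them as a floor, not a ceiling.
TOOL_RULES = [
    ("TrueSightKiller", re.compile(r"truesightkiller", re.I)),
    ("FRP client (frpc)", re.compile(r"(^|[\\/ ])frpc(\.exe)?\b.*\s-c\s+\S+\.(ini|toml|yaml)", re.I)),
]

def _basename(path: str) -> str:
    """Last path component, Windows or POSIX separators, lower-cased."""
    return re.split(r"[\\/]", path)[-1].lower()

def triage(events: Iterable[dict]) -> list[tuple[str, str, str]]:
    """Return (timestamp, rule, detail) for every event that matches a rule."""
    hits = []
    for ev in events:
        parent, image = _basename(ev.get("ParentImage", "")), _basename(ev.get("Image", ""))
        cmd = ev.get("CommandLine", "")
        if parent in WEB_SERVERS and image in SHELLS:
            hits.append((ev["ts"], "web-server-spawned shell", f"{parent} -> {cmd}"))
        for name, pat in TOOL_RULES:
            if pat.search(image) or pat.search(cmd):
                hits.append((ev["ts"], f"tool: {name}", cmd))
    return hits

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"ts": "2024-03-01T10:00:01", "ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe /c whoami"},
    {"ts": "2024-03-01T10:00:05", "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\notepad.exe", "CommandLine": "notepad.exe notes.txt"},
    {"ts": "2024-03-01T10:02:10", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Users\Public\frpc.exe", "CommandLine": "frpc.exe -c frpc.ini"},
    {"ts": "2024-03-01T10:05:00", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Users\Public\TrueSightKiller.exe", "CommandLine": "TrueSightKiller.exe"},
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print(*hit, sep=" | ")
```

The second sample event (explorer launching notepad) is benign and produces no hit; the other three each match exactly one rule.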