September 8, 2024 at 09:02PM
Researchers have identified a threat actor named “TIDrone” targeting military and satellite supply chains, specifically drone manufacturers in Taiwan. Trend Micro has linked TIDrone to Chinese-speaking groups, using ERP software and remote desktop tools to deploy advanced malware. The actor utilizes specialized toolsets including “CXCLNT” and “CLNTEND” to compromise targets and bypass security measures.
The report makes clear that a threat actor known as “TIDrone” is actively targeting military- and satellite-related industrial supply chains, particularly drone manufacturers in Taiwan. Trend Micro has linked TIDrone to Chinese-speaking groups and highlighted its use of enterprise resource planning (ERP) software or remote desktop tools to deploy advanced, proprietary malware.
The analysis from Trend Micro indicates that the threat has been targeting Taiwan since the beginning of 2024, but telemetry from VirusTotal suggests that the targeted countries are varied, warranting vigilance from all parties.
Specific toolsets employed by TIDrone include “CXCLNT,” which has capabilities for file upload and download, information collection, and stealth features, as well as “CLNTEND,” a remote access tool (RAT) supporting various network protocols for communication.
Once a target is compromised, TIDrone deploys techniques such as user account control (UAC) bypass, credential dumping, and hacktool usage to disable antivirus products. The threat actors have continually updated their arsenal and optimized the attack chain, employing anti-analysis techniques in their loaders, such as manipulating widely used APIs like GetProcAddress.