September 10, 2024 at 08:15AM
A threat actor linked to China, known as Tidrone, has targeted military-related and satellite industries in Taiwan, with a particular focus on drone manufacturers. Using sophisticated malware, backdoors, and legitimate remote control tools, the group aims to disable system protections, steal information, and carry out espionage-related activities. These activities resemble other Chinese espionage-related operations.
The key takeaways are:
– A threat actor known as Tidrone, linked to China, has been targeting military-related and satellite industries in Taiwan. Trend Micro has observed that the group has focused particularly on drone manufacturers and has used sophisticated malware to disable system protections and steal information.
– Tidrone has used ERP software and remote desktop access to deploy its malware, including two backdoors, Cxclnt and Clntend, both deployed using UltraVNC, a legitimate remote control tool.
– The threat actor has been observed using loaders to deploy its backdoors in memory, and has updated the deployment technique between the two backdoors by merging the two payloads into one.
– Tidrone prefers C&C server domains whose names are deliberately misquoted, to mislead investigation of its network infrastructure. The cybersecurity firm suggests that the similarities with Chinese espionage-related activities indicate that Tidrone is an as yet unidentified Chinese-speaking threat group conducting targeted attacks with an espionage motive.
– There have been related incidents and activities involving Chinese hackers targeting various regions and industries, which raises concerns about Chinese cyber activities and espionage.
These takeaways highlight the significant and ongoing threat posed by Tidrone and the broader concerns around Chinese cyber activities and espionage.