A Chinese APT actor known as ‘Antlion’ has been targeting banking and manufacturing businesses with a new proprietary backdoor known as ‘xPack.’
The malware was deployed in a campaign against targets in Taiwan that lasted more than 18 months, between 2020 and 2021, allowing the adversaries to conduct stealthy cyber-espionage activities. According to a study from Symantec, a Broadcom company, xPack lets attackers run WMI commands remotely, exploit EternalBlue vulnerabilities, and mount shares over SMB to send data to the command and control (C2) server. In one attack, the threat actor stayed on the compromised network for 175 days; in two earlier attacks studied by Symantec's researchers, the attacker remained unnoticed on the network for up to 250 days.
This degree of stealth was partly achieved by using bespoke malware that was unknown to threat researchers. xPack is a .NET loader that can retrieve and execute AES-encrypted payloads, run system commands, and stage data for exfiltration. Symantec also discovered the following proprietary tools that were used alongside xPack during this campaign:
EHAGBPSL – Custom C++ loader
JpgRun – Custom C++ loader
CheckID – Custom C++ loader based on a similar tool used by the BlackHole RAT
NetSessionEnum – Custom SMB session enumeration tool
ENCODE MMC – Custom bind/reverse file transfer tool
Kerberos golden ticket tool based on the Mimikatz credentials stealer
Antlion combined these with various off-the-shelf and living-off-the-land (LoL) tools to achieve full operational capability without raising alarms. In this campaign, tools including PowerShell, WMIC, ProcDump, LSASS, and PsExec were used extensively, leaving traces that readily blended in with normal operating system activity. Finally, the actors were seen using CVE-2019-1458 for privilege escalation and remote scheduling, which aided in executing the backdoor.
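The tooling listed above blends in precisely because each binary is legitimate; what stands out is how it is invoked. The following is an added example (not code from the article or from Symantec) of simple detection heuristics run over constructed process-creation records that mimic Sysmon/EDR telemetry; the hostnames, paths and command lines are invented for the demonstration.

```python
"""Detection heuristics for the living-off-the-land tradecraft described
above: ProcDump against LSASS, remote WMIC process creation, the PsExec
service binary, and encoded PowerShell commands."""
import re

# Constructed sample records (not from the campaign); fields mimic
# Sysmon Event ID 1 / EDR process-creation events.
SAMPLE_EVENTS = [
    {"host": "ws01", "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe /c dir C:\\Users"},
    {"host": "ws02", "image": r"C:\Tools\procdump64.exe",
     "cmdline": "procdump64.exe -accepteula -ma lsass.exe C:\\Temp\\out.dmp"},
    {"host": "ws03", "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "cmdline": "wmic /node:10.0.0.5 process call create \"cmd.exe /c hostname\""},
    {"host": "srv01", "image": r"C:\Windows\PSEXESVC.exe",
     "cmdline": "PSEXESVC.exe"},
    {"host": "ws04", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -NoProfile -EncodedCommand SQBFAFgA"},
]

# (rule name, event field to inspect, pattern)
RULES = [
    ("lsass_dump_via_procdump", "cmdline",
     re.compile(r"procdump.*\blsass\b", re.I)),
    ("remote_wmic_process_create", "cmdline",
     re.compile(r"wmic.*/node:\S+.*process\s+call\s+create", re.I)),
    ("psexec_service_binary", "image",
     re.compile(r"(^|\\)psexesvc\.exe$", re.I)),
    ("powershell_encoded_command", "cmdline",
     re.compile(r"powershell.*-(enc|encodedcommand)\b", re.I)),
]

def classify(event):
    """Return the names of all rules matched by one process event."""
    return [name for name, field, pattern in RULES
            if pattern.search(event[field])]

def scan(events):
    """Map host -> list of matched rule names, omitting hosts with no hits."""
    findings = {}
    for ev in events:
        hits = classify(ev)
        if hits:
            findings.setdefault(ev["host"], []).extend(hits)
    return findings

if __name__ == "__main__":
    for host, hits in scan(SAMPLE_EVENTS).items():
        print(host, hits)
```

Real telemetry would also carry parent process and user context, which is what turns these coarse matches into triage-worthy alerts rather than noise from administrators' legitimate use of the same tools.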
“There is also evidence that the attackers likely automated the data collection process via batch scripts, while there is also evidence of instances where data was likely staged for further exfiltration, though it was not actually observed being exfiltrated from the network,” explains Symantec. “In these instances, it appears the attackers were interested in collecting information from software pertaining to business contacts, investments, and smart card readers.”
xPack was initially used to capture basic system information and running processes in the attacks examined by Symantec’s experts and later for dumping credentials. Following that, the actors returned regularly and used xPack to grab account credentials from several workstations in the targeted businesses.