State Hackers’ New Malware Helped Them Go Undetected for 250 Days


A Chinese state-backed APT actor tracked as “Antlion” is using a new custom backdoor called “xPack” against financial organizations and manufacturing companies.

The malware was used in a campaign against targets in Taiwan that researchers say spanned more than 18 months, between 2020 and 2021, allowing adversaries to conduct stealthy cyber espionage operations.

According to a report by Symantec, a Broadcom company, shared with BleepingComputer, xPack allowed the attackers to run WMI commands remotely, use the EternalBlue exploit, and mount shares over SMB in order to pass data to the command and control (C2) server.

In the network for 250 days

Details of an attack show that the threat actor spent 175 days on the compromised network. However, Symantec researchers analyzing two other attacks determined that the adversary went undetected on the network for 250 days.

The use of custom malware unknown to threat analysts played a key role in achieving this level of stealth.

xPack is a .NET loader that fetches and runs AES-encrypted payloads, while also being able to run system commands and prepare data for exfiltration.

Symantec also spotted the following custom tools that accompanied xPack in this campaign:

  • EHAGBPSL – Custom C++ loader
  • JpgRun – Custom C++ loader
  • Control ID – Custom C++ loader based on a similar tool used by the BlackHole RAT
  • NetSessionEnum – Custom SMB session enumeration tool
  • MMC ENCODER – Custom linked/reverse file transfer tool
  • Kerberos golden ticket tool based on Mimikatz credential stealer

Antlion also used various off-the-shelf and living-off-the-land (LotL) tools in combination with the above to achieve full operational capability without raising security alerts.

Tools such as PowerShell, WMIC, ProcDump, LSASS, and PsExec were common in this campaign, leaving traces that blend in easily with ordinary operating system activity.

Finally, the actors were also observed leveraging CVE-2019-1458 for privilege escalation and remote scheduling, which helped execute the backdoor.
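The two paragraphs above describe the kind of activity that is hard to spot precisely because it rides on built-in tooling: ProcDump pointed at LSASS, remote process creation through WMIC, PsExec sessions, and remotely created scheduled tasks. The following detection sketch is an added example and is not code from Symantec or from the report; it runs a handful of command-line rules over a constructed set of process-creation records (the log lines, host names and user names are made up for the example, as is the pipe-delimited format) and returns the rule hits so a defender can see which events would have surfaced.

```python
"""Detection rules for the living-off-the-land behaviour the article describes.

Added example, not Symantec's or Antlion's code. The input format
(host|user|image|commandline per line) and every sample record are
constructed for this example; adapt parse_log() to your own telemetry
(Sysmon Event ID 1, Windows Security 4688, or an EDR export).
"""
import re
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class ProcessEvent:
    host: str
    user: str
    image: str      # full path of the executable that started
    cmdline: str    # command line as recorded by the sensor


# Constructed sample telemetry; two benign lines sit among four suspicious ones.
SAMPLE_LOG = """\
WS01|corp\\alice|C:\\Windows\\System32\\notepad.exe|notepad.exe report.txt
WS01|corp\\alice|C:\\Tools\\procdump64.exe|procdump64.exe -accepteula -ma lsass.exe C:\\temp\\l.dmp
WS01|corp\\svc_backup|C:\\Windows\\System32\\wbem\\WMIC.exe|wmic /node:FS02 process call create "cmd /c whoami"
SRV02|corp\\admin|C:\\Windows\\System32\\schtasks.exe|schtasks /create /s FS02 /tn Updater /tr C:\\ProgramData\\x.exe /sc once /st 00:00
WS01|corp\\alice|C:\\Windows\\System32\\wbem\\WMIC.exe|wmic os get caption
SRV02|corp\\admin|C:\\Windows\\System32\\PsExec.exe|psexec \\\\FS02 -s cmd.exe
"""

# Each rule is (name, pattern over the command line). Patterns are deliberately
# narrow: WMIC and schtasks are only flagged when they target a remote host
# (/node: or /s), so routine local use does not fire.
RULES: List[Tuple[str, re.Pattern]] = [
    ("lsass_dump_procdump", re.compile(r"procdump.*\blsass\b", re.I)),
    ("wmic_remote_process_create",
     re.compile(r"wmic\s+.*?/node:\S+.*process\s+call\s+create", re.I)),
    ("schtasks_remote_create",
     re.compile(r"schtasks\s+/create\b.*\s/s\s+\S+", re.I)),
    ("psexec_remote_exec", re.compile(r"psexec\S*\s+\\\\\S+", re.I)),
]


def parse_log(text: str) -> List[ProcessEvent]:
    """Parse the constructed pipe-delimited records into ProcessEvent objects."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        host, user, image, cmdline = line.split("|", 3)
        events.append(ProcessEvent(host, user, image, cmdline))
    return events


def detect(events: List[ProcessEvent]) -> List[Tuple[str, str, str]]:
    """Return (rule_name, host, user) for every event matching a rule."""
    hits = []
    for ev in events:
        for name, pattern in RULES:
            if pattern.search(ev.cmdline):
                hits.append((name, ev.host, ev.user))
    return hits


def hosts_with_multiple_techniques(hits: List[Tuple[str, str, str]]) -> List[str]:
    """Hosts on which more than one distinct rule fired; a useful triage pivot,
    since a single LSASS dump or PsExec call may be an admin, but several
    techniques on one host within a window looks like hands-on-keyboard."""
    per_host = {}
    for name, host, _user in hits:
        per_host.setdefault(host, set()).add(name)
    return sorted(h for h, names in per_host.items() if len(names) > 1)


if __name__ == "__main__":
    found = detect(parse_log(SAMPLE_LOG))
    for hit in found:
        print(hit)
    print("hosts with multiple techniques:", hosts_with_multiple_techniques(found))
```

The rules are command-line string matches, so they are cheap to run over a SIEM export but easy to evade by renaming the binary; in production you would additionally key off the image's original file name or signer (for ProcDump and PsExec) and off Sysmon Event ID 10 with LSASS as the target process, rather than trusting the command line alone.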

This vulnerability was recently included in CISA’s list of actively exploited vulnerabilities, so it is still an attractive avenue for several adversaries.

“There is also evidence that the attackers likely automated the data collection process through batch scripts, while there is also evidence of cases where the data was likely staged for further exfiltration, although they have not actually been observed exfiltrated from the network,” explains Symantec.

“In these cases, it appears the attackers were interested in gathering information from software regarding business contacts, investments, and smart card readers.”

In attacks dissected by Symantec analysts, xPack was first used to gather basic system information and running processes, then to dump credentials.

Then the actors returned periodically and again launched xPack to steal the account credentials of several machines in the compromised organizations.

Antlion always active and dangerous

Antlion is believed to have been involved in cyber espionage activities since at least 2011, so it’s an actor that has remained a threat to organizations for over a decade now.

Its interest in targeting Taiwanese companies has political overtones and is part of the operational strategy of most Chinese state-sponsored groups.

As detailed in Symantec’s report, this particular campaign focused on dumping credentials from compromised systems and then using them to move laterally.

It is possible that Antlion shared these credentials with other Chinese hacker groups that had a different operational purpose, as it is common for actors working for the same state to collaborate.
