Antlion: Chinese APT Uses Custom Backdoor to Target Financial Institutions in Taiwan

MITRE Techniques

• [T1190] Exploit Public-Facing Application – The infection vector was likely exploitation of a web application or service. “The most likely infection vector was exploitation of a web application or service.”
• [T1059.001] PowerShell – Living-off-the-land usage for various commands and data collection. “living-off-the-land tools such as PowerShell, WMIC, ProcDump, LSASS, and PsExec.”
• [T1047] Windows Management Instrumentation – WMIC was used to execute commands and collect information. “WMIC was used to execute two commands.”
• [T1059.003] Command Shell – Command prompt usage to execute commands (e.g., ” “;cmd”; /K CHCP 950″).
• [T1003] Credential Dumping – Dumping credentials via registry and LSASS, enabling lateral movement. “Five minutes after those commands were issued, WMIC was used to dump credentials” and “reg save HKLMSAM …”
• [T1550.003] Kerberos Golden Ticket – Kerberos-based privilege escalation using Mimikatz. “Kerberos golden ticket tool based on Mimikatz.”
• [T1021.002] Remote Services – Use of SMB/shares to transfer/download malicious files and move laterally. “download malicious files via SMB shares” and “SMB session enumeration.”
• [T1041] Exfiltration – Data exfiltration via BitsTransfer and WinRAR-based archives. “BitsTransfer module to initiate an upload” and “Legitimate WinRAR appear to have been exploited.”
• [T1560] Data Staged – Data staged for exfiltration before actual transfer. “data was likely staged for further exfiltration.”
• [T1053.005] Scheduled Task – Remote scheduled tasks to execute the backdoor. “remote scheduled tasks to execute their backdoor.”
• [T1068] Privilege Escalation – Elevation-of-privilege exploitation (CVE-2019-1458). “CVE-2019-1458 is an elevation-of-privilege vulnerability.”