A so-far unattributed threat cluster tracked as TIDRONE targets Taiwan’s military-related and drone-manufacturing sectors, deploying the custom malware families CXCLNT and CLNTEND and using techniques such as UAC bypass, credential dumping, and antivirus evasion. The activity appears espionage-driven, with delivery possibly through the supply chain (compromised ERP software) and loaders that carry anti-analysis measures to avoid detection. #TIDRONE #CXCLNT #CLNTEND #Taiwan #Drones #ERP
Keypoints
- TIDRONE focuses on military-related industries in Taiwan, especially drone manufacturers.
- The malware toolsets CXCLNT and CLNTEND are deployed via ERP software or remote desktop sessions; the same ERP product was seen across victims, which is what points at a supply-chain vector.
- CXCLNT features include file upload/download, trace clearing, victim information collection, and loading additional PE files.
- CLNTEND is a remote access tool supporting multiple network protocols for maintaining access.
- Post-exploitation activity includes UAC bypass, credential dumping, and hacktool use to disable antivirus; the loaders employ anti-analysis techniques to hinder reverse engineering.
- Malware distribution may occur through supply-chain or compromised ERP systems, with espionage motives inferred.
MITRE Techniques
- [T1003] OS Credential Dumping – Used to collect sensitive information such as user credentials.
- [T1548.002] Abuse Elevation Control Mechanism: Bypass User Account Control (formerly T1088, now revoked) – Techniques employed to bypass User Account Control for privilege escalation.
- [T1219] Remote Access Software – CLNTEND is used for remote access to compromised systems.
- [T1203] Exploitation for Client Execution – Listed in the source for the deployment of CXCLNT and CLNTEND; note that this ID denotes client-side exploitation, and the page describes delivery via ERP software or remote desktop rather than a specific client exploit.
- [T1195] Supply Chain Compromise – Malware may be distributed through compromised ERP systems.
Indicators of Compromise
- [File] SHA-256 hashes of CXCLNT/CLNTEND samples – f13869390dda83d40960d4f8a6b438c5c4cd31b4d25def7726c2809ddc573dc7, e366f0209a939503418f2b7befbd60b79609b7298fed9c2fbafcb0e7fde19740, and 11 more hashes
- [Network] C2 domains observed – bestadll.fghytr.com, client.wns.windowswns.com, server.microsoftsvc.com, service.symantecsecuritycloud.com, time.vmwaresync.com. Four of the five imitate legitimate vendor infrastructure (Windows Notification Service, Microsoft, Symantec, VMware), so match on the exact registrable domain rather than on keywords.
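A minimal way to sweep for the indicators above, added here as an example and not part of the original page or of any vendor tooling: it hashes file contents against the two SHA-256 values the page prints in full (the 11 further hashes are not on the page, so they are not included) and matches DNS query names against the five C2 domains, including any sibling hostname under the same registrable zone. The DNS log format, the sample log lines and the `scan_dns_log`/`match_domain`/`match_file` names are assumptions made for this example; the zone derivation uses a two-label heuristic rather than the public suffix list, which is adequate for these .com names only.

```python
"""Match the TIDRONE IoCs listed on this page against file hashes and DNS query logs."""
import hashlib
import re
from typing import List, Optional

# Indicators copied from the page. Only two of the thirteen SHA-256 hashes are
# printed there, so only those two are listed here.
TIDRONE_SHA256 = {
    "f13869390dda83d40960d4f8a6b438c5c4cd31b4d25def7726c2809ddc573dc7",
    "e366f0209a939503418f2b7befbd60b79609b7298fed9c2fbafcb0e7fde19740",
}
TIDRONE_C2_HOSTS = {
    "bestadll.fghytr.com",
    "client.wns.windowswns.com",
    "server.microsoftsvc.com",
    "service.symantecsecuritycloud.com",
    "time.vmwaresync.com",
}
# Registrable zones derived from the hostnames above (last two labels). Assumption:
# a heuristic, not the public suffix list; fine for these .com names. Matching on
# the zone also catches other hostnames under the same attacker-controlled domain.
TIDRONE_C2_ZONES = {".".join(h.split(".")[-2:]) for h in TIDRONE_C2_HOSTS}


def normalize_host(name: str) -> str:
    """Lower-case and strip the trailing dot that DNS logs often carry."""
    return name.strip().rstrip(".").lower()


def match_domain(name: str) -> Optional[str]:
    """Return the indicator a queried name matches, or None.

    An exact hostname hit is reported as that hostname; any other name under one
    of the C2 zones (including the bare zone) is reported as the zone.
    """
    host = normalize_host(name)
    if host in TIDRONE_C2_HOSTS:
        return host
    for zone in TIDRONE_C2_ZONES:
        if host == zone or host.endswith("." + zone):
            return zone
    return None


def match_file(data: bytes) -> Optional[str]:
    """Return the SHA-256 of data if it is a listed sample hash, else None."""
    digest = hashlib.sha256(data).hexdigest()
    return digest if digest in TIDRONE_SHA256 else None


# Constructed DNS log format for this example (not a real product's format):
#   <ISO timestamp> <client IP> <qtype> <qname>
LOG_LINE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<qtype>[A-Z]+)\s+(?P<qname>\S+)$")


def scan_dns_log(lines: List[str]) -> List[dict]:
    """Return one hit per log line whose query name matches a TIDRONE C2 indicator."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than abort the whole scan
        indicator = match_domain(m["qname"])
        if indicator:
            hits.append({"ts": m["ts"], "client": m["client"],
                         "qname": normalize_host(m["qname"]), "indicator": indicator})
    return hits


# Constructed sample log: the look-alike vendor names are the page's C2 domains,
# the remaining lines are benign traffic added for contrast.
SAMPLE_DNS_LOG = [
    "2024-09-03T08:12:01Z 10.10.4.21 A update.microsoft.com.",
    "2024-09-03T08:12:07Z 10.10.4.21 A client.wns.windowswns.com.",
    "2024-09-03T08:15:44Z 10.10.4.37 AAAA api.fghytr.com",
    "2024-09-03T08:16:02Z 10.10.4.37 A TIME.VMWARESYNC.COM",
    "garbage line that does not parse",
    "2024-09-03T08:20:19Z 10.10.4.50 A www.vmware.com",
]

if __name__ == "__main__":
    for hit in scan_dns_log(SAMPLE_DNS_LOG):
        print(f"{hit['ts']} {hit['client']} queried {hit['qname']} -> matches {hit['indicator']}")
    # For files, hash whatever was pulled from the host and compare:
    print(match_file(b"not one of the listed samples"))
```

Matching on the zone rather than the exact hostname is deliberate: the C2 hostnames on the page (client., server., service., time.) look like arbitrary labels under attacker-registered vendor look-alike domains, so a new label under the same zone is still worth an alert. The benign vmware.com and microsoft.com queries in the sample do not fire, which is the point of matching registrable domains instead of vendor keywords.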