Earth Ammit, a Chinese-speaking threat actor, conducted two major supply chain attack campaigns—VENOM and TIDRONE—targeting upstream vendors in the drone supply chain and military sectors across Taiwan, South Korea, and other regions from 2023 to 2024. These campaigns employed evolving tradecraft including fiber-based evasion techniques and custom backdoors to infiltrate trusted networks, impacting organizations in military, satellite, heavy industry, technology, and healthcare sectors. #EarthAmmit #VENOM #TIDRONE #DroneSupplyChain #MilitaryIndustries
Keypoints
- Earth Ammit executed two distinct campaigns: VENOM (2023–2024) targeting service providers and technology companies, and TIDRONE (2024) focusing on military and satellite sectors primarily in Taiwan and South Korea.
- VENOM utilized mostly open-source tools for stealth and cost-effectiveness, while TIDRONE deployed custom-built malware like CXCLNT and CLNTEND backdoors with advanced fiber-based evasion techniques.
- Both campaigns relied on supply chain attack strategies by compromising trusted vendors upstream to penetrate downstream high-value targets across various industries.
- The TIDRONE infection chain began with initial access through malicious code injected into a trusted upstream vendor's software, followed by command and control through the multi-protocol CXCLNT and CLNTEND backdoors and post-exploitation activity such as credential dumping and disabling antivirus and EDR products.
- Earth Ammit's custom tools rely on in-memory execution, a plugin architecture that extends functionality on demand, process injection, and several alternative C&C protocols, both to avoid detection and to keep persistent access.
- Anti-analysis techniques included verifying the entry point via GetModuleHandle so the loader only runs in its expected process context, dependencies on a fixed execution order between components, and fiber-based APIs such as ConvertThreadToFiber and FlsAlloc, which let the payload run without creating a new thread and so sidestep monitoring keyed on thread creation.
- Organizations are advised to implement third-party risk management, enforce code signing, monitor fiber-related API usage, adopt Zero Trust Architecture, and use AI-powered platforms like Trend Vision One for detection and mitigation.
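The advice to monitor fiber-related API usage can be applied statically before a binary ever runs. The following Python is an added example and is not code from the Trend Micro report or from the Earth Ammit tooling: it parses a PE file's import directory by hand and flags the fiber API combination the loader variants depend on (ConvertThreadToFiber together with CreateFiber or FlsAlloc). The `build_sample_pe` fixture builds a minimal constructed PE32+ that contains only an import table, so the check runs offline; the import lists fed to it are constructed and do not correspond to any real sample.

```python
"""Static triage for the fiber-API pattern used by Earth Ammit's loaders (added example)."""
from __future__ import annotations
import struct

# kernel32 fiber / fiber-local-storage exports worth flagging.
FIBER_APIS = {
    "ConvertThreadToFiber", "ConvertThreadToFiberEx", "CreateFiber", "CreateFiberEx",
    "SwitchToFiber", "FlsAlloc", "FlsSetValue", "FlsGetValue",
}

def _u16(b, o): return struct.unpack_from("<H", b, o)[0]
def _u32(b, o): return struct.unpack_from("<I", b, o)[0]
def _u64(b, o): return struct.unpack_from("<Q", b, o)[0]
def _cstr(b, o): return b[o:b.index(b"\0", o)].decode("ascii", "replace")

def imported_functions(pe: bytes) -> dict[str, list[str]]:
    """Walk the import directory of a PE32/PE32+ image and return {dll: [function, ...]}."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    nt = _u32(pe, 0x3C)                               # e_lfanew -> "PE\0\0"
    if pe[nt:nt + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    nsec, opt_size = _u16(pe, nt + 6), _u16(pe, nt + 20)
    opt = nt + 24
    is64 = _u16(pe, opt) == 0x20B                     # IMAGE_NT_OPTIONAL_HDR64_MAGIC
    dd_count = _u32(pe, opt + (108 if is64 else 92))
    import_rva = _u32(pe, opt + (112 if is64 else 96) + 8) if dd_count >= 2 else 0
    if import_rva == 0:
        return {}
    # (VirtualAddress, mapped size, PointerToRawData) per section header.
    sections = []
    for i in range(nsec):
        s = opt + opt_size + 40 * i
        sections.append((_u32(pe, s + 12), max(_u32(pe, s + 8), _u32(pe, s + 16)), _u32(pe, s + 20)))

    def off(rva: int) -> int:
        for va, size, raw in sections:
            if va <= rva < va + size:
                return raw + (rva - va)
        raise ValueError(f"RVA {rva:#x} is not backed by any section")

    thunk_size, ordinal_bit = (8, 1 << 63) if is64 else (4, 1 << 31)
    read = _u64 if is64 else _u32
    result: dict[str, list[str]] = {}
    desc = off(import_rva)
    while True:
        oft, name_rva, ft = _u32(pe, desc), _u32(pe, desc + 12), _u32(pe, desc + 16)
        if name_rva == 0:                             # null descriptor ends the table
            break
        thunk = off(oft or ft)                        # prefer the ILT, fall back to the IAT
        names = []
        while (val := read(pe, thunk)) != 0:
            # Ordinal imports have no name; by-name entries point at IMAGE_IMPORT_BY_NAME (hint, name).
            names.append(f"#{val & 0xFFFF}" if val & ordinal_bit else _cstr(pe, off(val) + 2))
            thunk += thunk_size
        result[_cstr(pe, off(name_rva))] = names
        desc += 20
    return result

def fiber_indicators(imports: dict[str, list[str]]) -> dict:
    """Flag the loader pattern: thread converted to a fiber plus a fiber or an FLS slot being created."""
    hits = sorted({f for fns in imports.values() for f in fns if f in FIBER_APIS})
    converts = any(h.startswith("ConvertThreadToFiber") for h in hits)
    creates = any(h.startswith("CreateFiber") for h in hits) or "FlsAlloc" in hits
    return {"fiber_apis": hits, "suspicious": converts and creates}

def build_sample_pe(imports: dict[str, list[str]]) -> bytes:
    """Constructed fixture: a PE32+ whose single .rdata section holds nothing but an import table."""
    sec_rva, sec_off = 0x1000, 0x200
    thunk_rva = sec_rva + 20 * (len(imports) + 1)                      # descriptors, then ILT/IAT
    str_rva = thunk_rva + sum(2 * 8 * (len(f) + 1) for f in imports.values())
    strings, descs, thunks = bytearray(), bytearray(), bytearray()

    def add_str(s: str, hint: bool = False) -> int:
        rva = str_rva + len(strings)
        strings.extend((b"\0\0" if hint else b"") + s.encode() + b"\0")
        if len(strings) & 1:
            strings.append(0)
        return rva

    for dll, fns in imports.items():
        ilt_rva = thunk_rva + len(thunks)
        entries = b"".join(struct.pack("<Q", add_str(f, hint=True)) for f in fns) + b"\0" * 8
        thunks += entries                                                  # ILT
        iat_rva = thunk_rva + len(thunks)
        thunks += entries                                                  # IAT (same on disk)
        descs += struct.pack("<IIIII", ilt_rva, 0, 0, add_str(dll), iat_rva)
    descs += b"\0" * 20
    data = bytes(descs + thunks + strings).ljust(0x200, b"\0")
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)                     # e_lfanew = 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 240, 0x22)
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, 0x20B)
    struct.pack_into("<I", opt, 108, 16)                                   # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 120, sec_rva, len(descs))                 # data directory[1] = imports
    sect = struct.pack("<8sIIIIIIHHI", b".rdata", len(data), sec_rva, len(data), sec_off, 0, 0, 0, 0, 0x40000040)
    return (dos + coff + opt + sect).ljust(sec_off, b"\0") + data
```

Imports are a triage signal, not a verdict: legitimate software (fiber-based schedulers, some language runtimes) imports the same APIs, and a loader can resolve them at run time through GetProcAddress, in which case the names show up only as strings or, if encrypted, not at all. Pair the static check with runtime telemetry on the same calls.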
MITRE Techniques
- [T1078] Valid Accounts – Earth Ammit dumped NTDS credentials (domain account hashes) and reused them as legitimate accounts to extend access within victim environments (‘Once they had established persistence… targeted NTDS data from the victims’).
- [T1059] Command and Scripting Interpreter – The backdoors executed shellcode received from the C&C server and ran remote shell commands for post-exploitation, with the shell running under winword.exe (‘Receive shellcode from C&C server’, ‘commands are executed under winword.exe’).
- [T1055] Process Injection – Injection into the legitimate Windows binary dllhost.exe so the malicious code runs under a trusted, commonly present process name (‘process injection into dllhost.exe’).
- [T1480] Execution Guardrails – Anti-analysis checks such as entry-point verification via GetModuleHandle and XOR checks that stop the payload from running outside its intended process context or execution order (‘Anti-analysis through checking the expected parent process’).
- [T1129] Shared Modules (formerly Execution through Module Load) – CXCLNT and CLNTEND dynamically load additional plugins fetched from the C&C server to extend their capabilities (‘retrieves additional plugins from its C&C server’).
- [T1562] Impair Defenses – Disabling antivirus and EDR processes using tools like TrueSightKiller (‘TrueSightKiller… terminate antivirus and endpoint detection and response processes’).
- [T1106] Native API – Fiber-related Windows APIs (ConvertThreadToFiber, FlsAlloc) are used in loader variants A and B to run the payload without the thread-creation pattern that monitoring hooks typically watch (‘fiber-based technique in the loader with variant A/B’).
- [T1071] Application Layer Protocol – Communication over HTTP, HTTPS, SMB, TCP, TLS, UDP, and WebSocket by backdoors to blend in with legitimate traffic (‘supports two traffic parsing methods: a custom protocol over SSL and standard HTTPS’).
Indicators of Compromise
- [File Hashes] Customized malware and tools – the report's hash list covers VENFRPC (an open-source proxy tool with embedded victim-specific configuration), the CXCLNT and CLNTEND DLL backdoors, and the SCREENCAP screenshot tool used in Earth Ammit campaigns.
- [Domains] Command and Control infrastructure – notable domain fuckeveryday[.]life used in both VENOM and TIDRONE campaigns.
- [File Names] Malicious tools observed include winsrv.exe, main.exe (screenshot tool), TrueSightKiller.exe (antivirus killer), procdump.exe and procwin.exe (credential dumping).
- [API Usage] Fiber-related Windows API calls – ConvertThreadToFiber, CreateFiber, FlsAlloc used to execute malicious payloads stealthily.
- [Network Protocols] Communication methods including HTTP, HTTPS, SSL with custom protocol, SMB over port 445, TCP, TLS, UDP, and WebSocket for command and control traffic.
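The file names and process context listed above (procdump.exe and procwin.exe against LSASS, NTDS access, shells running under winword.exe, injection into dllhost.exe, TrueSightKiller.exe) translate directly into process-creation hunting rules. The Python below is an added example, not code from the report: it evaluates a small rule set over Sysmon Event ID 1 fields rendered as `Field: value | Field: value` lines. The events are constructed for the example. Two things are this example's assumptions rather than statements from the report: that procwin.exe is a renamed ProcDump, which is why the rule keys on Sysmon's OriginalFileName field instead of the file name, and the dllhost.exe heuristic that legitimate COM surrogates are launched with a /Processid:{GUID} argument.

```python
"""Process-creation hunting rules for Earth Ammit post-exploitation (added example)."""
from __future__ import annotations
import re

OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
# ntdsutil IFM export, a volume shadow copy, or a direct copy of the database file.
NTDS_RE = re.compile(r"\bifm\b|\bac i ntds\b|ntds\.dit|vssadmin(\.exe)?\s+create\s+shadow", re.I)


def parse_event(line: str) -> dict[str, str]:
    """Parse a Sysmon event flattened as 'Field: value | Field: value' (constructed rendering)."""
    fields = {}
    for part in line.split(" | "):
        key, sep, value = part.partition(": ")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect(ev: dict[str, str]) -> list[tuple[str, str]]:
    """Return (ATT&CK technique, reason) pairs for one process-creation event."""
    img = _basename(ev.get("Image", ""))
    parent = _basename(ev.get("ParentImage", ""))
    cmd = ev.get("CommandLine", "")
    orig = ev.get("OriginalFileName", "").lower()
    hits = []
    # ProcDump against LSASS, matched on the PE's original file name so a renamed copy still fires.
    if orig.startswith("procdump") and re.search(r"\blsass(\.exe)?\b", cmd, re.I):
        hits.append(("T1003.001", f"{img} is ProcDump (OriginalFileName={orig}) dumping lsass"))
    # NTDS.dit extraction.
    if NTDS_RE.search(cmd):
        hits.append(("T1003.003", f"{img} touching NTDS: {cmd}"))
    # Office process spawning a command interpreter (remote shell executed under winword.exe).
    if parent in OFFICE and img in SHELLS:
        hits.append(("T1059", f"{parent} spawned {img}"))
    # Heuristic (assumption): genuine COM surrogates carry /Processid:{GUID}; a bare dllhost.exe
    # is a classic sacrificial host for injected code.
    if img == "dllhost.exe" and "/processid:" not in cmd.lower():
        hits.append(("T1055", f"dllhost.exe without /Processid, parent {parent}"))
    # Known AV/EDR killer by file name or embedded original file name.
    if "truesightkiller" in img or "truesightkiller" in orig:
        hits.append(("T1562.001", f"{img} (TrueSightKiller)"))
    return hits


def hunt(lines: list[str]) -> list[tuple[int, str, str]]:
    """Run detect() over EID 1 lines; returns (line index, technique, reason) tuples."""
    out = []
    for i, line in enumerate(lines):
        ev = parse_event(line)
        if ev.get("EventID") == "1":
            out.extend((i, t, why) for t, why in detect(ev))
    return out


# Constructed Sysmon EID 1 events (not real telemetry). Event 0 is a benign COM surrogate launch.
SAMPLE_EVENTS = [
    r"EventID: 1 | Image: C:\Windows\System32\dllhost.exe | CommandLine: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683} | ParentImage: C:\Windows\System32\svchost.exe | OriginalFileName: dllhost.exe",
    r"EventID: 1 | Image: C:\Windows\System32\dllhost.exe | CommandLine: dllhost.exe | ParentImage: C:\Users\Public\winsrv.exe | OriginalFileName: dllhost.exe",
    r"EventID: 1 | Image: C:\Windows\System32\cmd.exe | CommandLine: cmd.exe /c whoami /all | ParentImage: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE | OriginalFileName: Cmd.Exe",
    r"EventID: 1 | Image: C:\Users\Public\procwin.exe | CommandLine: procwin.exe -accepteula -ma lsass.exe C:\Users\Public\l.dmp | ParentImage: C:\Windows\System32\cmd.exe | OriginalFileName: procdump",
    r'EventID: 1 | Image: C:\Windows\System32\ntdsutil.exe | CommandLine: ntdsutil "ac i ntds" ifm "create full C:\Temp\ifm" q q | ParentImage: C:\Windows\System32\cmd.exe | OriginalFileName: ntdsutil.exe',
    r"EventID: 1 | Image: C:\Users\Public\TrueSightKiller.exe | CommandLine: TrueSightKiller.exe | ParentImage: C:\Windows\System32\cmd.exe | OriginalFileName: TrueSightKiller.exe",
]

if __name__ == "__main__":
    for idx, technique, reason in hunt(SAMPLE_EVENTS):
        print(f"event {idx}: {technique} {reason}")
```

The rules are deliberately narrow so that each maps to one technique; in production the same fields would feed a SIEM query, and the dllhost.exe rule in particular should be scoped by parent process, since a bare dllhost.exe launched from a user-writable path such as C:\Users\Public is far more telling than the name alone.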
Read more: https://www.trendmicro.com/en_us/research/25/e/earth-ammit.html