Chinese hackers use a new stealthy backdoor to target Taiwanese banks

Short News:- 


Taiwanese financial institutions have been targeted by a Chinese advanced persistent threat (APT) group as part of a "persistent campaign" that has lasted at least 18 months, according to the government. The intrusions, whose primary goal was espionage, resulted in the deployment of a backdoor known as xPack, which gave the adversary extensive control over the compromised machines. The findings add to a growing list of China-linked nation-state groups that have targeted the country: in recent months, threat actors tracked as Tropic Trooper and Earth Lusca have mounted malicious cyber activities against Taiwanese government, healthcare, transportation, and educational institutions.

Detailed News:- 

As part of a "persistent campaign" lasting at least 18 months, a Chinese advanced persistent threat (APT) group has been targeting Taiwanese financial institutions.

According to a report published last week by Symantec, which is owned by Broadcom, espionage was the primary goal of the intrusions. The backdoor xPack was installed on compromised machines, giving the adversary complete control over them.

One of the most notable aspects of this campaign is how long the threat actor lingered on the victim networks, giving the operators ample time to conduct detailed reconnaissance and exfiltrate potentially sensitive information about business contacts and investments without raising any alarms.

Attackers spent nearly 250 days in one of the unnamed financial organizations between December 2020 and August 2021, while a manufacturing company had its network under their watch for about 175 days.

Antlion is suspected of exploiting a web application flaw to gain a foothold and drop the xPack custom backdoor, which is used to execute system commands, drop subsequent malware and tools, and stage data for exfiltration.

Aside from custom C++ loaders, the threat actor also used legitimate off-the-shelf tools like AnyDesk and living-off-the-land (LotL) techniques to gain remote access, dump credentials, and execute arbitrary commands.

"Since at least 2011, Antlion is believed to have been involved in espionage activities, and this recent activity shows that it is still an actor to be aware of more than 10 years after it first appeared," the researchers stated.

The findings add to a growing list of nation-state groups with ties to China that have targeted Taiwan in recent months, with malicious cyber activities mounted by threat actors tracked as Tropic Trooper and Earth Lusca attacking the government, healthcare, transportation, and educational institutions in the country.
