TIDRONE Targets Military and Satellite Industries in Taiwan

A threat cluster we named TIDRONE, possibly linked to Chinese-speaking groups, has been actively targeting Taiwan's military-related industries, particularly drone manufacturers.

The original image was generated by OpenAI's DALL-E and edited by the author. Source: OpenAI (September 2024)

Introduction

A threat cluster we named TIDRONE, possibly linked to Chinese-speaking groups, has been actively targeting Taiwan's military-related industries, particularly drone manufacturers. The group uses advanced malware, including CXCLNT and CLNTEND, to conduct espionage activities. These malware variants, deployed through ERP software and remote desktop services, can steal sensitive data and conduct post-exploitation attacks.

Since early 2024, our team has investigated multiple incident reports from Taiwan, revealing a sophisticated, unidentified threat cluster called TIDRONE. These attackers have focused primarily on military-related industries, including drone manufacturers, using a range of advanced malware toolsets. Based on telemetry data from VirusTotal, this group's interests extend beyond Taiwan, highlighting a broader concern for industries globally.

Report Overview

TIDRONE has been observed leveraging enterprise resource planning (ERP) systems or remote desktop solutions to deploy its malware. The malware includes CXCLNT, which can upload and download files and clear its traces, and CLNTEND, a remote access tool (RAT) that supports a wide range of communication protocols. Both toolsets have evolved, with the attackers frequently updating their capabilities and refining anti-analysis techniques to avoid detection.

The main tools observed in this campaign, CXCLNT and CLNTEND, were delivered via a supply chain attack involving legitimate software such as UltraVNC, a tool for remote desktop access. The initial infection likely occurred some time ago, followed by lateral movement within targeted systems. The attackers utilized legitimate executables to side-load malware into compromised environments.

CXCLNT is information-stealing malware that gathers details such as file listings, system names, and network architecture. CLNTEND, on the other hand, is a more sophisticated RAT that supports a variety of network protocols (TCP, HTTP, HTTPS, TLS, and SMB) for remote control. The attack chain frequently involved bypassing User Account Control (UAC), credential dumping, and the use of hacking tools to turn off antivirus software.

In the post-exploitation phase, TIDRONE attackers employed UAC bypass techniques and credential-dumping tools to escalate privileges. Command-line execution of processes such as winsrv.exe was observed, which allowed the malware to copy security tokens and further entrench itself within the system.

Insights and Analysis

TIDRONE's campaign demonstrates the evolution of advanced persistent threats (APTs) targeting critical industries, particularly in geopolitically sensitive regions. Their use of malware like CXCLNT and CLNTEND shows an advanced understanding of security mechanisms, allowing them to avoid detection while maintaining persistence in compromised systems.

The investigation shows TIDRONE to be a competent threat actor focused on espionage, particularly within Taiwan's military-related industries. The group uses sophisticated malware to steal sensitive information and maintain long-term access to compromised systems. To mitigate the risks posed by TIDRONE, organizations should:

  1. Download software only from trusted sources.
  2. Be cautious of social engineering tactics that could serve as attack entry points.
  3. Employ advanced anti-malware tools to detect and stop early signs of compromise.

Indicators of Compromise (IOCs)

| Indicator | Type | Description |
|---|---|---|
| f13869390dda83d40960d4f8a6b438c5c4cd31b4d25def7726c2809ddc573dc7 | File (SHA-256) | Trojan.Win32.CXCLNT.ZTLH |
| e366f0209a939503418f2b7befbd60b79609b7298fed9c2fbafcb0e7fde19740 | File (SHA-256) | Trojan.Win32.CXCLNT.ZTLH |
| bestadll[.]fghytr[.]com | Network | Potential command-and-control (C2) domain |
| client[.]wns[.]windowswns[.]com | Network | Potential command-and-control (C2) domain |
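Putting the indicators above to work, as an added example that is not code from the report: the script below checks constructed Sysmon-style endpoint events against the page's IOCs and against the behaviours the report describes (a DLL side-loaded by a legitimate executable such as UltraVNC, and command-line execution of winsrv.exe). It assumes winvnc.exe as UltraVNC's server binary; the user path, example.dll and the log records themselves are constructed.

```python
import json
# Indicators copied from the page's IOC table (domains kept defanged as printed).
IOC_DOMAINS = {"bestadll[.]fghytr[.]com", "client[.]wns[.]windowswns[.]com"}
IOC_SHA256 = {"f13869390dda83d40960d4f8a6b438c5c4cd31b4d25def7726c2809ddc573dc7",
              "e366f0209a939503418f2b7befbd60b79609b7298fed9c2fbafcb0e7fde19740"}
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")

def refang(domain):
    """Convert the report's defanged 'a[.]b' form into a matchable hostname."""
    return domain.replace("[.]", ".").lower()

C2_HOSTS = {refang(d) for d in IOC_DOMAINS}

def split_path(path):
    # (directory with trailing backslash, file name), both lower-cased
    head, _, tail = path.lower().replace("/", "\\").rpartition("\\")
    return head + "\\", tail

def check_event(ev):
    """Findings for one endpoint event (a constructed Sysmon-like JSON record)."""
    hits, kind = [], ev.get("type")
    if kind == "dns" and ev.get("query", "").lower().rstrip(".") in C2_HOSTS:
        hits.append("dns: query to TIDRONE C2 domain from the IOC table")
    if ev.get("sha256", "").lower() in IOC_SHA256:
        hits.append("hash: matches Trojan.Win32.CXCLNT.ZTLH")
    if kind == "image_load":
        exe_dir, exe = split_path(ev["image"])
        dll_dir, dll = split_path(ev["loaded"])
        # The report says legitimate executables (UltraVNC among them) side-loaded the
        # malware: flag a DLL loaded from the same non-standard directory as its host.
        if exe_dir == dll_dir and not exe_dir.startswith(TRUSTED_DIRS):
            hits.append(f"sideload: {exe} loaded {dll} from {exe_dir}")
    if kind == "process_create" and split_path(ev["image"])[1] == "winsrv.exe":
        hits.append("process: winsrv.exe executed (post-exploitation step in the report)")
    return hits

def scan(log_lines):
    """Map line index -> findings, omitting lines with nothing to report."""
    report = {}
    for i, line in enumerate(log_lines):
        if found := check_event(json.loads(line)):
            report[i] = found
    return report

# Constructed sample telemetry (not from the report); winvnc.exe as UltraVNC's server
# binary is an assumption, and the user path and example.dll are made up.
SAMPLE_LOG = [
    '{"type":"dns","query":"client.wns.windowswns.com","image":"C:\\\\Users\\\\u\\\\vnc\\\\winvnc.exe"}',
    '{"type":"image_load","image":"C:\\\\Users\\\\u\\\\vnc\\\\winvnc.exe","loaded":"C:\\\\Users\\\\u\\\\vnc\\\\example.dll"}',
    '{"type":"process_create","image":"C:\\\\Windows\\\\Temp\\\\winsrv.exe","sha256":"f13869390dda83d40960d4f8a6b438c5c4cd31b4d25def7726c2809ddc573dc7"}',
    '{"type":"image_load","image":"C:\\\\Program Files\\\\App\\\\app.exe","loaded":"C:\\\\Program Files\\\\App\\\\helper.dll"}',
]
```

The last record shows the side-loading heuristic staying quiet for a DLL loaded from a trusted install directory; tune TRUSTED_DIRS to your own software baseline before using it at scale.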

MITRE ATT&CK Techniques

| Tactic | Technique | ID | Description |
|---|---|---|---|
| Initial Access | Valid Accounts | T1078 | Attackers use compromised credentials for access |
| Execution | Command and Scripting Interpreter | T1059 | Likely used for executing malicious commands in post-exploitation |
| Privilege Escalation | User Account Control (UAC) Bypass | T1548.002 | Techniques used to bypass User Account Control (UAC) protections |
| Credential Access | OS Credential Dumping | T1003 | Credential dumping techniques for gathering sensitive information |
| Defense Evasion | Disable or Modify Tools | T1562.001 | Hack tools used to disable antivirus or security products |
| Persistence | Create or Modify System Process | T1543 | Persistence through system modifications, including service creation |
