CyberSecurity news
Source: The Hacker News (info@thehackernews.com)
A cyber espionage group known as Earth Ammit, believed to be linked to Chinese APT groups, has been actively targeting organizations in Taiwan and South Korea through coordinated multi-wave attacks. These campaigns, dubbed VENOM and TIDRONE, were conducted from 2023 to 2024 and aimed to disrupt the drone supply chain by compromising trusted networks. Victims spanned various sectors, including military, satellite, heavy industry, media, technology, software services, and healthcare, highlighting the group's broad targeting scope. The attacks demonstrate Earth Ammit's long-term goal to compromise trusted networks via supply chain attacks, allowing them to target high-value entities downstream and amplify their reach, potentially leading to data theft and exfiltration of credentials.
The VENOM campaign focused on penetrating the upstream segment of the drone supply chain. Attackers exploited web server vulnerabilities to deploy web shells, then used open-source tools such as REVSOCK and Sliver in an attempt to avoid attribution. The only custom malware observed in VENOM was VENFRPC, a customized build of FRPC, the client component of the open-source fast reverse proxy (frp) tool. The goal was to harvest credentials and use them as a stepping stone for the TIDRONE campaign, which targeted downstream customers.
The TIDRONE campaign involved multiple stages, mirroring the VENOM campaign by targeting service providers to inject malicious code and distribute malware to downstream customers. Custom-built tools like CXCLNT and CLNTEND backdoors were used for cyber espionage purposes. Post-exploitation activities included establishing persistence, escalating privileges, disabling antivirus software, and installing screenshot capturing tools. Trend Micro researchers have provided detections and blocking mechanisms via Trend Vision One™ and offer hunting queries and threat intelligence reports to help organizations defend against Earth Ammit's tactics.
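The two paragraphs above describe a behaviour chain a defender can hunt for without any campaign-specific indicators: a web server worker spawning a shell (web-shell deployment) followed, on the same host, by execution of the frp client that VENFRPC is built from. The following is an added example, not code from Trend Micro, The Hacker News, or the report; the tab-separated process-event format and the sample events are constructed for illustration, and the host names, timestamps and command lines are not real IoCs.

```python
"""Correlate web-shell-style process spawns with frp client execution per host."""
from dataclasses import dataclass
from typing import Dict, List

# Parent processes that should not spawn an interactive shell on a web server.
WEB_SERVER_PARENTS = {"w3wp.exe", "httpd", "nginx", "php-fpm", "tomcat"}
SHELL_CHILDREN = {"cmd.exe", "powershell.exe", "sh", "bash"}
# Default binary names of the frp client; a renamed build needs other telemetry.
REVERSE_PROXY_BINARIES = {"frpc", "frpc.exe"}

# Constructed sample telemetry (not real IoCs): ts<TAB>host<TAB>parent<TAB>image<TAB>cmdline
SAMPLE_EVENTS = """\
1700000000\tweb-01\tw3wp.exe\tcmd.exe\tcmd.exe /c whoami
1700000300\tweb-01\tcmd.exe\tC:\\Windows\\Temp\\frpc.exe\tfrpc.exe -c frpc.ini
1700000100\tweb-02\texplorer.exe\tpowershell.exe\tpowershell.exe Get-Process
1700050000\tweb-03\thttpd\tsh\tsh -c id
1700060000\tweb-03\tsh\t/tmp/frpc\t/tmp/frpc -c /tmp/frpc.toml
"""


@dataclass
class ProcEvent:
    ts: int        # epoch seconds
    host: str
    parent: str    # lower-cased basename of the parent image
    image: str     # lower-cased basename of the image
    cmdline: str


def basename(path: str) -> str:
    """Basename that works for both Windows and POSIX paths, lower-cased."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def load_events(text: str) -> List[ProcEvent]:
    """Parse the assumed tab-separated event format into ProcEvent records."""
    events = []
    for line in text.strip().splitlines():
        ts, host, parent, image, cmdline = line.split("\t", 4)
        events.append(ProcEvent(int(ts), host, basename(parent), basename(image), cmdline))
    return events


def is_webshell_spawn(ev: ProcEvent) -> bool:
    """A web server worker launching a shell is the classic web-shell footprint."""
    return ev.parent in WEB_SERVER_PARENTS and ev.image in SHELL_CHILDREN


def is_reverse_proxy(ev: ProcEvent) -> bool:
    return ev.image in REVERSE_PROXY_BINARIES


def find_webshell_spawns(events: List[ProcEvent]) -> List[ProcEvent]:
    return [e for e in events if is_webshell_spawn(e)]


def correlate(events: List[ProcEvent], window: int = 3600) -> List[Dict]:
    """Per host, pair the earliest web-shell spawn with a later frpc start within `window` seconds."""
    first_spawn: Dict[str, ProcEvent] = {}
    alerts: List[Dict] = []
    for ev in sorted(events, key=lambda e: e.ts):
        if is_webshell_spawn(ev):
            first_spawn.setdefault(ev.host, ev)
        elif is_reverse_proxy(ev):
            spawn = first_spawn.get(ev.host)
            if spawn is not None and ev.ts - spawn.ts <= window:
                alerts.append({"host": ev.host, "webshell_spawn": spawn.cmdline,
                               "reverse_proxy": ev.cmdline, "delta_s": ev.ts - spawn.ts})
    return alerts


if __name__ == "__main__":
    for alert in correlate(load_events(SAMPLE_EVENTS)):
        print(alert)
```

On the sample data only web-01 is flagged: web-02 has a shell launched from explorer.exe (normal user activity) and web-03 starts frpc too long after the web-shell spawn for the default one-hour window, which is the knob to tune against the dwell times seen in your own environment. Either stage on its own is still worth a lower-severity alert; the correlation exists to raise confidence, not to replace the individual detections.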
References :
- Virus Bulletin: Trend Micro's Pierre Lee, Vickie Su & Philip Chen discuss the evolving tradecraft of threat actor Earth Ammit, proven by the advanced toolset used in its TIDRONE and VENOM campaigns that targeted the drone supply chain.
- www.trendmicro.com: Trend™ Research discusses the evolving tradecraft of threat actor Earth Ammit, proven by the advanced toolset used in its TIDRONE and VENOM campaigns that targeted the drone supply chain.
- The Hacker News: A cyber espionage group known as Earth Ammit has been linked to two related but distinct campaigns from 2023 to 2024 targeting various entities in Taiwan and South Korea, including military, satellite, heavy industry, media, technology, software services, and healthcare sectors.
- Industrial Cyber (industrialcyber.co): Earth Ammit espionage campaign targets government, critical infrastructure with novel tools
Classification:
- HashTags: #CyberEspionage #SupplyChainSecurity #EarthAmmit
- Company: Trend Micro
- Target: Taiwan, South Korea
- Attacker: Earth Ammit
- Product: TIDRONE and VENOM
- Feature: tradecraft
- Malware: VENOM, TIDRONE
- Type: Espionage
- Severity: Major