Drone supply chain violated Art Amit via ERP in Tidrone campaign

By user, May 14, 2025

The cyber espionage group known as Earth Ammit has been linked to two related but distinct campaigns from 2023 to 2024 that targeted a variety of entities in Taiwan and South Korea, including the military, satellite, heavy industry, media, technology, software services and healthcare sectors.

Cybersecurity company Trend Micro said the first wave, codenamed Venom, primarily targeted software service providers, while the second wave, known as Tidrone, singled out the military industry. Earth Ammit is assessed to be connected to a Chinese-speaking nation-state group.

“In the Venom campaign, Earth Ammit’s approach included penetrating upstream segments of the drone supply chain,” said security researchers Pierre Lee, Vickie Su and Philip Chen. “The long-term goal of Earth Ammit is to compromise trustworthy networks through supply chain attacks, allowing them to target high-value entities downstream and amplify reach.”

The Tidrone campaign was first documented by Trend Micro last year, detailing the cluster’s attacks against Taiwanese drone manufacturers to deliver custom malware such as CXCLNT and CLNTEND. A subsequent report from AhnLab in December 2024 detailed the use of CLNTEND against South Korean companies.

Notably, the attacks targeted drone supply chains and leveraged enterprise resource planning (ERP) software to breach the military and satellite industries. Select incidents also involved the use of trusted communication channels, such as remote monitoring and IT management tools, to distribute malicious payloads.

Per Trend Micro, the Venom campaign involved exploiting a web server vulnerability to drop a web shell, then weaponizing that access to install remote access tools (RATs) for persistent access to compromised hosts. The use of open-source tools such as REVSOCK and Sliver in the attacks is seen as a deliberate attempt to cloud attribution efforts.

The only bespoke malware observed in the Venom campaign is VenFRPC, a customized version of FRPC, which itself is a modified version of the open source Fast Reverse Proxy (FRP) tool.

The ultimate goal of the campaign is to harvest credentials from the compromised environment and use the stolen information as a stepping stone to reach downstream customers in the next stage, Tidrone. The Tidrone campaign unfolds in three stages:

  • Initial access, mirroring the Venom campaign, by injecting malicious code into service providers and distributing malware to downstream customers
  • Command and control, by dropping the CXCLNT and CLNTEND backdoors using DLL loaders
  • Use of CLNTEND for persistence setup, privilege escalation and disabling of antivirus software

“The core functionality of CXCLNT depends on a modular plug-in system. When run, it dynamically extends its functionality by fetching additional plug-ins from the C&C server,” Trend Micro said. “This architecture not only obscures the true purpose of the backdoor during static analysis, but also allows for flexible and on-demand operations based on the attacker’s objectives.”

CXCLNT is said to have been used in attacks since at least 2022. First detected in 2024, CLNTEND is its successor and comes with a set of enhanced features to sidestep detection.

The relationship between Venom and Tidrone is attributed to overlapping victims, service providers and command-and-control infrastructure, indicating that a common threat actor is behind both campaigns. Trend Micro said the hacking crew’s tactics, techniques and procedures (TTPs) are similar to those used by another Chinese nation-state hacking group, tracked as Dalbit (aka M00nlight), which suggests a shared toolkit.

“This progression highlights a deliberate strategy: it starts widely and establishes access with low-cost, low-risk tools, and pivots to features tailored for more targeted and impactful intrusions,” the researchers said. “Understanding this operational pattern is important in predicting and defending future threats from this actor.”

Japan and Taiwan targeted by Swan Vector

The disclosure comes as Seqrite Labs detailed a cyber espionage campaign called Swan Vector, which targets educational institutions and the mechanical engineering industry in Taiwan and Japan.

Pterois, one of the campaign’s implants, is designed to be downloaded from Google Drive. It is then responsible for running the Cobalt Strike post-exploitation framework alongside another piece of malware called Isurus. The campaign is attributed to a threat actor in East Asia with moderate confidence.

“The threat actor is based in East Asia and has targeted multiple employment-based entities in Taiwan and Japan since December 2024,” said security researcher Subhajeet Singha.

“The threat actor relies heavily on multiple evasion techniques such as API hashing, direct-system callbacks, function callbacks, DLL sideloading, and self-exclusion, and on custom-developed implants consisting of downloaders, shellcode loaders, and Cobalt Strike.”
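
API hashing, the first evasion technique named above, replaces plain-text Windows API names in a loader with 32-bit hashes so that static string scans show nothing useful. The analyst-side counter is to hash every known export name with the same algorithm and look the constants up. The script below is an added example for this article, not code from Seqrite Labs, Trend Micro or any of the implants discussed; it assumes the widespread ROR-13 scheme (the article does not say which algorithm the Swan Vector implants use), uses a constructed list of a few real kernel32 export names rather than a full export table, and uses 0xDEADBEEF as a placeholder for an unknown constant.

```python
# Added example: resolving API-name hashes recovered from a shellcode loader.
# Assumption: the loader uses ROR-13, the most common scheme. For a real
# sample, feed the full export tables of kernel32.dll, ntdll.dll, etc. into
# build_hash_table() and the DWORD constants from the disassembly into
# resolve_hashes().

def ror32(value: int, count: int) -> int:
    """Rotate a 32-bit unsigned value right by `count` bits."""
    count %= 32
    return ((value >> count) | (value << (32 - count))) & 0xFFFFFFFF


def ror13_hash(name: str) -> int:
    """Classic ROR-13 hash: h = ror(h, 13) + byte for every character of the
    export name (case-sensitive, no terminating NUL)."""
    h = 0
    for b in name.encode("ascii"):
        h = (ror32(h, 13) + b) & 0xFFFFFFFF
    return h


def build_hash_table(export_names):
    """Map hash -> export name for a list of known API names."""
    return {ror13_hash(n): n for n in export_names}


def resolve_hashes(observed, table):
    """Translate constants pulled out of a sample back into API names.
    Anything not in the table is flagged rather than guessed."""
    return {h: table.get(h, "<unresolved>") for h in observed}


# Constructed export list: a handful of real kernel32 export names that
# loaders commonly resolve. Not a full export table.
SAMPLE_EXPORTS = [
    "LoadLibraryA", "GetProcAddress", "VirtualAlloc",
    "VirtualProtect", "CreateThread", "WaitForSingleObject",
]

if __name__ == "__main__":
    table = build_hash_table(SAMPLE_EXPORTS)
    # Constructed "observed" constants: two recomputed from names above,
    # plus 0xDEADBEEF as a placeholder for a value the table does not know.
    observed = [ror13_hash("VirtualAlloc"), ror13_hash("CreateThread"), 0xDEADBEEF]
    for h, name in resolve_hashes(observed, table).items():
        print(f"0x{h:08X} -> {name}")
```

The unresolved sentinel matters in practice: a constant that does not match any known export usually means the loader uses a different algorithm (a different rotate count, a seed, or a module-name component folded into the hash), which is the next thing to check before assuming the table is complete.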
