The Drone Supply Chain's Grand Siege: From Initial Breaches to Long-Term Espionage

Black Hat

Description

Researchers from Trend Micro analyze the TIDRONE and VENOM campaigns by Earth Ammit, targeting the Taiwanese drone supply chain. The talk details the transition from using open-source tools for initial breaches to deploying custom, fiber-based malware for long-term military espionage.

Siege of the Drone Supply Chain: Inside Earth Ammit's Multi-Stage Espionage

In the high-stakes world of modern warfare, the drone supply chain has become a primary battlefield for cyberespionage. Recent research from Trend Micro has shed light on a sophisticated campaign targeting Taiwan's burgeoning drone industry. This operation, attributed to an actor known as Earth Ammit, demonstrates a chillingly effective strategy: compromising upstream service providers to lay a "grand siege" to high-value military targets.

This post explores the dual-campaign strategy involving the VENOM and TIDRONE operations, the technical nuances of their custom malware, and the advanced evasion techniques—including the use of Windows Fibers—that make this actor particularly dangerous for defenders in the defense and technology sectors.

The Two-Phased Assault: VENOM and TIDRONE

Earth Ammit does not strike their primary targets directly. Instead, they utilize a multi-stage approach designed to maximize infiltration while minimizing early detection.

Phase 1: Operation VENOM

The VENOM campaign targets the "upstream" of the supply chain—the service providers, ERP vendors, and software companies that the drone manufacturers trust. The primary goal of VENOM is credential theft. By exploiting web server vulnerabilities and deploying web shells, Earth Ammit gains a foothold in these provider networks. They then move laterally to domain controllers to steal the NTDS.dit file, effectively owning the identities of everyone within the organization and its trusted channels.

To avoid early attribution, Earth Ammit uses a "cheap and effective" toolkit in this stage, consisting largely of modified open-source tools like FRPC for reverse proxying and tunneling. By blending in with common red-teaming tools, they make it harder for analysts to identify the specific threat actor behind the breach.

Phase 2: Operation TIDRONE

Once the credentials and trusted channels are secured, the operation transitions to TIDRONE. This phase targets the "downstream"—the drone manufacturers and military contractors themselves. Using the trusted connections established in VENOM (such as remote management tools or update mechanisms), Earth Ammit deploys highly customized malware tailored for long-term espionage. This is where the actor's technical sophistication truly shines.

Technical Deep Dive: The Evolution of Stealth

One of the most compelling aspects of the research is the analysis of Earth Ammit's malware loaders. Over the years, these loaders have evolved to incorporate advanced evasion techniques that challenge traditional security monitoring.

The Rise of Fiber-Based Evasion

Traditional security tools, including many EDR solutions, monitor system threads to detect malicious behavior. Earth Ammit exploits a blind spot in this monitoring by using Windows Fibers. Unlike threads, which are managed by the operating system kernel, fibers are managed at the application level (user mode).

Earth Ammit’s malware (CXCLNT and CLNTEND) utilizes several fiber-based techniques:

  1. Direct Fiber Conversion: Using ConvertThreadToFiber and CreateFiber, the malware moves its execution context into a fiber structure. Because security products often only check system-scheduled threads, the malicious logic running inside a fiber remains undetected.
  2. FLS Callbacks: The malware leverages FlsAlloc (Fiber Local Storage) to register a callback function. When the fiber object is freed or deleted, the callback triggers the execution of the encrypted payload in memory.
  3. Exception Handling Manipulation: Later versions of the loader use custom exception handlers to redirect code execution flow, further obfuscating the malware's true intent from static and dynamic analysis tools.

Custom Backdoors: CXCLNT and CLNTEND

The backdoors themselves are modular and stealthy. They do not exist as files on the disk; instead, they are decompressed and executed directly in memory.

  • CXCLNT (CX Client): A modular backdoor that relies on C2-delivered plugins for its main functionality. This makes initial analysis difficult, as the "meat" of the malware is never present on the infected system until the attacker decides to send it.
  • CLNTEND (Client End): A more advanced version that supports both client and server modes and implements multiple connection methods to bypass restrictive network environments. It also features aggressive anti-AV/EDR capabilities, specifically injecting into legitimate processes like WinWord.exe to hide its activities.

Post-Exploitation and Persistence

Once established, the actor ensures they cannot be easily removed. Their post-exploitation toolkit includes:

  • TrueSight Killer: A specialized tool designed to identify and terminate EDR and AV processes.
  • ScreenCapt: A screen surveillance tool adapted from open-source projects to monitor the victim's desktop in real-time.
  • Credential Dumping: Frequent use of cmdkey.exe and process dumping of lsass.exe to maintain a steady stream of administrative credentials.

Mitigation and Defense Strategies

Defending against a supply-chain-focused actor like Earth Ammit requires a shift in perspective. You cannot just defend your own perimeter; you must evaluate the security of your entire ecosystem.

  1. Monitor Fiber APIs: Defenders should look for unusual usage of FlsAlloc, CreateFiber, and SwitchToFiber within non-standard applications.
  2. AD Security is Paramount: Since Earth Ammit prioritizes NTDS.dit theft, organizations must implement strict Tiered Administration models and monitor for unauthorized access to Domain Controllers.
  3. Audit Service Provider Access: Limit the permissions granted to third-party management and monitoring tools. Treat incoming traffic from "trusted" service providers with the same scrutiny as external traffic.
  4. Process Integrity: Monitor for unusual process parenting, such as WinWord.exe spawning cmd.exe or making external network connections.
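A small triage script showing how mitigation items 1 and 4 above can be expressed as concrete detection rules. This is example code written for this write-up, not tooling from the researchers or from Trend Micro; the Sysmon-style JSON telemetry, the internal address ranges and the allow-list of processes expected to use fibers are all constructed assumptions that a real deployment would replace with its own telemetry and baselines.

```python
import ipaddress
import json

# APIs named in the talk; calls from outside the allow-list are suspicious.
FIBER_APIS = {"ConvertThreadToFiber", "CreateFiber", "SwitchToFiber", "FlsAlloc"}
FIBER_ALLOWED = {"sqlservr.exe"}  # constructed allow-list; tune it per estate
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "rundll32.exe", "mshta.exe"}
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.0.0/16")]

def base(path):
    """Lower-cased file name from a Windows path (either slash style)."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def is_external(dst_ip):
    """True when the destination lies outside the constructed internal ranges."""
    return not any(ipaddress.ip_address(dst_ip) in net for net in INTERNAL_NETS)

def evaluate(event):
    """Return the names of the rules a single telemetry event trips."""
    hits = []
    kind, image = event.get("type"), base(event.get("image", ""))
    if kind == "api_call" and event.get("api") in FIBER_APIS and image not in FIBER_ALLOWED:
        hits.append("fiber_api_unexpected_process")  # mitigation item 1
    if kind == "process_create" and image in SHELLS \
            and base(event.get("parent_image", "")) in OFFICE_APPS:
        hits.append("office_spawns_shell")  # mitigation item 4
    if kind == "network_connect" and image in OFFICE_APPS \
            and is_external(event.get("dst_ip", "0.0.0.0")):
        hits.append("office_external_connection")  # mitigation item 4
    return hits

def triage(lines):
    """Parse JSON telemetry lines; return (timestamp, image, rule) alerts in order."""
    alerts = []
    for line in lines:
        event = json.loads(line)
        for rule in evaluate(event):
            alerts.append((event["ts"], base(event["image"]), rule))
    return alerts

# Constructed Sysmon-style events for the demo, not telemetry from the research.
SAMPLE_TELEMETRY = [
    r'{"ts":"10:00:01","type":"api_call","image":"C:\\MSSQL\\sqlservr.exe","api":"SwitchToFiber"}',
    r'{"ts":"10:00:05","type":"api_call","image":"C:\\Users\\Public\\updater.exe","api":"FlsAlloc"}',
    r'{"ts":"10:00:09","type":"process_create","parent_image":"C:\\Office16\\WINWORD.EXE","image":"C:\\Windows\\System32\\cmd.exe"}',
    r'{"ts":"10:00:12","type":"network_connect","image":"C:\\Office16\\WINWORD.EXE","dst_ip":"198.51.100.23"}',
    r'{"ts":"10:00:15","type":"network_connect","image":"C:\\Office16\\WINWORD.EXE","dst_ip":"10.1.2.3"}',
]
```

Calling `triage(SAMPLE_TELEMETRY)` yields one alert for each of the unexpected fiber call, the Word-spawned shell and the Word connection to an external address, while the allow-listed SQL Server fiber use and the Word connection to an internal host stay silent.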

Conclusion

The Earth Ammit campaigns serve as a stark reminder that the supply chain is the path of least resistance for advanced persistent threats. By starting with "common" tools and graduating to sophisticated, fiber-based custom malware, they successfully infiltrated critical military infrastructure. For the cybersecurity community, the lesson is clear: we must look beyond threads and files to the deeper, more subtle mechanisms of the Windows OS to catch the next generation of espionage tools. Stay vigilant, monitor your providers, and always assume that a trusted channel might be compromised.

AI Summary

This research presentation by Trend Micro analysts Philip Chen and Vickie Su explores a sophisticated cyberespionage operation targeting the drone supply chain in Taiwan and South Korea. Attributed to the threat actor Earth Ammit, the operation comprises two distinct but linked campaigns: VENOM and TIDRONE. The presentation highlights a strategic shift in TTPs (Tactics, Techniques, and Procedures) as the attacker moves from upstream service providers to high-value downstream military targets.

The VENOM campaign serves as the initial entry point. Earth Ammit focuses on compromising service providers (ERPs, software vendors, and technology companies) to gain a foothold. During this phase, the group heavily utilizes open-source and shared tools, such as modified versions of FRPC (Fast Reverse Proxy), to minimize the risk of attribution. A primary objective in VENOM is credential harvesting, specifically targeting Active Directory (AD) environments to extract NTDS.dit data. This data is then leveraged to pivot and facilitate lateral movement into the downstream customers—the high-value military and drone manufacturers.

The TIDRONE campaign represents the specialized exploitation phase. Once access is secured through the supply chain, the actor deploys customized malware families, primarily CXCLNT (CX Client) and CLNTEND (Client End). These backdoors support multiple communication protocols (HTTPS, custom SSL) and feature modular plugin architectures.

A significant technical highlight of the talk is the analysis of 'fiber-based' evasion techniques used in the malware loaders. By utilizing Windows Fiber APIs (such as CreateFiber, SwitchToFiber, and FlsAlloc), the malware can execute malicious code in a manner that is often invisible to security products that only monitor standard system threads. This technique allows for highly stealthy execution and evasion of EDR/AV solutions.
Post-exploitation activities within the TIDRONE campaign include the use of 'TrueSight Killer' to terminate security processes, 'ScreenCapt' for visual surveillance, and various UAC bypass techniques for privilege escalation. Persistence is maintained through scheduled tasks and the replacement of legitimate binaries with malicious versions. The researchers conclude that Earth Ammit is a highly adaptive actor, likely Chinese-speaking, whose strategies mirror the 'Dalbit' intrusion set. The talk emphasizes the critical need for long-term monitoring of supply chain integrity and the detection of advanced evasion techniques like fiber-based execution.
