
A cyberespionage campaign by a China-linked APT group tracked as Antlion has been using a custom backdoor called xPack in attacks aimed at financial organizations and manufacturing companies; the activity went undetected for an extended period.
xPack is a custom backdoor with a .NET loader that decrypts and executes AES-encrypted payloads. It allowed the threat actors to run WMI commands remotely and to mount shares over SMB in order to transfer data to their C2 servers. The attackers also used the malware to browse the web, likely as a proxy to mask their IP address.
The attackers exploited CVE-2019-1458 for privilege escalation and used remote scheduled tasks to execute their backdoor.
Researchers analyzed one attack in which the APT group remained in the compromised network of a manufacturing organization for 175 days, and another against a financial institution in which it remained active for 250 days.
It has been speculated that the attackers exploited a web application or service, because in one attack the threat actors were observed using the MSSQL service to execute system commands. No conclusion has been reached on the initial attack vector.
Following are the custom tools used by Antlion in this campaign:
- EHAGBPSL loader – custom loader written in C++ – loaded by JpgRun loader
- JpgRun loader – custom loader written in C++ – like xPack, reads the decryption key and filename from the command line – decodes the file and executes it
- CheckID – custom loader written in C++ – based on loader used by BlackHole RAT
- NetSessionEnum – Custom SMB session enumeration tool
- ENCODE MMC – Custom bind/reverse file transfer tool
- Kerberos golden ticket tool based on the Mimikatz credentials stealer
The attackers also used legitimate versions of WinRAR for data exfiltration and batch scripts to automate the data collection process. In some cases, the threat actors staged stolen data for later exfiltration.
The threat actors periodically returned to the compromised network to launch xPack again and steal account credentials from the compromised organizations.
Indicators of Compromise
SHA2 hashes
85867a8b4de856a943dd5efaaf3b48aecd2082aa0ceba799df53ba479e4e81c5
12425edb2c50eac79f06bf228cb2dd77bb1e847c4c4a2049c91e0c5b345df5f2
e4a15537f767332a7ed08009f4e0c5a7b65e8cbd468eb81e3e20dc8dfc36aeed
e488f0015f14a0eff4b756d10f252aa419bc960050a53cc04699d5cc8df86c8a
9456d9a03f5084e44f8b3ad936b706a819ad1dd89e06ace612351b19685fef92
730552898b4e99c7f8732a50ae7897fb5f83932d532a0b8151f3b9b13db7d73c
de9bd941e92284770b46f1d764905106f2c678013d3793014bdad7776540a451
390460900c318a9a5c9026208f9486af58b149d2ba98069007218973a6b0df66
4331d1610cdedba314fc71b6bed35fea03bc49241eb908a70265c004f5701a29
9b5168a8f2950e43148fe47576ab3ac5b2cfa8817b124691c50d2c77207f6586
a74cb0127a793a7f4a616613c5aae72142c1166f4bb113247e734f0efd48bdba
e5259b6527e8612f9fd9bba0b69920de3fd323a3711af39f2648686fa139bc38
eb7a23136dc98715c0a3b88715aa7e936b88adab8ebae70253a5122b8a402df3
789f0ec8e60fbc8645641a47bc821b11a4486f28892b6ce14f867a40247954ed
3db621cac1d026714356501f558b1847212c91169314c1d43bfc3a4798467d0d
443f4572ed2aec06d9fb3a190de21bfced37c0cd2ee03dd48a0a7be762858925
f4534e04caced1243bd7a9ce7b3cd343bf8f558982cbabff93fa2796233fe929
e968e0d7e62fbc36ad95bc7b140cf7c32cd0f02fd6f4f914eeb7c7b87528cfe2
0bbb477c1840e4a00d0b6cd3bd8121b23e1ce03a5ad738e9aa0e5e0b2e1e1fea
55636c8a0baa9b57e52728c12dd969817815ba88ec8c8985bd20f23acd7f0537
2a541a06929dd7d18ddbae2cb23d5455d0666af7bdcdf45b498d1130a8434632
29d7b82f9ae7fa0dbaf2d18c4d38d18028d652ed1ccc0846e8c781b4015b5f78
f7cab241dac6e7db9369a4b85bd52904022055111be2fc413661239c3c64af3d
2aa52776965b37668887a53dcd2374fc2460293b73c897de5d389b672e1313ff
79a37464d889b41b7ea0a968d3e15e8923a4c0889f61410b94f5d02458cb9eed
48d41507f5fc40a310fcd9148b790c29aeb9458ff45f789d091a9af114f26f43
f01a4841f022e96a5af613eb76c6b72293400e52787ab228e0abb862e5a86874
e1a0c593c83e0b8873278fabceff6d772eeaaac96d10aba31fcf3992bc1410e5
dfee6b3262e43d85f20f4ce2dfb69a8d0603bb261fb3dfa0b934543754d5128b
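A hash list like the one above is only useful once it is turned into a sweep over endpoints or file shares. The Python below is an added example, not code from the article or from the researchers who published the indicators: it normalizes a pasted SHA2 list (dropping the `|` table separators, the duplicated entry and anything that is not exactly 64 hex characters), then walks a directory tree and reports every file whose SHA-256 is in the set. `RAW_IOC_TEXT` is an excerpt of four hashes from the list above plus one constructed invalid line; `make_sample_tree` is a helper that builds a constructed test directory and exists only so the scanner can be exercised offline.

```python
"""Sweep a directory tree for files whose SHA-256 matches a published IoC list.

Added example for the Antlion/xPack article; not the article's or the
researchers' own tooling.
"""
import hashlib
import os
import re
import sys
import tempfile
from typing import Dict, List, Set, Tuple

# Excerpt of the article's SHA2 list, pasted as extracted: the trailing "|"
# and the repeated first hash are artifacts of the source table; the last
# line is a constructed invalid entry to show that junk is filtered out.
RAW_IOC_TEXT = """
85867a8b4de856a943dd5efaaf3b48aecd2082aa0ceba799df53ba479e4e81c5 |
12425edb2c50eac79f06bf228cb2dd77bb1e847c4c4a2049c91e0c5b345df5f2 |
e4a15537f767332a7ed08009f4e0c5a7b65e8cbd468eb81e3e20dc8dfc36aeed |
85867a8b4de856a943dd5efaaf3b48aecd2082aa0ceba799df53ba479e4e81c5 |
not-a-hash |
"""

_SHA256_RE = re.compile(r"^[0-9a-f]{64}$")


def parse_ioc_list(text: str) -> Set[str]:
    """Normalize a pasted hash list into a deduplicated set of lowercase SHA-256 strings."""
    iocs: Set[str] = set()
    for line in text.splitlines():
        token = line.strip().strip("|").strip().lower()
        if _SHA256_RE.match(token):
            iocs.add(token)
    return iocs


def hash_bytes(data: bytes) -> str:
    """SHA-256 hex digest of an in-memory buffer."""
    return hashlib.sha256(data).hexdigest()


def sha256_file(path: str, chunk_size: int = 1 << 20) -> str:
    """Hash a file in chunks so large binaries never have to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def scan_tree(root: str, iocs: Set[str]) -> List[Tuple[str, str]]:
    """Walk `root` and return (path, sha256) for every file whose hash is an IoC."""
    hits: List[Tuple[str, str]] = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                file_hash = sha256_file(path)
            except OSError:
                continue  # locked or unreadable files are skipped, not fatal
            if file_hash in iocs:
                hits.append((path, file_hash))
    return hits


def make_sample_tree(files: Dict[str, bytes]) -> str:
    """Build a constructed test directory (relative name -> content); returns its root."""
    root = tempfile.mkdtemp(prefix="ioc_sweep_")
    for rel, content in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "."
    for hit_path, hit_hash in scan_tree(target, parse_ioc_list(RAW_IOC_TEXT)):
        print(f"IOC match: {hit_path} {hit_hash}")
```

Run it as `python sweep.py <directory>` with the full hash list pasted into `RAW_IOC_TEXT`. A hash sweep only finds the exact samples the researchers published; a recompiled or repacked loader will have a different digest, so treat a clean sweep as "no known sample present", not as proof the host is clean, and pair it with the behavioural indicators the article describes (remote WMI execution, SMB share mounting, remote scheduled tasks, MSSQL-launched system commands).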