Taiwanese financial institutions have been on the radar of a Chinese advanced persistent threat (APT) group tracked as Antlion, which has been running what researchers describe as a “persistent campaign” against them.

The attacks are for espionage: according to a report from Broadcom-owned Symantec, the attackers planted a custom backdoor called xPack that gave them control of the affected systems.

What stands out in this campaign is how long the attackers were able to spy on victims without being detected. That time gave them room for comprehensive reconnaissance and for stealing sensitive data relating to business contacts and investments.


In one attack on a financial organisation, the attackers remained on the network for about 250 days, between December 2020 and August 2021; a manufacturing firm’s network was compromised for roughly 175 days.

How the attackers first breached the systems, the initial access vector, remains unclear, but researchers suspect that Antlion exploited a web application flaw to plant the custom xPack backdoor. xPack was then used to run system commands, drop follow-on malware and tools, and exfiltrate data.

The threat actor also used custom C++ loaders alongside legitimate off-the-shelf tools such as AnyDesk, together with living-off-the-land (LotL) techniques, for remote access, credential dumping and arbitrary command execution.
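The tradecraft described above (a legitimate remote-access tool running on a host, LotL credential dumping, and a long undetected dwell) is what a defender would hunt for in endpoint telemetry. The following is an added example written for this page, not code from Symantec or from the report: it runs a handful of generic detection rules over constructed Sysmon-style process-creation events and measures how long suspicious activity spanned on each host. The LotL patterns it matches (comsvcs.dll MiniDump, reg save of the SAM hive, encoded PowerShell) are well-known techniques chosen as representative; the report does not say which LotL methods Antlion used, so they are assumptions, not Antlion indicators, and the sample log lines, hostnames and user names are constructed.

```python
import json
import re
from datetime import datetime

# Constructed Sysmon-style process-creation events, one JSON object per line.
# Sample records written for this example; not telemetry from the Symantec report.
SAMPLE_EVENTS = r"""
{"ts":"2020-12-03T08:14:22Z","host":"fin-ws-07","user":"CORP\\jdoe","image":"C:\\Windows\\System32\\notepad.exe","cmdline":"notepad.exe report.txt"}
{"ts":"2020-12-03T09:02:11Z","host":"fin-ws-07","user":"CORP\\jdoe","image":"C:\\Users\\jdoe\\AppData\\Local\\Temp\\AnyDesk.exe","cmdline":"AnyDesk.exe --start-with-win --silent"}
{"ts":"2021-01-15T03:12:44Z","host":"fin-srv-02","user":"CORP\\svc_backup","image":"C:\\Windows\\System32\\rundll32.exe","cmdline":"rundll32.exe C:\\Windows\\System32\\comsvcs.dll, MiniDump 712 C:\\Windows\\Temp\\l.dmp full"}
{"ts":"2021-03-02T22:05:19Z","host":"fin-srv-02","user":"CORP\\svc_backup","image":"C:\\Windows\\System32\\reg.exe","cmdline":"reg.exe save hklm\\sam C:\\Windows\\Temp\\sam.hiv"}
{"ts":"2021-08-10T14:30:00Z","host":"fin-ws-07","user":"CORP\\jdoe","image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","cmdline":"powershell.exe -nop -w hidden -enc SQBFAFgA"}
{"ts":"2021-08-10T14:31:05Z","host":"fin-ws-07","user":"NT AUTHORITY\\SYSTEM","image":"C:\\Windows\\System32\\svchost.exe","cmdline":"svchost.exe -k netsvcs -p"}
"""

# Generic hunting rules (name, event field to inspect, regex). The LotL patterns are
# well-known techniques used here as representative examples; the report does not
# name the methods Antlion used.
RULES = [
    # Remote-access tool execution; AnyDesk is assumed unsanctioned in this environment.
    ("remote_access_tool", "image", re.compile(r"(?i)\\anydesk\.exe$")),
    # LSASS memory dump via the MiniDump export of comsvcs.dll.
    ("lsass_dump_comsvcs", "cmdline", re.compile(r"(?i)comsvcs\.dll.*minidump")),
    # Registry hive export that yields credential material for offline extraction.
    ("sam_hive_export", "cmdline",
     re.compile(r"(?i)\breg(?:\.exe)?\s+save\s+hklm\\(?:sam|security|system)\b")),
    # Base64-encoded PowerShell command line, a common LotL execution wrapper.
    ("encoded_powershell", "cmdline",
     re.compile(r"(?i)powershell(?:\.exe)?.*\s-(?:e|ec|enc|encodedcommand)\s")),
]


def parse_events(text):
    """Parse newline-delimited JSON into a list of event dicts."""
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]


def matching_rules(event):
    """Names of every rule whose regex matches the event's relevant field."""
    return [name for name, field, rx in RULES if rx.search(event.get(field, ""))]


def hunt(text):
    """Run all rules over the events; one finding per (event, rule) pair, in event order."""
    findings = []
    for ev in parse_events(text):
        for rule in matching_rules(ev):
            findings.append({"ts": ev["ts"], "host": ev["host"], "user": ev["user"],
                             "rule": rule, "cmdline": ev["cmdline"]})
    return findings


def activity_span_days(findings):
    """Per host, whole days between the first and last suspicious event.

    This is only a lower bound on dwell time: the intrusion began no later than
    the first hit and ended no earlier than the last one.
    """
    spans = {}
    for f in findings:
        ts = datetime.strptime(f["ts"], "%Y-%m-%dT%H:%M:%SZ")
        first, last = spans.get(f["host"], (ts, ts))
        spans[f["host"]] = (min(first, ts), max(last, ts))
    return {host: (last - first).days for host, (first, last) in spans.items()}


if __name__ == "__main__":
    found = hunt(SAMPLE_EVENTS)
    for f in found:
        print(f"{f['ts']} {f['host']:<10} {f['user']:<18} {f['rule']:<20} {f['cmdline']}")
    for host, days in activity_span_days(found).items():
        print(f"{host}: suspicious activity spans {days} days")
```

On the constructed data the workstation's first flagged event (the AnyDesk launch) and its last (the encoded PowerShell) are 250 days apart, which is the kind of figure the dwell-time numbers above come from. In a real deployment the AnyDesk rule should be scoped to executions outside the sanctioned installation path, and a span computed from a few hits is a floor, not a measurement of the full intrusion.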

“Antlion is believed to have been involved in espionage activities since at least 2011, and this recent activity shows that it is still an actor to be aware of more than 10 years after it first appeared,” the researchers said.

The findings add to a growing list of China-linked nation-state groups targeting Taiwan in recent months: threat actors tracked as Tropic Trooper and Earth Lusca have struck government, healthcare, transportation, and educational institutions in the country.