Antlion: Chinese APT Uses Custom Backdoor to Target Financial Institutions in Taiwan
Common Information
Type Value
UUID 969b1cee-5e1f-4de0-babf-e08dc64139b2
Fingerprint 4e218391ce33c6a9
Analysis status DONE
Considered CTI value 2
Text language
Published Feb. 3, 2022, midnight
Added to db Sept. 11, 2022, 12:38 p.m.
Last updated Nov. 17, 2024, 6:55 p.m.
Headline Antlion: Chinese APT Uses Custom Backdoor to Target Financial Institutions in Taiwan
Title Antlion: Chinese APT Uses Custom Backdoor to Target Financial Institutions in Taiwan
Detected Hints/Tags/Attributes 82/2/60
Attributes
Details Type #Events CTI Value
Details CVE 34
cve-2019-1458
Details Domain 5
sam.hiv
Details Domain 1
sys.hiv
Details Domain 4
security.hiv
Details Domain 7
system.hiv
Details Domain 1
fomsal.properties
Details Domain 1
xpack.properties
Details Domain 1
foslta.properties
Details File 3
htable.xsl
Details File 155
cscript.exe
Details File 16
update.vbs
Details File 3
upload.exe
Details File 478
lsass.exe
Details File 1
16.dmp
Details File 26
procdump64.exe
Details File 17
quser.exe
Details File 2125
cmd.exe
Details File 1
w22-009-099.tmp
Details File 1
c:\windows\inf\wdnvsc.inf
Details File 1
ntmgs.dll
Details File 1
ntmgs.dat
Details File 1
img1.jpg
Details File 1
wscms.dat
Details File 1
wscms.dll
Details File 1
wscms.ini
Details File 1
images01.jpg
Details sha256 1
85867a8b4de856a943dd5efaaf3b48aecd2082aa0ceba799df53ba479e4e81c5
Details sha256 1
12425edb2c50eac79f06bf228cb2dd77bb1e847c4c4a2049c91e0c5b345df5f2
Details sha256 1
e4a15537f767332a7ed08009f4e0c5a7b65e8cbd468eb81e3e20dc8dfc36aeed
Details sha256 1
e488f0015f14a0eff4b756d10f252aa419bc960050a53cc04699d5cc8df86c8a
Details sha256 1
9456d9a03f5084e44f8b3ad936b706a819ad1dd89e06ace612351b19685fef92
Details sha256 1
730552898b4e99c7f8732a50ae7897fb5f83932d532a0b8151f3b9b13db7d73c
Details sha256 1
de9bd941e92284770b46f1d764905106f2c678013d3793014bdad7776540a451
Details sha256 1
390460900c318a9a5c9026208f9486af58b149d2ba98069007218973a6b0df66
Details sha256 1
4331d1610cdedba314fc71b6bed35fea03bc49241eb908a70265c004f5701a29
Details sha256 1
9b5168a8f2950e43148fe47576ab3ac5b2cfa8817b124691c50d2c77207f6586
Details sha256 1
a74cb0127a793a7f4a616613c5aae72142c1166f4bb113247e734f0efd48bdba
Details sha256 1
e5259b6527e8612f9fd9bba0b69920de3fd323a3711af39f2648686fa139bc38
Details sha256 1
eb7a23136dc98715c0a3b88715aa7e936b88adab8ebae70253a5122b8a402df3
Details sha256 1
789f0ec8e60fbc8645641a47bc821b11a4486f28892b6ce14f867a40247954ed
Details sha256 1
3db621cac1d026714356501f558b1847212c91169314c1d43bfc3a4798467d0d
Details sha256 1
443f4572ed2aec06d9fb3a190de21bfced37c0cd2ee03dd48a0a7be762858925
Details sha256 1
f4534e04caced1243bd7a9ce7b3cd343bf8f558982cbabff93fa2796233fe929
Details sha256 1
e968e0d7e62fbc36ad95bc7b140cf7c32cd0f02fd6f4f914eeb7c7b87528cfe2
Details sha256 1
0bbb477c1840e4a00d0b6cd3bd8121b23e1ce03a5ad738e9aa0e5e0b2e1e1fea
Details sha256 1
55636c8a0baa9b57e52728c12dd969817815ba88ec8c8985bd20f23acd7f0537
Details sha256 1
2a541a06929dd7d18ddbae2cb23d5455d0666af7bdcdf45b498d1130a8434632
Details sha256 1
29d7b82f9ae7fa0dbaf2d18c4d38d18028d652ed1ccc0846e8c781b4015b5f78
Details sha256 1
f7cab241dac6e7db9369a4b85bd52904022055111be2fc413661239c3c64af3d
Details sha256 1
2aa52776965b37668887a53dcd2374fc2460293b73c897de5d389b672e1313ff
Details sha256 1
79a37464d889b41b7ea0a968d3e15e8923a4c0889f61410b94f5d02458cb9eed
Details sha256 1
48d41507f5fc40a310fcd9148b790c29aeb9458ff45f789d091a9af114f26f43
Details sha256 1
f01a4841f022e96a5af613eb76c6b72293400e52787ab228e0abb862e5a86874
Details sha256 1
e1a0c593c83e0b8873278fabceff6d772eeaaac96d10aba31fcf3992bc1410e5
Details sha256 1
dfee6b3262e43d85f20f4ce2dfb69a8d0603bb261fb3dfa0b934543754d5128b
Details Windows Registry Key 24
HKLM\SAM
Details Windows Registry Key 37
HKLM\SYSTEM
Details Yara rule 1
// Detects the xPack loader described in this report: a PE file carrying
// either the loader's own error strings or its .NET embedded-resource names.
rule xpack_loader {
	meta:
		author = "Symantec, a division of Broadcom"
		// Reference sample this rule was written against (also listed in the page's sha256 attributes).
		hash = "12425edb2c50eac79f06bf228cb2dd77bb1e847c4c4a2049c91e0c5b345df5f2"
	strings:
		// $s*: UTF-16LE error/status strings emitted by the loader; "wide fullword" means
		// the UTF-16 form must appear as a whole word (not embedded in a longer token).
		$s1 = "Length or Hash destoryed" wide fullword
		$s2 = "tag unmatched" wide fullword
		$s3 = "File size mismatch" wide fullword
		$s4 = "DESFile" wide fullword
		// $p*: embedded resource names; the "<name>.Properties.Resources.resources" shape
		// is what a .NET assembly uses for its default resource file, and the three prefixes
		// match the fomsal/xPack/foslta names listed in this page's attributes.
		$p1 = "fomsal.Properties.Resources.resources" wide fullword
		$p2 = "xPack.Properties.Resources.resources" wide fullword
		$p3 = "foslta.Properties.Resources.resources" wide fullword
	condition:
		// First two bytes are the "MZ" DOS magic (0x5A4D little-endian) and the DWORD at
		// offset 0x3C (e_lfanew) points at the "PE\0\0" signature, i.e. a PE image.
		// Then either two of the error strings or any single resource name is enough.
		uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550 and (2 of ($s*) or any of ($p*))
}
Details Yara rule 1
// Detects the xPack service component: a PE file containing at least three of the
// four UTF-16LE strings below (service names, a config path and a fixed token).
rule xpack_service {
	meta:
		author = "Symantec, a division of Broadcom"
		// Reference sample this rule was written against (also listed in the page's sha256 attributes).
		hash = "390460900c318a9a5c9026208f9486af58b149d2ba98069007218973a6b0df66"
	strings:
		// Path under the Windows inf directory that the page also lists as a file indicator;
		// the doubled backslashes are YARA string escaping for single backslashes.
		$s1 = "C:\\Windows\\inf\\wdnvsc.inf" wide fullword
		// Service-related names used by the component.
		$s2 = "PackService" wide fullword
		$s3 = "xPackSvc" wide fullword
		// Fixed high-entropy token present in the sample; its purpose is not described on this page.
		$s4 = "eG#!&5h8V$" wide fullword
	condition:
		// PE check: "MZ" DOS magic at offset 0, and e_lfanew (DWORD at 0x3C) points at "PE\0\0".
		// "3 of them" = any three of the four strings, so a single missing/changed string
		// (e.g. a renamed service) still matches.
		uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550 and 3 of them
}
Details Yara rule 1
// Detects the "checkID" loader (see meta.description): a PE with the loader's own
// mutex/diagnostic strings plus at least one marker of a known embedded payload family.
rule checkid_loader {
	meta:
		author = "Symantec, a division of Broadcom"
		description = "BlackHole/BlackSwan / QuasarRAT/xClient loader"
		// Reference sample this rule was written against (also listed in the page's sha256 attributes).
		hash = "29d7b82f9ae7fa0dbaf2d18c4d38d18028d652ed1ccc0846e8c781b4015b5f78"
	strings:
		// $s*: loader diagnostics. $s1/$s2 are UTF-16LE format strings (the "0xlx" in $s2 is
		// reproduced as found in the sample, not a typo in the rule); $s4-$s6 are ASCII
		// mutex error messages.
		$s1 = "Call %s.%s(\"%s\") => %d" wide fullword
		$s2 = "Assembly::CreateInstance failed w/hr 0xlx" wide fullword
		// NOTE(review): $s3 has no fullword/wide modifier, so it is a plain ASCII substring
		// match and is contained in both $s4 and $s5. Any file matching $s4 or $s5 therefore
		// also matches $s3, meaning "2 of ($s*)" below can be satisfied by one of those
		// strings alone. Presumably intentional as a looser catch; confirm before tightening.
		$s3 = "checkID"
		$s4 = "NULL == checkID hMutex" fullword
		$s5 = "checkID Mutex ERROR_ALREADY_EXISTS" fullword
		$s6 = "dllmain mutex ERROR_ALREADY_EXISTS" fullword
		// $x*: QuasarRAT/xClient payload markers (both required in the condition).
		$x1 = "xClient.Program" wide fullword
		$x2 = "LoadPayload" fullword
		// $m*: standalone markers, any one of which is sufficient; $m2 is a GUID-shaped
		// constant from the sample. "ascii wide" matches both encodings.
		$m1 = "SFZJ_Wh16gJGFKL" ascii wide
		$m2 = "d5129799-e543-4b8b-bb1b-e0cba81bccf8" ascii wide
		$m3 = "USA_HardBlack" ascii wide
		// $b*: BlackHole payload markers (all three required in the condition).
		$b1 = "BlackHole.Slave.Program" wide fullword
		$b2 = "NuGet\\Config" wide
		$b3 = "VisualStudio.cfi" wide
		// $p: raw byte pattern from the sample; $t: long opaque (base64-looking) constant.
		// Neither is explained on this page; treat them as sample-specific fingerprints.
		$p = { E1 F6 3C AC AF AC AC AC A8 AC AC AC 53 53 AC AC 14 }
		$t = "0s+Nksjd1czZ1drJktPO24aEjISMtsvLy5LJzNjdyNnL1dLY08uS39PRhoSMhIy2jYyPkomNko2IjJKEiIaEjISM"
	condition:
		// PE check ("MZ" magic, e_lfanew -> "PE\0\0"), then two loader strings AND one
		// payload-family indicator: both $x, or any $m, or all $b, or the $p/$t fingerprints.
		uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550 and 2 of ($s*) and (all of ($x*) or any of ($m*) or all of ($b*) or $p or $t)
}