🇨🇳
Antlion
APT Group
Information theft and espionage
ETDA ✓
Also Known As
No alias recorded
Target Countries 25
Brazil
Canada
Switzerland
China
Czech Republic
Germany
Ecuador
Egypt
Finland
France
United Kingdom
Hong Kong
Haiti
Israel
India
Italy
Japan
Mexico
Malaysia
Norway
Philippines
Province of China Taiwan
Ukraine
United States
Vietnam
Sectors Targeted
Healthcare
Grantmaking and Giving Services
8132
Commercial Banking
52211
Freight Transportation Arrangement
48851
Construction
23
Outpatient Care Centers
6214
Manufacturing
Employment Placement Agencies and Executive Search Services
56131
Oil and Gas Extraction
211
Truck Transportation
484
Motion Picture and Video Production
51211
National Security and International Affairs
9281
Newspaper Publishers
51111
Business Schools and Computer and Management Training
6114
Toilet Preparation Manufacturing
32562
Colleges, Universities, and Professional Schools
6113
Data Processing, Hosting, and Related Services
51821
Justice, Public Order, and Safety Activities
9221
Computer Systems Design and Related Services
54151
Internet Publishing and Broadcasting and Web Search Portals
51913
National Security and International Affairs
928110
Government
Periodical Publishers
51112
Computer Systems Design Services
541512
Human Resources Consulting Services
541612
Management, Scientific, and Technical Consulting Services
5416
Transportation
High-Tech
Remediation and Other Waste Management Services
5629
Financial
Defense
Finance and Insurance
52
NAICS:31
31
Details
Origin
🇨🇳 CN
Last Updated
01 Jun 2022
Malware Families 3
ccleaner_backdoor
entryshell
win.shadow_rat
MITRE ATT&CK 65
T1003 - OS Credential Dumping
T1016
T1020
T1027 - Obfuscated Files or Information
T1027.003
T1027.013
T1033
T1036 - Masquerading
T1036.005
T1046
T1049
T1052
T1052.001
T1055 - Process Injection
T1055.001
T1056 - Input Capture
T1057
T1059 - Command and Scripting Interpreter
T1059.001
T1059.003
T1070
T1070.004
T1071
T1071.001
T1071.004
T1078
T1078.003
T1082
T1083
T1091
T1102 - Web Service
T1105
T1106
T1115 - Clipboard Data
T1119
T1132
T1132.001
T1135
T1140 - Deobfuscate/Decode Files or Information
T1176 - Browser Extensions
T1203
T1204
T1204.002
T1221
T1496 - Resource Hijacking
T1505
T1505.003
T1518
T1518.001
T1531 - Account Access Removal
T1543
T1543.003
T1547
T1547.001
T1547.004
T1562 - Impair Defenses
T1564
T1564.001
T1566 - Phishing
T1566.001
T1573
T1573.002
T1574 - Hijack Execution Flow
T1574.001
T1680