Between 2023 and 2024, the cyber espionage group known as Earth Ammit orchestrated two sophisticated campaigns—VENOM and TIDRONE—targeting a range of sectors in Taiwan and South Korea. These sectors included military, satellite, heavy industry, media, technology, software services, and healthcare. Cybersecurity firm Trend Micro has linked Earth Ammit to Chinese-speaking nation-state groups, highlighting the group’s strategic focus on infiltrating the drone supply chain to compromise high-value entities downstream.
VENOM Campaign:
The VENOM campaign primarily targeted software service providers, serving as an entry point into the drone supply chain. Earth Ammit exploited vulnerabilities in web servers to deploy web shells, which facilitated the installation of remote access tools (RATs) for persistent access. Notably, the group utilized open-source tools like REVSOCK and Sliver to obfuscate their activities and hinder attribution efforts. A customized version of FRPC, dubbed VENFRPC, was the only bespoke malware identified in this campaign. The ultimate objective was to harvest credentials from compromised environments, setting the stage for the subsequent TIDRONE campaign aimed at downstream customers.
TIDRONE Campaign:
Building upon the groundwork laid by VENOM, the TIDRONE campaign specifically targeted the military industry. This campaign unfolded in three stages:
1. Initial Access: Mirroring VENOM’s tactics, Earth Ammit infiltrated service providers to inject malicious code, thereby distributing malware to downstream customers.
2. Command-and-Control: The attackers deployed a DLL loader to install backdoors named CXCLNT and CLNTEND.
3. Post-Exploitation: The group established persistence, escalated privileges, disabled antivirus software using TrueSightKiller, and installed a screenshot-capturing tool called SCREENCAP via CLNTEND.
CXCLNT, active since at least 2022, employs a modular plugin system that dynamically retrieves additional plugins from its command-and-control server, enhancing its capabilities and complicating detection. CLNTEND, first detected in 2024, serves as its successor with expanded features designed to evade detection mechanisms.
Supply Chain Vulnerabilities and ERP Exploitation:
A critical aspect of Earth Ammit’s strategy was targeting the drone supply chain by exploiting enterprise resource planning (ERP) software. By compromising ERP systems, the group gained access to sensitive information and critical infrastructure, enabling them to infiltrate the military and satellite industries effectively. In certain instances, trusted communication channels, such as remote monitoring or IT management tools, were utilized to distribute malicious payloads, further complicating detection and mitigation efforts.
Implications and Recommendations:
The VENOM and TIDRONE campaigns underscore the evolving nature of cyber threats, particularly those targeting supply chains and critical infrastructure. Organizations must adopt a proactive approach to cybersecurity, including:
– Regular Security Audits: Conduct comprehensive assessments of systems and networks to identify and remediate vulnerabilities.
– Supply Chain Security: Implement stringent security measures for third-party vendors and service providers to prevent supply chain attacks.
– Advanced Threat Detection: Deploy sophisticated monitoring tools capable of identifying and responding to anomalous activities indicative of cyber espionage.
– Employee Training: Educate staff on recognizing phishing attempts and other common attack vectors to reduce the risk of initial compromise.
By understanding the tactics employed by groups like Earth Ammit and implementing robust security protocols, organizations can better defend against complex cyber threats targeting supply chains and critical sectors.
