A state-backed Chinese APT actor tracked as 'Antlion' has been using a new custom backdoor called 'xPack' against financial organizations and manufacturing companies.
The malware has been used in a campaign against targets in Taiwan that researchers believe spanned for more than 18 months, between 2020 and 2021, allowing the adversaries to run stealthy cyber-espionage operations.
According to a report from Symantec, a Broadcom company, shared with BleepingComputer, xPack enabled attackers to run WMI commands remotely, to leverage EternalBlue exploits, and mounted shares over SMB to deliver data to the command and control (C2) server.
In the network for 250 days
Details from one attack show that the threat actor spent 175 days on the compromised network. However, Symantec researchers analyzing two other attacks determined that the the adversary went undetected on the network for as long as 250 days.
Using custom malware unknown to threat analysts played a key role in achieving this level of stealthiness.
xPack is a .NET loader that fetches and executes AES-encrypted payloads, while it's also capable to execute system commands and stage data for exfiltration.