cybersecuritynews.com

Earth Ammit Hackers Attacking Using New Tools to Attack Drones Used in Military Sectors

A sophisticated threat actor known as Earth Ammit has launched coordinated multi-wave attacks targeting drone supply chains, primarily in Taiwan’s military and satellite industries. The group, which security researchers have linked to Chinese-speaking APT groups, has executed two distinct campaigns between 2023 and 2024, demonstrating an evolution in tactics and tooling that poses significant risks […] The post Earth Ammit Hackers Attacking Using New Tools to Attack Drones Used in Military Sectors appeared first on Cyber Security News.

May 14, 2025 - 14:32
 0
Earth Ammit Hackers Attacking Using New Tools to Attack Drones Used in Military Sectors

A sophisticated threat actor known as Earth Ammit has launched coordinated multi-wave attacks targeting drone supply chains, primarily in Taiwan’s military and satellite industries.

The group, which security researchers have linked to Chinese-speaking APT groups, has executed two distinct campaigns between 2023 and 2024, demonstrating an evolution in tactics and tooling that poses significant risks to military and aerospace sectors.

The timeline of operations conducted by Earth Ammit (Source – Trend Micro)

The first wave, dubbed VENOM, focused on penetrating software service providers and technology companies by exploiting web server vulnerabilities to upload web shells.

This campaign relied heavily on open-source tools to maintain persistence within compromised systems while avoiding attribution.

Following this initial compromise, Earth Ammit pivoted to a more targeted second wave called TIDRONE, which specifically aimed at military industry entities through the upstream supply chain.

Victims of these attacks primarily originated from Taiwan and South Korea, affecting organizations within military, satellite, heavy industry, media, technology, software services, and healthcare sectors.

Through these supply chain attacks, Earth Ammit positioned itself to target downstream customers, creating a ripple effect that extended the attackers’ reach to high-value military assets.

Trend Micro researchers identified that Earth Ammit’s operations demonstrate sophisticated understanding of supply chain vulnerabilities, employing two distinct attack paths: classic supply chain attacks that inject malicious code into legitimate software, and general supply chain attacks that leverage trusted communication channels to distribute malware without altering software artifacts.

The group’s long-term objective appears to be infiltrating trusted networks to gain access to sensitive military technology, particularly drone systems used in defense applications.

Organizations compromised in these attacks face risks of credential theft, data exfiltration, and persistent unauthorized access to their networks.

Evolution of Malware Arsenal

The most concerning aspect of Earth Ammit’s activities is their rapid evolution in malware capabilities. Their CLNTEND backdoor, first observed in 2024, represents a significant advancement over its predecessor CXCLNT.

The evolution of the loader from 2023 to 2024 (Source – Trend Micro)

While both execute entirely in memory to evade detection, CLNTEND operates as a DLL rather than an EXE and supports seven communication protocols compared to CXCLNT’s two.

What makes CLNTEND particularly sophisticated is its implementation of fiber-based evasion techniques. These techniques leverage Windows fiber API functions to hide malicious activities from security solutions.

The relation and overlap connecting the VENOM and TIDRONE campaigns (Source – Trend Micro)

As seen in the captured code sample below, the malware uses functions like ConvertThreadToFiber and CreateFiber to execute code in a way that’s difficult to detect:- 

hModule = hinstDLL;
ModuleHandleA = GetModuleHandleA(0);
dword_10013300 = *(_DWORD *)((char *)ModuleHandleA + *((_DWORD *)ModuleHandleA + 15) + 40);
lpFiber = ConvertThreadToFiber(0);
Fiber = (char *)CreateFiber(0, (LPFIBER_START_ROUTINE)StartAddress, 0);
dword_100132C4 = (int)Fiber;
*(_DWORD *)&Fiber[(dword_10013300 ^ 0x10EC) + 196] = (char *)sub_10001480 + (dword_10013300 ^ 0x10EC);
SwitchToFiber(Fiber);

The threat actor has also implemented multiple anti-analysis measures, including entrypoint verification via GetModuleHandle with XOR checks and execution order dependencies that prevent analysis attempts.

Additionally, the group deploys a screen capture tool called SCREENCAP, adapted from open-source code, to conduct espionage by capturing victims’ screens and sending them back to command and control servers.

The timestamps from file compilation and command execution logs align with the GMT+8 time zone, and the attacker’s tactics bear resemblance to those used by Dalbit, a threat group previously reported by AhnLab.

Organizations can protect themselves by implementing third-party risk management programs, monitoring fiber-related API usage, strengthening EDR solutions, and adopting Zero Trust Architecture to validate every connection.

How SOC Teams Save Time and Effort with ANY.RUN - Live webinar for SOC teams and managers

The post Earth Ammit Hackers Attacking Using New Tools to Attack Drones Used in Military Sectors appeared first on Cyber Security News.

Read More

Tags:

Previous Article

Windows Remote Desktop Gateway Vulnerability Let Attackers Trigger Dos Condition

Next Article

Outlook RCE Vulnerability Allows Attackers to Execute Arbitrary Code

Related Posts

F5 BIG-IP Command Injection Vulnerability Let Attackers Execute Arbitrary System Commands

F5 BIG-IP Command Injection Vulnerability Let Attackers...

May 13, 2025  0

Ransomware-as-a-Service (RaaS) Evolved as a Predominant Framework for Ransomware Attacks

Ransomware-as-a-Service (RaaS) Evolved as a Predominant...

May 8, 2025  0

Windows DWM 0-Day Vulnerability Allows Attackers to Escalate Privileges

Windows DWM 0-Day Vulnerability Allows Attackers to Esc...

May 14, 2025  0