A Chinese-speaking cyber threat group known as Earth Ammit has been found targeting a much wider range of industries than previously believed. Initially, security experts thought the group only focused on Taiwanese drone manufacturers. However, new research shows their attacks have reached far beyond that sector.
Last year, cybersecurity firm Trend Micro released a report about an Earth Ammit operation called Tidrone. At the time, experts thought this campaign only targeted military supply chains, satellite-related industries, and drone manufacturers.
A Broader and Deeper Threat
Further investigation revealed that Earth Ammit’s attacks were more widespread. The group also targeted heavy industry, media, technology, software services, healthcare, satellite supply chains, military-adjacent companies, and payment service providers in both South Korea and China.
Trend Micro found that these attacks happened in two separate waves. The first wave was the previously reported Tidrone campaign. The second wave, called “Venom,” had not been publicly disclosed until now. Unlike Tidrone, which targeted direct suppliers, Venom focused on compromising upstream software vendors. This strategy allowed Earth Ammit to later infiltrate their more valuable downstream customers.
According to Trend Micro researchers, Earth Ammit’s long-term goal is to breach trusted networks through supply chain attacks. By doing so, they can access sensitive data, steal credentials, and capture screenshots from high-value targets.
Supply Chain Tactics
Earth Ammit used software vendors and service providers as stepping stones to reach their ultimate targets. In some cases, they injected malicious code into legitimate software updates, similar to the infamous SolarWinds attack. In other cases, they hacked into technology service providers and used IT management tools to infiltrate customer systems.
Stephen Hilton, a senior threat researcher at Trend Micro, explained the difference between the two campaigns. Both Venom and Tidrone were conducted by Earth Ammit, but they had different scopes and strategies.
- Venom (2023-2024): Targeted a broad range of upstream vendors to indirectly reach high-value companies.
- Tidrone (2024): Focused on directly attacking military and satellite organizations in Taiwan through compromised service providers and ERP software.
Inside the Venom Campaign
Trend Micro reported that Earth Ammit used stealthy and hard-to-trace methods during the Venom campaign. The attackers often relied on open-source tools and “living-off-the-land” techniques, making detection difficult. They exploited web server vulnerabilities, installed web shells, and set up command-and-control (C2) channels using open-source proxies.
One custom tool stood out: a modified version of the Fast Reverse Proxy Client (FRPC), named VENFRPC. This tool helped the attackers establish covert remote access and maintain control over compromised systems.
The Venom campaign primarily targeted sectors with trusted relationships to downstream clients, including heavy industry, media, technology, software services, and healthcare. By compromising these vendors, Earth Ammit could spread malware downstream to critical defense and drone-related companies.
The Tidrone Campaign: A Direct Approach
In contrast, the Tidrone campaign used a three-phase infection chain. Earth Ammit first compromised service providers to reach their target industries. They then injected malicious code into customer systems and deployed custom backdoors, specifically CXCLNT and CLTEND, for cyber espionage.
After gaining access, Earth Ammit carried out activities like:
- Privilege escalation through UAC bypass.
- Persistence techniques such as scheduled tasks.
- Credential dumping and disabling antivirus protections.
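The post-compromise behaviours listed above (scheduled-task persistence, antivirus tampering, credential dumping) plus the FRP-style tunnelling described for Venom can be triaged from process-creation telemetry. The following is an added example, not code from Trend Micro or the report: it runs simple command-line rules over constructed Sysmon-style records and flags hosts where several distinct stages co-occur. UAC bypass is omitted because it has no single command-line signature; the hostnames, paths and task names are invented.

```python
import re

# Constructed Sysmon-style process-creation records (sample data, not from the report).
SAMPLE_EVENTS = [
    {"host": "erp-app-01", "cmdline": r'schtasks /create /sc onlogon /tn "WinUpdateSvc" /tr "C:\ProgramData\svc.exe" /rl highest'},
    {"host": "erp-app-01", "cmdline": r'powershell -nop -w hidden Set-MpPreference -DisableRealtimeMonitoring $true'},
    {"host": "erp-app-01", "cmdline": r'procdump64.exe -accepteula -ma lsass.exe C:\Windows\Temp\l.dmp'},
    {"host": "erp-app-01", "cmdline": r'C:\ProgramData\frpc.exe -c frpc.ini'},
    {"host": "erp-app-01", "cmdline": r'schtasks /query /tn "WinUpdateSvc"'},          # benign: query only, no /create
    {"host": "hr-ws-07",   "cmdline": r'C:\Windows\System32\notepad.exe C:\Users\a\notes.txt'},
]

# Each rule maps one stage named in the article to a command-line pattern.
# Rule names are "stage:technique" so hits can be grouped by stage.
RULES = {
    "persistence:scheduled_task":  re.compile(r"\bschtasks(?:\.exe)?\b.*\s/create\b", re.I),
    "defense_evasion:av_tamper":   re.compile(r"Set-MpPreference|DisableRealtimeMonitoring|DisableAntiSpyware", re.I),
    # Both a dumping tool and the lsass process must appear in the same command line.
    "credential_access:lsass_dump": re.compile(r"(?=.*\blsass\b)(?=.*(?:procdump|comsvcs|MiniDump))", re.I),
    # Fast Reverse Proxy client binaries/configs (VENFRPC was a modified FRPC).
    "c2:frp_client":               re.compile(r"\bfrpc(?:\.exe)?\b", re.I),
}


def triage(events):
    """Return one (rule, host, cmdline) tuple per matching rule per event."""
    hits = []
    for ev in events:
        for name, pattern in RULES.items():
            if pattern.search(ev["cmdline"]):
                hits.append((name, ev["host"], ev["cmdline"]))
    return hits


def hosts_with_chain(hits, min_stages=3):
    """Hosts on which at least `min_stages` distinct stages fired.

    Any single rule can be noisy (admins create tasks too); the combination
    of persistence + defence evasion + credential access is the real signal.
    """
    stages_by_host = {}
    for rule, host, _ in hits:
        stages_by_host.setdefault(host, set()).add(rule.split(":")[0])
    return sorted(h for h, s in stages_by_host.items() if len(s) >= min_stages)


if __name__ == "__main__":
    hits = triage(SAMPLE_EVENTS)
    for rule, host, cmdline in hits:
        print(f"[{host}] {rule}: {cmdline}")
    print("hosts with multi-stage chain:", hosts_with_chain(hits))
```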
Tidrone was a direct and focused attack aimed at military and satellite sectors, especially drone manufacturers in Taiwan. This method showed a streamlined and aggressive supply chain attack targeting national security interests.
Espionage Goals
Trend Micro did not explicitly state Earth Ammit’s motives for stealing data from drone makers and other industries. However, it is widely believed that Chinese state-sponsored cyber espionage seeks to enhance China’s economic and military strength. By stealing sensitive information, China could better understand its adversaries’ capabilities, especially in emerging technologies like drones and autonomous weapons. Such intelligence gathering is crucial amid rising geopolitical tensions in the Asia-Pacific region.