Persistent WordDrone Malware Targets Taiwan's Drone Industry with DLL Exploits

2024-10-05

A recent investigation conducted by the Acronis Threat Research Unit (TRU) has unearthed a sophisticated cyberattack targeting Taiwan’s drone manufacturing sector. This attack, dubbed WordDrone, exploits vulnerabilities in an outdated version of Microsoft Word to install a persistent backdoor on infected systems, thereby posing a significant risk to national security and industrial integrity.

The Attack: A Closer Look at WordDrone

WordDrone has specifically targeted companies within Taiwan's burgeoning drone industry, an area that has attracted considerable government investment since 2022. The strategic technological and military significance of these organizations makes them prime targets for cyber espionage and supply chain attacks.

How the Attack Works

The attackers employ a method known as DLL side-loading, which lets them abuse an outdated version of Microsoft Word 2010: the legitimate Winword executable loads a malicious DLL placed alongside it. Here’s how the process unfolds:

  • Three Primary Files: When the malware infiltrates a system, it installs:

    • A legitimate version of Winword (Microsoft Word)
    • A maliciously crafted wwlib.dll file
    • An encrypted file with a random name and extension that conceals the actual payload
  • Exploitation of Vulnerabilities: The attackers exploit a known vulnerability in the older version of Microsoft Word, using the legitimate Winword application to side-load the malicious wwlib.dll from its own directory in place of the genuine library. This DLL serves as a loader that decrypts and executes the true malware payload.
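
The side-loading pattern above (a real winword.exe loading wwlib.dll from wherever it happens to sit) is easy to spot in image-load telemetry once you know to look for it. The following is an added example, not code from the Acronis report or from the malware; it runs over constructed, Sysmon-style image-load records and flags a Word process that picks up wwlib.dll from outside the Office install tree or with a signature that does not verify. The trusted Office roots and the record layout are assumptions to adapt to your environment.

```python
# Added example (not from the Acronis report): flag winword.exe loading
# wwlib.dll from an untrusted location, the DLL side-loading pattern the
# article describes. The image-load events below are constructed,
# Sysmon-like records, not real telemetry.
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Assumption: directories where a genuine Office install keeps wwlib.dll.
# Adjust to the estate's standard image.
TRUSTED_OFFICE_ROOTS = (
    r"c:\program files\microsoft office",
    r"c:\program files (x86)\microsoft office",
)

@dataclass
class ImageLoad:
    process_image: str   # full path of the process that loaded the DLL
    loaded_image: str    # full path of the DLL that was loaded
    sig_valid: bool      # whether the DLL's signature verified as valid

def _under_trusted_root(path: str) -> bool:
    p = path.lower().replace("/", "\\")
    return any(p.startswith(root) for root in TRUSTED_OFFICE_ROOTS)

def is_suspicious_sideload(ev: ImageLoad) -> bool:
    """True when winword.exe loads wwlib.dll from outside the Office tree
    or with a signature that does not verify. Only the DLL path matters:
    the attacker copies a legitimate winword.exe next to the malicious
    DLL, so the process path alone is not a signal."""
    proc = PureWindowsPath(ev.process_image).name.lower()
    dll = PureWindowsPath(ev.loaded_image).name.lower()
    if proc != "winword.exe" or dll != "wwlib.dll":
        return False
    return (not _under_trusted_root(ev.loaded_image)) or not ev.sig_valid

def sideload_alerts(events):
    """Return the loaded_image paths of all suspicious side-loads."""
    return [ev.loaded_image for ev in events if is_suspicious_sideload(ev)]

# Constructed sample: one benign load from an Office 2010 (Office14)
# install, one side-load from a world-writable directory.
SAMPLE_EVENTS = [
    ImageLoad(r"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE",
              r"C:\Program Files\Microsoft Office\Office14\wwlib.dll", True),
    ImageLoad(r"C:\Users\Public\update\WINWORD.EXE",
              r"C:\Users\Public\update\wwlib.dll", False),
]

if __name__ == "__main__":
    for path in sideload_alerts(SAMPLE_EVENTS):
        print("suspicious side-load:", path)
```

Because the process image is genuine and signed, rules keyed on the parent executable alone will stay quiet; the DLL's location and signature state are what separate this load from a normal one.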

Evasion Techniques Employed

One of the more alarming aspects of this attack is the attackers’ use of code-signing certificates, which allows the malware components to evade traditional detection methods. By signing some malicious DLLs with certificates that have recently expired, they manage to escape scrutiny from security systems that typically trust signed binaries.
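
"Signed" is not the same as "currently trustworthy": a certificate that has expired still produces a signature that some tooling waves through. The following is an added example, not from the Acronis report, showing the decision a verifier should make when it meets an expired signing certificate. It treats a signature as acceptable only if the certificate is valid now, or if a countersignature timestamp proves the signature was made while the certificate was still valid. All signature records and the vendor names are constructed.

```python
# Added example (not from the Acronis report): evaluate a code signature
# whose certificate has expired, the situation the article describes. A
# signature made while the certificate was valid and fixed in time by a
# countersignature timestamp can still be accepted; a signature with no
# timestamp, or one made outside the certificate's validity window, must
# not get a pass just because the binary "is signed". All records here
# are constructed, not taken from real samples.
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

@dataclass
class SignatureInfo:
    subject: str                       # certificate subject (constructed)
    not_before: datetime               # certificate validity start
    not_after: datetime                # certificate validity end
    signing_time: Optional[datetime]   # from a timestamp countersignature, or None
    chain_ok: bool                     # chain verified to a trusted root

def classify_signature(sig: SignatureInfo, now: datetime) -> str:
    """Return one of: chain-failure, valid, timestamped-while-valid,
    no-timestamp, signed-outside-validity."""
    if not sig.chain_ok:
        return "chain-failure"
    if sig.not_before <= now <= sig.not_after:
        return "valid"
    # The certificate is outside its validity window right now, so the
    # decision rests entirely on when the signature was made.
    if sig.signing_time is None:
        return "no-timestamp"
    if sig.not_before <= sig.signing_time <= sig.not_after:
        return "timestamped-while-valid"
    return "signed-outside-validity"

def should_trust(sig: SignatureInfo, now: datetime) -> bool:
    """Policy: only a currently valid certificate, or an expired one with a
    timestamp proving the signature predates expiry, earns trust."""
    return classify_signature(sig, now) in {"valid", "timestamped-while-valid"}

def _utc(*args) -> datetime:
    return datetime(*args, tzinfo=timezone.utc)

# Constructed evaluation time and a constructed certificate that expired
# a few months before it, mirroring the "recently expired" case.
NOW = _utc(2024, 10, 5)
EXPIRED_CERT = dict(not_before=_utc(2021, 1, 1), not_after=_utc(2024, 6, 30), chain_ok=True)

SAMPLE_SIGNATURES = [
    SignatureInfo("Example Vendor (constructed)", signing_time=_utc(2023, 3, 1), **EXPIRED_CERT),
    SignatureInfo("Example Vendor (constructed)", signing_time=None, **EXPIRED_CERT),
    SignatureInfo("Example Vendor (constructed)", signing_time=_utc(2024, 8, 15), **EXPIRED_CERT),
    SignatureInfo("Current Vendor (constructed)", _utc(2024, 1, 1), _utc(2025, 12, 31), None, True),
]

def audit(signatures, now=NOW):
    """Return (subject, verdict, trusted) for each signature record."""
    return [(s.subject, classify_signature(s, now), should_trust(s, now)) for s in signatures]

if __name__ == "__main__":
    for subject, verdict, trusted in audit(SAMPLE_SIGNATURES):
        print(f"{subject}: {verdict} -> {'trust' if trusted else 'do not trust'}")
```

The second and third records are the ones a "trust anything signed" policy gets wrong: without a timestamp there is no evidence the signature predates the expiry, and a signing time after expiry means the certificate had no business producing a signature at all.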

Operational Mechanics of the Malware

Once installed, the malware triggers a series of malicious actions aimed at maintaining persistent access to the infected system:

  • Shellcode Execution: The attack begins with the execution of a shellcode stub, which decompresses and self-injects install.dll, the component responsible for establishing persistence.

  • Backdoor Functionality: The core of the attack is encapsulated in ClientEndPoint.dll, the backdoor component that allows the attackers to maintain control over the compromised system.

  • Persistence Strategies: The malware can achieve persistence using one of three methods:

    • Installing the host process as a service
    • Setting it up as a scheduled task
    • Injecting the next stage without establishing persistence
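
The first two persistence methods leave records in the Windows event logs: a service installation is logged in the System log as event ID 7045 (with the service's image path), and a scheduled task creation in the Security log as event ID 4698 (with the task's XML, including its Exec command). The following is an added example, not from the Acronis report, that reviews such records for a host process of winword.exe living outside the Office install tree. The event dicts are constructed, simplified stand-ins for exported log entries, and the service and task names are invented.

```python
# Added example (not from the Acronis report): review service-install
# (System log, event ID 7045) and scheduled-task-creation (Security log,
# event ID 4698) records for a winword.exe host process that lives outside
# the normal Office install path, the two persistence routes listed above.
# Event records are constructed, simplified dicts, not real log exports.
import xml.etree.ElementTree as ET
from pathlib import PureWindowsPath

# Assumption: directories where a genuine Office install lives.
OFFICE_ROOTS = (r"c:\program files\microsoft office",
                r"c:\program files (x86)\microsoft office")

def _exe_from_command(cmd: str) -> str:
    """Pull the executable path out of a command line, quoted or not."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.find('"', 1)]
    return cmd.split(" ", 1)[0]

def _task_command(task_xml: str) -> str:
    """Return the first <Command> text from task XML, ignoring namespaces."""
    root = ET.fromstring(task_xml)
    for el in root.iter():
        if el.tag.endswith("Command") and el.text:
            return el.text
    return ""

def persistence_findings(events):
    """Return labels of services/tasks whose executable is winword.exe
    outside the Office install tree."""
    findings = []
    for ev in events:
        if ev["event_id"] == 7045:
            exe = _exe_from_command(ev["image_path"])
            label = f"service {ev['service_name']}"
        elif ev["event_id"] == 4698:
            exe = _exe_from_command(_task_command(ev["task_content"]))
            label = f"task {ev['task_name']}"
        else:
            continue
        name = PureWindowsPath(exe).name.lower()
        if name == "winword.exe" and not exe.lower().startswith(OFFICE_ROOTS):
            findings.append(label)
    return findings

# Constructed sample: a service and a task pointing at relocated copies of
# winword.exe, plus a benign svchost service that must not be flagged.
SAMPLE_EVENTS = [
    {"event_id": 7045, "service_name": "Print Spooler Helper",
     "image_path": r'"C:\ProgramData\Office\WINWORD.EXE" /svc'},
    {"event_id": 4698, "task_name": r"\Microsoft\Office\Updater",
     "task_content": ('<Task xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">'
                      '<Actions><Exec><Command>C:\\Users\\Public\\WINWORD.EXE</Command>'
                      '</Exec></Actions></Task>')},
    {"event_id": 7045, "service_name": "netprofm",
     "image_path": r"C:\Windows\system32\svchost.exe -k netsvcs"},
]

if __name__ == "__main__":
    for finding in persistence_findings(SAMPLE_EVENTS):
        print("persistence via relocated winword.exe:", finding)
```

The third persistence option in the list (injecting the next stage without persisting) leaves none of these records, which is why a process-injection or memory-scanning control is still needed alongside log review.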

Advanced Evasion Techniques

The malware employs advanced tactics to evade detection:

  • NTDLL Unhooking: The malware removes the user-mode hooks that security software places in ntdll.dll to monitor API calls, so its own calls proceed unobserved and uninterrupted.

  • EDR Silencing: The malware scans for known security tools and adds blocking rules for them in Windows Firewall, cutting off their network communication and so their ability to report or prevent further malicious activity.
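
Firewall rules that block a security agent's own executable are a strong, cheap indicator, and they are easy to audit. The following is an added example, not from the Acronis report, that parses a firewall rule dump and reports enabled outbound Block rules whose program is a known security-tool binary. The dump is a constructed sample in a netsh-style "Key: value" layout, the Defender paths in it are invented, and the list of agent binaries is an assumption to extend for your own stack.

```python
# Added example (not from the Acronis report): audit Windows Firewall rules
# for enabled outbound Block rules aimed at security-tool executables, the
# "EDR silencing" pattern described above. The rule dump is a constructed
# sample in a netsh-style "Key: value" layout, not real output, and the
# program paths in it are invented.
from pathlib import PureWindowsPath

# Assumption: agent binaries the estate runs; extend for your own tooling.
SECURITY_TOOL_BINARIES = {
    "msmpeng.exe",   # Microsoft Defender antimalware service
    "mssense.exe",   # Microsoft Defender for Endpoint sensor
}

SAMPLE_RULE_DUMP = r"""
Rule Name:                            Core Networking - DNS (UDP-Out)
----------------------------------------------------------------------
Enabled:                              Yes
Direction:                            Out
Action:                               Allow
Program:                              C:\Windows\system32\svchost.exe

Rule Name:                            Windows Update Helper
----------------------------------------------------------------------
Enabled:                              Yes
Direction:                            Out
Action:                               Block
Program:                              C:\ProgramData\Microsoft\Windows Defender\Platform\constructed\MsMpEng.exe

Rule Name:                            Telemetry
----------------------------------------------------------------------
Enabled:                              Yes
Direction:                            Out
Action:                               Block
Program:                              C:\Program Files\Windows Defender Advanced Threat Protection\MsSense.exe
"""

def parse_rules(dump: str):
    """Split a 'Rule Name:' delimited dump into one dict per rule."""
    rules, current = [], None
    for line in dump.splitlines():
        if line.startswith("Rule Name:"):
            current = {"Rule Name": line.split(":", 1)[1].strip()}
            rules.append(current)
        elif current is not None and ":" in line and not line.startswith("-"):
            key, value = line.split(":", 1)   # split on the first colon only,
            current[key.strip()] = value.strip()  # so 'C:\...' paths survive
    return rules

def silencing_rules(rules):
    """Return names of enabled Block rules targeting a security-tool binary."""
    hits = []
    for r in rules:
        if r.get("Action", "").lower() != "block" or r.get("Enabled", "").lower() != "yes":
            continue
        program = PureWindowsPath(r.get("Program", "")).name.lower()
        if program in SECURITY_TOOL_BINARIES:
            hits.append(r["Rule Name"])
    return hits

if __name__ == "__main__":
    for name in silencing_rules(parse_rules(SAMPLE_RULE_DUMP)):
        print("firewall rule blocking a security tool:", name)
```

On a real host the rule names will be chosen to look mundane, as in the sample, so match on the program path and action rather than on the name. Real rule dumps come from `netsh advfirewall firewall show rule name=all verbose` (the Program field only appears in verbose output) or from `Get-NetFirewallRule` piped to `Get-NetFirewallApplicationFilter` in PowerShell.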

Command-and-Control Communication

The sophistication of WordDrone extends to its Command-and-Control (C2) communication capabilities. Once installed, the malware can interact with a C2 server using different protocols:

  • TCP
  • TLS
  • HTTP
  • HTTPS
  • WebSocket

The malware features a time-based scheduling mechanism that determines when it connects to the C2 server, so its traffic appears only in chosen windows and is harder for security analysts to identify and analyze.
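
A check-in schedule defeats the naive beaconing heuristic (near-constant intervals between connections) because the long silence between windows inflates the interval variance. The following is an added example, not from the Acronis report, that looks for regular beaconing per source/destination pair while discarding gaps longer than a threshold, so that a scheduled window does not hide an otherwise metronomic beacon. The connection log, addresses (from the RFC 5737 documentation ranges) and thresholds are all constructed assumptions.

```python
# Added example (not from the Acronis report): detect regular beaconing in
# outbound connection logs even when the implant only checks in during a
# scheduled window. Intervals longer than MAX_GAP_SECONDS (the off-window
# silence) are dropped before measuring regularity. Log lines, addresses
# and thresholds are constructed.
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

MAX_GAP_SECONDS = 3600    # assumption: anything longer is a schedule gap
MIN_SAMPLES = 5           # assumption: minimum intervals before judging
MAX_JITTER_RATIO = 0.2    # assumption: stdev/mean below this is "regular"

def parse_connections(lines):
    """Parse constructed 'ISO-timestamp,src,dst:port' lines."""
    out = []
    for line in lines:
        ts, src, dst = line.strip().split(",")
        out.append((datetime.fromisoformat(ts), src, dst))
    return out

def beacon_candidates(conns):
    """Return {(src, dst): mean_interval_seconds} for regular talkers."""
    by_pair = defaultdict(list)
    for ts, src, dst in conns:
        by_pair[(src, dst)].append(ts)
    results = {}
    for pair, times in by_pair.items():
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        # Drop the long silences so a check-in schedule does not mask
        # the regularity inside each window.
        gaps = [g for g in gaps if 0 < g <= MAX_GAP_SECONDS]
        if len(gaps) < MIN_SAMPLES:
            continue
        ratio = pstdev(gaps) / mean(gaps)
        if ratio <= MAX_JITTER_RATIO:
            results[pair] = round(mean(gaps))
    return results

def _make_constructed_log():
    """One host beaconing every 5 minutes in two windows (09:00 and 13:00),
    plus a second host with irregular, infrequent connections."""
    lines = []
    for start_hour in (9, 13):
        for i in range(7):
            lines.append(f"2024-10-01T{start_hour:02d}:{i * 5:02d}:00,10.0.0.5,203.0.113.10:443")
    lines += [
        "2024-10-01T09:01:13,10.0.0.7,198.51.100.20:443",
        "2024-10-01T09:47:02,10.0.0.7,198.51.100.20:443",
        "2024-10-01T11:05:40,10.0.0.7,198.51.100.20:443",
    ]
    return lines

SAMPLE_LOG = _make_constructed_log()

if __name__ == "__main__":
    for (src, dst), interval in beacon_candidates(parse_connections(SAMPLE_LOG)).items():
        print(f"{src} -> {dst}: regular beacon every ~{interval}s")
```

The gap threshold is the tunable that matters: set it just above the beacon interval you expect and the windowed schedule collapses into one consistent series, whereas leaving it unbounded lets a single multi-hour silence push the jitter ratio far above any sane cutoff.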

Potential Supply Chain Vulnerability

Investigators suspect that the initial access point for this malware could be linked to a popular Taiwanese ERP software, hinting at a possible supply chain attack. By compromising such software, attackers can deploy malware to numerous organizations at once.

Conclusion

The WordDrone attack remains a dire reminder of the risks posed by outdated software and sophisticated cyberattack methods. As Taiwan's drone industry continues to expand, it is crucial for organizations to bolster their cybersecurity measures, stay informed of emerging threats, and keep all software updated to reduce the risk of similar attacks in the future.