The Acronis Threat Research Unit has released new technical details about a threat group targeting Taiwanese drone manufacturers through an outdated version of Microsoft Word.
In the campaign, dubbed WordDrone by Acronis, TRU researchers uncovered the tools and techniques used by the malware, including EDRSilencer and Blindside. They also provide an in-depth analysis of ClientEndPoint.dll, the final stage of the attack, which is carried out in two important steps. The report further covers the command-and-control communication and gives detailed findings on post-exploitation actions.
Acronis’ summary of the attack is as follows: TRU researchers uncovered a strangely behaving process in the 2010 version of Microsoft Word after being alerted to a customer complaint of Acronis XDR detecting suspicious activity of Winword when it could not determine what document was loaded. The request was unusual due to a path and command line being used with a never-before-seen “SvcLoad” parameter, while also reporting another version of Winword was already deployed on the workstation. It was then determined the 2010 version of Winword was being used and set up as a service for persistence.
Acronis observed similar cases across multiple environments between April and July 2024. The first stage of the attacks seemed to be focused on Windows desktop machines, while in the second stage attackers were trying to move over to Windows servers.
There are about a dozen companies in Taiwan participating in drone manufacturing, often for OEM purposes, and even more if looking at the global aerospace industry. The country has always been a US ally, and that, coupled with Taiwan’s strong technological background, makes it a prime target for adversaries interested in military espionage or supply chain attacks.
The presence of a highly outdated version of Winword is not necessarily a sign of malicious activity by default. However, when its execution is coupled with an unusual command line, and there is no visible sign of any document being loaded, it raises concerns immediately. Our case reflects the fact that motivated and sophisticated threat actors are scaling down from the enterprise level to the midmarket and even to small businesses. It is not the size of the target that appeals to them, but rather the chosen victim’s profile. Small businesses should reconsider the depth of their defence, as traditional AV solutions are no longer efficient against the type of advanced threats they might face in the near future.
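The signals described in the summary (Winword launched with the unusual "SvcLoad" parameter, no document on the command line, a second Word copy outside the normal Office path, and execution as a service) lend themselves to a simple process-creation detection. The following is an added example, not code from Acronis or the WordDrone report; the event schema, hosts and paths are constructed for illustration, and a launch is only flagged when several indicators coincide, since an old Word alone is not malicious.

```python
import re
from collections import defaultdict, namedtuple

# Process-creation event: host, executable path, command line, parent image name.
ProcEvent = namedtuple("ProcEvent", "host image cmdline parent")

# Constructed sample events for illustration; hosts and paths are made up.
OFFICE16 = r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
OLD_WORD = r"C:\ProgramData\Office2010\WINWORD.EXE"
SAMPLE_EVENTS = [
    ProcEvent("ws01", OFFICE16, f'"{OFFICE16}" /n "C:\\Users\\bob\\Documents\\quote.docx"', "explorer.exe"),
    ProcEvent("ws01", OLD_WORD, f'"{OLD_WORD}" SvcLoad', "services.exe"),
    ProcEvent("ws02", OFFICE16, f'"{OFFICE16}"', "explorer.exe"),  # Word opened with no file: benign
]

DOC_ARG = re.compile(r"\.(docx?|dotm?|rtf|odt)\b", re.IGNORECASE)
STANDARD_OFFICE_DIRS = (r"c:\program files\microsoft office", r"c:\program files (x86)\microsoft office")

def winword_indicators(e):
    """Anomaly indicators for one WINWORD.EXE launch, mirroring the report's observations."""
    reasons = []
    if "svcload" in e.cmdline.lower():
        reasons.append("SvcLoad parameter")
    if not DOC_ARG.search(e.cmdline):
        reasons.append("no document on command line")
    if not e.image.lower().startswith(STANDARD_OFFICE_DIRS):
        reasons.append("non-standard install path")
    if e.parent.lower() == "services.exe":
        reasons.append("started by the service control manager")
    return reasons

def find_suspicious_winword(events, min_indicators=2):
    """Flag launches where several indicators coincide; one alone is weak evidence."""
    findings = []
    for e in events:
        if e.image.lower().endswith("winword.exe"):
            reasons = winword_indicators(e)
            if len(reasons) >= min_indicators:
                findings.append((e.host, e.image, reasons))
    return findings

def hosts_with_multiple_word_installs(events):
    """Hosts where WINWORD.EXE ran from more than one path (a second Word copy present)."""
    paths = defaultdict(set)
    for e in events:
        if e.image.lower().endswith("winword.exe"):
            paths[e.host].add(e.image.lower())
    return sorted(h for h, p in paths.items() if len(p) > 1)
```

On the constructed events only the ws01 launch from the 2010 copy is flagged, and ws01 is also reported as carrying two Word installs.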