CLNTEND is a Remote Access Tool (RAT) first discovered in April and used by the Tidrone threat actors. It supports multiple network protocols for covert communication with its command-and-control (C2) servers, which gives the operators flexibility in evading network controls. CLNTEND, together with a second payload named CXCLNT, was typically deployed through remote desktop tools such as the open-source UltraVNC. Both payloads were delivered either through Enterprise Resource Planning (ERP) software or over remote desktop sessions, allowing the attackers to establish a foothold on victims' systems without being detected.
The threat actors favored lookalike domain names that imitate legitimate vendors for their C2 infrastructure, such as symantecsecuritycloud[.]com, microsoftsvc[.]com, and windowswns[.]com, so that CLNTEND and CXCLNT traffic blends in with ordinary vendor communication. Comparing the execution flow of earlier and more recent activity involving these two malware families reveals an evolution in the attackers' tactics, techniques, and procedures (TTPs), showing a continual refinement of their methods and tools.
Both the CLNTEND and CXCLNT backdoors are launched by sideloading a malicious Dynamic Link Library (DLL) through the Microsoft Word application, abusing a trusted, signed process to execute attacker code. The latest investigation into these TTPs and the evolution of CXCLNT and CLNTEND gives a comprehensive view of the threat actor's behavior inside victims' systems, and underscores the need for robust security controls against threats of this kind.
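The lookalike C2 domains listed above can be hunted for in DNS query logs by checking the registrable domain against the brand names it mimics. The following is an added detection example, not code from the original page or from any vendor report; the legitimate-domain allowlist, the log line format, and the sample log entries are all constructed assumptions for the demonstration, and the registrable-domain logic is deliberately naive (last two labels) rather than a full public-suffix lookup.

```python
import re
from typing import Iterable, Optional

# Brands the page's C2 domains imitate, mapped to domains assumed legitimate for each.
# ASSUMPTION: this allowlist is illustrative; a real deployment would curate it.
PROTECTED_BRANDS = {
    "symantec": {"symantec.com", "broadcom.com"},
    "microsoft": {"microsoft.com", "microsoftonline.com"},
    "windows": {"windows.com", "windows.net", "windowsupdate.com"},
}

# Constructed log format (hypothetical): "<timestamp> <host> query <qtype> <qname>"
LOG_LINE = re.compile(r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+query\s+(?P<qtype>\S+)\s+(?P<qname>\S+)$")


def refang(domain: str) -> str:
    """Turn defanged notation like example[.]com back into a normal lowercase domain."""
    return domain.replace("[.]", ".").strip().strip(".").lower()


def registrable_domain(domain: str) -> str:
    """Naive registrable domain: the last two DNS labels (no public-suffix list)."""
    labels = refang(domain).split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else refang(domain)


def lookalike_brand(domain: str) -> Optional[str]:
    """Return the brand a domain imitates, or None if it is allowlisted or unrelated.

    A domain is a lookalike when its second-level label contains a protected brand
    string but the registrable domain is not one of that brand's legitimate domains.
    """
    reg = registrable_domain(domain)
    second_level = reg.split(".")[0]
    for brand, legitimate in PROTECTED_BRANDS.items():
        if brand in second_level and reg not in legitimate:
            return brand
    return None


def scan_dns_log(lines: Iterable[str]) -> list:
    """Parse DNS query log lines and return one alert dict per lookalike query."""
    alerts = []
    for line in lines:
        match = LOG_LINE.match(line.strip())
        if not match:
            continue  # skip lines that do not follow the constructed format
        brand = lookalike_brand(match["qname"])
        if brand:
            alerts.append({
                "ts": match["ts"],
                "host": match["host"],
                "qname": refang(match["qname"]),
                "imitates": brand,
            })
    return alerts


# Constructed sample log: the three domains from the page plus benign queries.
SAMPLE_LOG = [
    "2024-10-01T08:00:01Z ws-finance-07 query A symantecsecuritycloud.com",
    "2024-10-01T08:00:02Z ws-finance-07 query A login.microsoftonline.com",
    "2024-10-01T08:00:03Z ws-finance-07 query A microsoftsvc.com",
    "2024-10-01T08:00:04Z ws-hr-02 query AAAA www.microsoft.com",
    "2024-10-01T08:00:05Z ws-hr-02 query A windowswns.com",
    "malformed line that should be ignored",
]

if __name__ == "__main__":
    for alert in scan_dns_log(SAMPLE_LOG):
        print(f"{alert['ts']} {alert['host']} queried {alert['qname']} (imitates {alert['imitates']})")
```

The allowlist check matters more than the substring match: a bare "contains microsoft" rule would flag every query to microsoftonline.com, so each brand carries the domains it is actually allowed to appear in. Replace the naive two-label registrable-domain function with a public-suffix lookup before running this over real logs, or multi-label TLDs such as co.uk will be handled incorrectly.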
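DLL sideloading through Microsoft Word leaves a detectable trace: the Word process loads a library from a location where Office components do not normally live. The following is an added detection example, not code from the original page or from any vendor; it assumes image-load telemetry in the shape of Sysmon Event ID 7 fields (Image, ImageLoaded, Signed), and the trusted install roots and sample events are constructed assumptions.

```python
from pathlib import PureWindowsPath
from typing import Optional

# Directories under which Office and system DLLs are expected to load from.
# ASSUMPTION: roots are illustrative; adjust to the fleet's actual install layout.
TRUSTED_ROOTS = (
    "c:\\windows\\",
    "c:\\program files\\",
    "c:\\program files (x86)\\",
)

# Processes this rule watches; the page describes sideloading via Microsoft Word.
WATCHED_PROCESSES = {"winword.exe"}


def is_suspicious_image_load(event: dict) -> Optional[dict]:
    """Evaluate one image-load event; return an alert dict or None.

    Flags a watched process loading a DLL that is outside the trusted roots
    and/or not signed. Either condition alone is enough to alert; both
    together raise the severity.
    """
    process = PureWindowsPath(event["Image"]).name.lower()
    if process not in WATCHED_PROCESSES:
        return None
    dll_path = event["ImageLoaded"].lower()
    in_trusted_root = dll_path.startswith(TRUSTED_ROOTS)
    signed = str(event.get("Signed", "false")).lower() == "true"
    if in_trusted_root and signed:
        return None
    reasons = []
    if not in_trusted_root:
        reasons.append("dll outside trusted install roots")
    if not signed:
        reasons.append("dll unsigned")
    return {
        "process": process,
        "dll": PureWindowsPath(event["ImageLoaded"]).name.lower(),
        "path": event["ImageLoaded"],
        "severity": "high" if len(reasons) == 2 else "medium",
        "reasons": reasons,
    }


def scan_image_loads(events: list) -> list:
    """Run the rule over a batch of events and collect the alerts."""
    return [alert for alert in (is_suspicious_image_load(e) for e in events) if alert]


# Constructed sample telemetry (hypothetical paths; no real indicators).
SAMPLE_EVENTS = [
    {"Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "ImageLoaded": r"C:\Program Files\Microsoft Office\root\Office16\wwlib.dll",
     "Signed": "true"},
    {"Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "ImageLoaded": r"C:\Users\Public\Documents\example-sideload.dll",
     "Signed": "false"},
    {"Image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "ImageLoaded": r"C:\Users\Public\Documents\other.dll",
     "Signed": "false"},
    {"Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "ImageLoaded": r"C:\Users\alice\AppData\Local\Vendor\addin.dll",
     "Signed": "true"},
]

if __name__ == "__main__":
    for alert in scan_image_loads(SAMPLE_EVENTS):
        print(f"[{alert['severity']}] {alert['process']} loaded {alert['path']}: {', '.join(alert['reasons'])}")
```

Signed add-ins installed per-user (the last sample event) will trip the location check on their own, so treat a medium-severity hit as a triage candidate and tune an allowlist of known add-in paths rather than suppressing the rule; an unsigned DLL loaded by Word from a user-writable directory, the high-severity case, is the pattern worth paging on.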
Description last updated: 2024-10-17T12:16:30.258Z